diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml
index fd33243b81a..4842bfaa2e0 100644
--- a/packages/cyberarkpas/changelog.yml
+++ b/packages/cyberarkpas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.2"
+ changes:
+ - description: Fix error ingesting events with a single entry in the CAProperties field
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2965
 - version: "2.3.1"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
index 709c69c3603..d668b484cad 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
@@ -30,7 +30,6 @@ "event": { "action": "add file category", "code": "105", - "ingested": "2022-02-03T12:42:08.641873855Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -93,7 +92,6 @@ "event": { "action": "add file category", "code": "105", - "ingested": "2022-02-03T12:42:08.641881194Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -161,7 +159,6 @@ "event": { "action": "add file category", "code": "105", - "ingested": "2022-02-03T12:42:08.641882228Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -230,7 +227,6 @@ "event": { "action": "add file category", "code": "105", - "ingested": "2022-02-03T12:42:08.641883015Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"LogonDomain\",\"RequestId\":\"\",\"Reason\":\"Value=[ASR-CYBERARK-WI]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -298,7 +294,6 @@ "event": { "action": "add file category", "code": "105", - "ingested": "2022-02-03T12:42:08.641883798Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -367,7 +362,6 @@ "event": { "action": "add file category", "code": "105", - "ingested": "2022-02-03T12:42:08.641884548Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e105\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add File 
Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json index 47bdeb9a9b5..2aa02e5e530 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json @@ -30,7 +30,6 @@ "event": { "action": "update file category", "code": "106", - "ingested": "2022-02-03T12:42:10.047885354Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:25:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:25:52\",\"IsoTimestamp\":\"2021-03-08T18:25:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[components] Old Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -93,7 +92,6 @@ "event": { "action": "update file category", "code": "106", - "ingested": "2022-02-03T12:42:10.047887687Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -161,7 +159,6 @@ "event": { "action": "update file category", "code": "106", - "ingested": "2022-02-03T12:42:10.047888557Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -230,7 +227,6 @@ "event": { "action": "update file category", "code": "106", - "ingested": "2022-02-03T12:42:10.047889326Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.session\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"PSMStatus\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -299,7 +295,6 @@ "event": { "action": "update file category", "code": "106", - "ingested": "2022-02-03T12:42:10.047890093Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -368,7 +363,6 @@ "event": { "action": "update file category", "code": "106", - "ingested": "2022-02-03T12:42:10.047890857Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:49:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:38\",\"IsoTimestamp\":\"2021-03-14T13:49:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json index bae1df33251..2022782fd8c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json 
@@ -31,7 +31,6 @@ "event": { "action": "delete file category", "code": "107", - "ingested": "2022-02-03T12:42:11.800463943Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:22:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e107\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:24\",\"IsoTimestamp\":\"2021-03-15T10:22:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"107\",\"Desc\":\"Delete File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"LastFailDate\",\"RequestId\":\"\",\"Reason\":\"Old Value=[1615803137]\",\"ExtraDetails\":\"\",\"Message\":\"Delete File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json index 883a279cda5..d58ef3f0085 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json 
@@ -29,7 +29,6 @@ "event": { "action": "rename file", "code": "124", - "ingested": "2022-02-03T12:42:12.034822006Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e124\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"124\",\"Desc\":\"Rename File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json index 1efb797d0e6..1cf1d9534d8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json 
@@ -29,7 +29,6 @@ "event": { "action": "rename file (cont.)", "code": "125", - "ingested": "2022-02-03T12:42:12.513140283Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e125\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eOperating System-UnixSSH-67.43.156.15-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"125\",\"Desc\":\"Rename File (Cont.)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File 
(Cont.)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Operating System-UnixSSH-67.43.156.15-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File (Cont.)\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json index c6616abec24..58a54ee60d0 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "unlock file", "code": "126", - "ingested": "2022-02-03T12:42:12.768833128Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:33:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:33:34\",\"IsoTimestamp\":\"2021-03-10T18:33:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"126\",\"Desc\":\"Unlock File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Unlock File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Unlock File\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json index 5737956d5bb..89e2590eb26 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json 
@@ -51,7 +51,6 @@ "iam" ], "code": "130", - "ingested": "2022-02-03T12:42:12.939888420Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e130\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"130\",\"Desc\":\"CPM Disable Password\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Disable Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Disable Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
index ee312e728a5..878f14741cc 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json
@@ -23,7 +23,6 @@ "event": { "action": "get user's details", "code": "178", - "ingested": "2022-02-03T12:42:13.362488464Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-11T18:45:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:45:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:45:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e178\u003c/MessageID\u003e\\n \u003cDesc\u003eGet User's Details\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eGet User's Details\u003c/Action\u003e\\n \u003cSourceUser\u003eMaster\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGet User's Details\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:45:23\",\"IsoTimestamp\":\"2021-03-11T18:45:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"178\",\"Desc\":\"Get User's Details\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Get User's 
Details\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Get User's Details\",\"GatewayStation\":\"\"}}}", "severity": 7, diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json index 3b16d988306..3f28500a2d4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json @@ -25,7 +25,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710447187Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -104,7 +103,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710449757Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -183,7 +181,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710450879Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -262,7 +259,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710451847Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:19\",\"IsoTimestamp\":\"2021-03-10T17:59:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -341,7 +337,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710452774Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:27\",\"IsoTimestamp\":\"2021-03-10T17:59:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -420,7 +415,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710453677Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:19:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:06\",\"IsoTimestamp\":\"2021-03-10T22:19:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -499,7 +493,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710454588Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:15\",\"IsoTimestamp\":\"2021-03-10T22:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -579,7 +572,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710455512Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -659,7 +651,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710456417Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -739,7 +730,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710457342Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -819,7 +809,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710458251Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -899,7 +888,6 @@ "iam" ], "code": "180", - "ingested": "2022-02-03T12:42:13.710459387Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json index 4e585120dd2..c24735d63bd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json @@ -22,7 +22,6 @@ "event": { "action": "update safe", "code": "181", - "ingested": "2022-02-03T12:42:17.691757080Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:15:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:15:44\",\"IsoTimestamp\":\"2021-03-10T18:15:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"181\",\"Desc\":\"Update Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Safe\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json index 38859cda7e5..60ed9e9c800 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json @@ -22,7 +22,6 @@ "event": { "action": "add safe", "code": "185", - "ingested": "2022-02-03T12:42:17.942807929Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -86,7 +85,6 @@ "event": { "action": "add safe", "code": "185", - "ingested": "2022-02-03T12:42:17.942810409Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e185\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json index c7cae62b603..37f3b4253b6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "add folder", "code": "187", - "ingested": "2022-02-03T12:42:18.454976004Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:40\",\"IsoTimestamp\":\"2021-03-10T09:11:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"Root\\\\Scripts\\\\\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -91,7 +90,6 @@ "event": { "action": "add folder", "code": "187", - "ingested": "2022-02-03T12:42:18.454978412Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e187\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Folder\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Folder\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\\\\\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Folder\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\\\\\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json index c6f6d05922b..0b63dd8926e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json @@ -33,7 +33,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053341747Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", 
@@ -116,7 +115,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053343784Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", @@ -208,7 +206,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053344639Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", 
@@ -300,7 +297,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053345434Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:31:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:50\",\"IsoTimestamp\":\"2021-03-10T08:31:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", @@ -382,7 +378,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053346200Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:37:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:37:00\",\"IsoTimestamp\":\"2021-03-10T22:37:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.10\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", 
@@ -475,7 +470,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053346941Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:05\",\"IsoTimestamp\":\"2021-03-11T17:38:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.13\"}}}", "outcome": "success", 
@@ -568,7 +562,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053347692Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:48:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:22\",\"IsoTimestamp\":\"2021-03-11T17:48:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.13\"}}}", "outcome": "success", 
@@ -652,7 +645,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053348440Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T18:02:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:02:57\",\"IsoTimestamp\":\"2021-03-11T18:02:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", 
@@ -754,7 +746,6 @@ "network" ], "code": "19", - "ingested": "2022-02-03T12:42:19.053349180Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"67.43.156.15\"}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json index e1ddabe4c70..0c1d69783d3 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json 
@@ -23,7 +23,6 @@ "event": { "action": "partial gateway connection", "code": "20", - "ingested": "2022-02-03T12:42:21.852769349Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T09:20:07Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e20\u003c/MessageID\u003e\\n \u003cDesc\u003ePartial Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMGw_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePartial Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePartial Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 05:20:07\",\"IsoTimestamp\":\"2021-03-25T09:20:07Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"20\",\"Desc\":\"Partial Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_COMP01\",\"Action\":\"Partial Gateway 
Connection\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Partial Gateway Connection\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json index 15695ebe82a..3dbd24212b0 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "old backup files deletion start", "code": "202", - "ingested": "2022-02-03T12:42:22.571735594Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"202\",\"Desc\":\"Old Backup Files Deletion Start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion Start\",\"GatewayStation\":\"\"}}}", "severity": 2 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json index 238ddc75e20..1aeb353e586 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "old backup files deletion end", "code": "203", - "ingested": "2022-02-03T12:42:22.708480389Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"203\",\"Desc\":\"Old Backup Files Deletion End\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion End\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json index 941cc8026f7..02c6a3ab6e0 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json 
@@ -52,7 +52,6 @@ "iam" ], "code": "22", - "ingested": "2022-02-03T12:42:22.842662521Z", "kind": "event", "original": "Apr 07 09:51:42 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" 
Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"}]}}}}", "outcome": "success", 
@@ -159,7 +158,6 @@ "iam" ], "code": "22", - "ingested": "2022-02-03T12:42:22.842664468Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:22:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" 
Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:44\",\"IsoTimestamp\":\"2021-03-15T10:22:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json index d074ccc55bd..0629a4dbc42 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json @@ -22,7 +22,6 @@ "event": { "action": "action on closed safe", "code": "23", - "ingested": "2022-02-03T12:42:23.248778920Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "severity": 7, 
@@ -87,7 +86,6 @@ "event": { "action": "action on closed safe", "code": "23", - "ingested": "2022-02-03T12:42:23.248781463Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-14T12:07:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedADAccounts\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:27\",\"IsoTimestamp\":\"2021-03-14T12:07:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"Action On Closed 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedADAccounts\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "severity": 7, 
@@ -143,7 +141,6 @@ "event": { "action": "action on closed safe", "code": "23", - "ingested": "2022-02-03T12:42:23.248782330Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "severity": 7, diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json index 2b27b2de20b..344652e6d30 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json 
@@ -50,7 +50,6 @@ "iam" ], "code": "24", - "ingested": "2022-02-03T12:42:24.273727950Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" 
Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1604944158\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1604944158\"}]}}}}", "outcome": "success", 
@@ -145,7 +144,6 @@ "iam" ], "code": "24", - "ingested": "2022-02-03T12:42:24.273730413Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T19:20:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:05\",\"IsoTimestamp\":\"2021-03-08T19:20:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "outcome": "success", 
@@ -249,7 +247,6 @@ "iam" ], "code": "24", - "ingested": "2022-02-03T12:42:24.273731275Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T23:39:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:28\",\"IsoTimestamp\":\"2021-03-10T23:39:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountB;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "outcome": "success", 
@@ -354,7 +351,6 @@ "iam" ], "code": "24", - "ingested": "2022-02-03T12:42:24.273732013Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:12:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=components;username=x_accountA;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"SequenceID\\\" Value=\\\"28\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615803143\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:24\",\"IsoTimestamp\":\"2021-03-15T10:12:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change 
Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"28\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615803143\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json index 59b3df069f9..99150378ce1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json 
@@ -22,7 +22,6 @@ "event": { "action": "add/update group", "code": "259", - "ingested": "2022-02-03T12:42:25.610733376Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -85,7 +84,6 @@ "event": { "action": "add/update group", "code": "259", - "ingested": "2022-02-03T12:42:25.610735710Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -148,7 +146,6 @@ "event": { "action": "add/update group", "code": "259", - "ingested": "2022-02-03T12:42:25.610736590Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -211,7 +208,6 @@ "event": { "action": "add/update group", "code": "259", - "ingested": "2022-02-03T12:42:25.610737358Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMLiveSessionTerminators\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "severity": 2 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json index 98a268ed6ad..f39c58907c1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490227428Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -87,7 +86,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490230354Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -151,7 +149,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490231383Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -215,7 +212,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490232296Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:58:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:01\",\"IsoTimestamp\":\"2021-03-10T17:58:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -279,7 +275,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490233195Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -343,7 +338,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490234118Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:30\",\"IsoTimestamp\":\"2021-03-10T17:59:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -407,7 +401,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490235005Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:17:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:15\",\"IsoTimestamp\":\"2021-03-10T22:17:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -471,7 +464,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490235934Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -535,7 +527,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490236817Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -600,7 +591,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490237699Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -665,7 +655,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490238590Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -730,7 +719,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490239626Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -795,7 +783,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490240512Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -860,7 +847,6 @@ "event": { "action": "add group member", "code": "265", - "ingested": "2022-02-03T12:42:26.490241409Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json index 3f6131ccd1b..51a82097dfc 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "remove group member", "code": "266", - "ingested": "2022-02-03T12:42:30.044831797Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:48\",\"IsoTimestamp\":\"2021-03-10T17:59:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -87,7 +86,6 @@ "event": { "action": "remove group member", "code": "266", - "ingested": "2022-02-03T12:42:30.044834135Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:19:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:23\",\"IsoTimestamp\":\"2021-03-10T22:19:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json index 5b624e3b144..b883797c36a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json 
@@ -23,7 +23,6 @@ "event": { "action": "remove owner", "code": "273", - "ingested": "2022-02-03T12:42:30.454664292Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:33\",\"IsoTimestamp\":\"2021-03-10T17:59:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"273\",\"Desc\":\"Remove Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Owner\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json index eadd7fbdba6..c64b2c8f9e4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json 
@@ -26,7 +26,6 @@ "event": { "action": "add rule", "code": "278", - "ingested": "2022-02-03T12:42:30.635561221Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e278\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Rule\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Rule\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAllow\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Rule\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"278\",\"Desc\":\"Add Rule\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Rule\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Allow\",\"ExtraDetails\":\"\",\"Message\":\"Add Rule\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json index 7c57b94049f..d31e6c648b1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "auto clear users history start", "code": "288", - "ingested": "2022-02-03T12:42:31.159779825Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -72,7 +71,6 @@ "event": { "action": "auto clear users history start", "code": "288", - "ingested": "2022-02-03T12:42:31.159782608Z", "kind": "event", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json index 15d61fc1ded..b2cfaed910f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json 
@@ -21,7 +21,6 @@ "event": { "action": "auto clear users history end", "code": "289", - "ingested": "2022-02-03T12:42:31.408820121Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -72,7 +71,6 @@ "event": { "action": "auto clear users history end", "code": "289", - "ingested": "2022-02-03T12:42:31.408822828Z", "kind": "event", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json index 21ccf8e2e78..e3ce6412c8a 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "auto clear safes history start", "code": "290", - "ingested": "2022-02-03T12:42:31.801723378Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"290\",\"Desc\":\"Auto Clear Safes History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History start\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json index 3e0eb89043f..d450f795b01 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json 
@@ -21,7 +21,6 @@ "event": { "action": "auto clear safes history end", "code": "291", - "ingested": "2022-02-03T12:42:32.109535360Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"291\",\"Desc\":\"Auto Clear Safes History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History end\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json index b7b5ca89369..425105efbf1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json 
@@ -33,7 +33,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543263212Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "severity": 2 
@@ -96,7 +95,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543265370Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -179,7 +177,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543266285Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "severity": 2 
@@ -247,7 +244,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543267083Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", "severity": 2 
@@ -305,7 +301,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543267845Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:58:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:06\",\"IsoTimestamp\":\"2021-03-10T17:58:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -372,7 +367,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543268602Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -460,7 +454,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543269351Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "severity": 2 
@@ -529,7 +522,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543270105Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Groups\\\\WindowsGroup\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WindowsDesktopLocalAccountsRotationalPolicy\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615722505\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CurrInd\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615722505\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "severity": 2 
@@ -609,7 +601,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543270862Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:12:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"27\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"StartChangeNotBefore\\\" Value=\\\"1615754905\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615231204\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:21\",\"IsoTimestamp\":\"2021-03-15T10:12:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615754905\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "severity": 2 
@@ -688,7 +679,6 @@ "event": { "action": "store password", "code": "294", - "ingested": "2022-02-03T12:42:32.543271606Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T13:13:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:13:01\",\"IsoTimestamp\":\"2021-03-15T13:13:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
index c758f7a731a..41438268f28 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
@@ -44,7 +44,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700333294Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eProv_PVWA\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.3\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAIM password request\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Customer\\\" Value=\\\"Nobody\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_PVWA\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.3\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"AIM password request\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Nobody\"}]}}}}", "outcome": "success", 
@@ -143,7 +142,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700335692Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Show Password)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eShow Password\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Show Password)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Show Password\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "outcome": "success", @@ -229,7 +227,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700336576Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:16:51\",\"IsoTimestamp\":\"2021-03-08T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\testobject\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"test\"},{\"Name\":\"Address\",\"Value\":\"test\"},{\"Name\":\"CPMDisabled\",\"Value\":\"testing\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -335,7 +332,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700337359Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T19:19:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:19:59\",\"IsoTimestamp\":\"2021-03-08T19:19:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "outcome": "success", 
@@ -422,7 +418,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700338120Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "outcome": "success", 
@@ -523,7 +518,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700338872Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T14:40:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:40:37\",\"IsoTimestamp\":\"2021-03-10T14:40:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Application provider background refresh job\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "outcome": "success", 
@@ -614,7 +608,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700339612Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:27:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:27:57\",\"IsoTimestamp\":\"2021-03-10T18:27:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "outcome": "success", 
@@ -709,7 +702,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700340356Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:28:07\",\"IsoTimestamp\":\"2021-03-10T18:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "outcome": "success", 
@@ -819,7 +811,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700341103Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T23:39:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:22\",\"IsoTimestamp\":\"2021-03-10T23:39:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "outcome": "success", 
@@ -906,7 +897,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700341853Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", "outcome": "success", 
@@ -997,7 +987,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700342593Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:41:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:41:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:41:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003elksajdflkasdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:41:21\",\"IsoTimestamp\":\"2021-03-11T16:41:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"lksajdflkasdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "outcome": "success", 
@@ -1092,7 +1081,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700343548Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:50:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMServer\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:50:28\",\"IsoTimestamp\":\"2021-03-11T16:50:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "outcome": "success", 
@@ -1189,7 +1177,6 @@ "iam" ], "code": "295", - "ingested": "2022-02-03T12:42:34.700344299Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:54:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:54:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:54:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003esdfsdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMApp_VAGRANT\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"centos8\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:54:20\",\"IsoTimestamp\":\"2021-03-11T16:54:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"sdfsdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"PSMApp_VAGRANT\"},{\"Name\":\"Address\",\"Value\":\"centos8\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json index af36d54d848..7843e939f2c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json 
@@ -55,7 +55,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969147328Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No 
Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"300\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "outcome": "success", 
@@ -162,7 +161,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969149699Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:20\",\"IsoTimestamp\":\"2021-03-11T17:38:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -280,7 +278,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969150584Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:46:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:56\",\"IsoTimestamp\":\"2021-03-11T17:46:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -398,7 +395,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969151344Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:48:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:34\",\"IsoTimestamp\":\"2021-03-11T17:48:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -516,7 +512,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969152139Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:54:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:56\",\"IsoTimestamp\":\"2021-03-11T17:54:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -634,7 +629,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969152887Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:56:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:37\",\"IsoTimestamp\":\"2021-03-11T17:56:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -752,7 +746,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969153624Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T20:23:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:25\",\"IsoTimestamp\":\"2021-03-11T20:23:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -876,7 +869,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969154374Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:49:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:37\",\"IsoTimestamp\":\"2021-03-14T13:49:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1008,7 +1000,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969155129Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:50:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:50:43\",\"IsoTimestamp\":\"2021-03-14T13:50:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1138,7 +1129,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969155877Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:31:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:56\",\"IsoTimestamp\":\"2021-03-15T10:31:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1268,7 +1258,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969156617Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:33:39Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:39\",\"IsoTimestamp\":\"2021-03-15T10:33:39Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1398,7 +1387,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969157492Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:35:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:00\",\"IsoTimestamp\":\"2021-03-15T10:35:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1524,7 +1512,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969158254Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T13:18:31Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:31\",\"IsoTimestamp\":\"2021-03-15T13:18:31Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1650,7 +1637,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969158994Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:08:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:06\",\"IsoTimestamp\":\"2021-03-15T14:08:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1785,7 +1771,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969159754Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:08:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:28\",\"IsoTimestamp\":\"2021-03-15T14:08:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "success", 
@@ -1920,7 +1905,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969160524Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:11:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:09\",\"IsoTimestamp\":\"2021-03-15T14:11:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "success", 
@@ -2055,7 +2039,6 @@ "session" ], "code": "300", - "ingested": "2022-02-03T12:42:38.969161377Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-16T10:04:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:51\",\"IsoTimestamp\":\"2021-03-16T10:04:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json index ed8e5da92ba..65eee3ee787 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json 
@@ -57,7 +57,6 @@ ], "code": "302", "duration": 7000000000, - "ingested": "2022-02-03T12:42:45.549165328Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"302\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "outcome": "success", 
@@ -166,7 +165,6 @@ ], "code": "302", "duration": 13000000000, - "ingested": "2022-02-03T12:42:45.549167362Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -286,7 +284,6 @@ ], "code": "302", "duration": 11000000000, - "ingested": "2022-02-03T12:42:45.549168254Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:47:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:47:01\",\"IsoTimestamp\":\"2021-03-11T17:47:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -406,7 +403,6 @@ ], "code": "302", "duration": 12000000000, - "ingested": "2022-02-03T12:42:45.549169041Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:48:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:40\",\"IsoTimestamp\":\"2021-03-11T17:48:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -526,7 +522,6 @@ ], "code": "302", "duration": 12000000000, - "ingested": "2022-02-03T12:42:45.549169822Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:55:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:55:02\",\"IsoTimestamp\":\"2021-03-11T17:55:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -646,7 +641,6 @@ ], "code": "302", "duration": 12000000000, - "ingested": "2022-02-03T12:42:45.549170571Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:56:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:42\",\"IsoTimestamp\":\"2021-03-11T17:56:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -766,7 +760,6 @@ ], "code": "302", "duration": 12000000000, - "ingested": "2022-02-03T12:42:45.549171334Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T20:23:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:30\",\"IsoTimestamp\":\"2021-03-11T20:23:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -892,7 +885,6 @@ ], "code": "302", "duration": 18000000000, - "ingested": "2022-02-03T12:42:45.549172096Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:49:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:54\",\"IsoTimestamp\":\"2021-03-14T13:49:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1026,7 +1018,6 @@ ], "code": "302", "duration": 54000000000, - "ingested": "2022-02-03T12:42:45.549172839Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:51:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:51:35\",\"IsoTimestamp\":\"2021-03-14T13:51:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1158,7 +1149,6 @@ ], "code": "302", "duration": 95000000000, - "ingested": "2022-02-03T12:42:45.549173586Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:33:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:30\",\"IsoTimestamp\":\"2021-03-15T10:33:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1290,7 +1280,6 @@ ], "code": "302", "duration": 73000000000, - "ingested": "2022-02-03T12:42:45.549174344Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:34:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:34:50\",\"IsoTimestamp\":\"2021-03-15T10:34:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1422,7 +1411,6 @@ ], "code": "302", "duration": 2230000000000, - "ingested": "2022-02-03T12:42:45.549175319Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T11:12:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 04:12:09\",\"IsoTimestamp\":\"2021-03-15T11:12:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1550,7 +1538,6 @@ ], "code": "302", "duration": 5000000000, - "ingested": "2022-02-03T12:42:45.549176076Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T13:18:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:36\",\"IsoTimestamp\":\"2021-03-15T13:18:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1678,7 +1665,6 @@ ], "code": "302", "duration": 6000000000, - "ingested": "2022-02-03T12:42:45.549176841Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:08:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:11\",\"IsoTimestamp\":\"2021-03-15T14:08:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=67.43.156.13;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1815,7 +1801,6 @@ ], "code": "302", "duration": 9000000000, - "ingested": "2022-02-03T12:42:45.549177579Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:08:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:36\",\"IsoTimestamp\":\"2021-03-15T14:08:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "success", 
@@ -1952,7 +1937,6 @@ ], "code": "302", "duration": 2952000000000, - "ingested": "2022-02-03T12:42:45.549178321Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T15:00:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:00:21\",\"IsoTimestamp\":\"2021-03-15T15:00:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json index 4fe5b589a64..1ab0b5b07ef 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json 
@@ -36,7 +36,6 @@ "event": { "action": "psm upload recording", "code": "304", - "ingested": "2022-02-03T12:42:52.059784523Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T09:20:56Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e304\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Upload Recording\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Upload Recording\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Upload Recording\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
05:20:56\",\"IsoTimestamp\":\"2021-03-25T09:20:56Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"304\",\"Desc\":\"PSM Upload Recording\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_COMP01\",\"Action\":\"PSM Upload Recording\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"Root\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\",\"Message\":\"PSM Upload Recording\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json index a7e852b1550..54c187801d8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json 
@@ -50,7 +50,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221759001Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"308\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "outcome": "success", 
@@ -146,7 +145,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221761275Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:12\",\"IsoTimestamp\":\"2021-03-11T17:38:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "reason": "fun and profit", 
@@ -254,7 +252,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221762160Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:46:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:49\",\"IsoTimestamp\":\"2021-03-11T17:46:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"FOR FUN.\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "reason": "FOR FUN.", 
@@ -362,7 +359,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221762927Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:48:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:27\",\"IsoTimestamp\":\"2021-03-11T17:48:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"For fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "reason": "For fun and profit", 
@@ -470,7 +466,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221763751Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:54:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:49\",\"IsoTimestamp\":\"2021-03-11T17:54:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Because I say so\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "reason": "Because I say so", 
@@ -578,7 +573,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221764495Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:56:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efor fun\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:30\",\"IsoTimestamp\":\"2021-03-11T17:56:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"for fun\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "reason": "for fun", 
@@ -686,7 +680,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221765245Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T20:23:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003etesting\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:17\",\"IsoTimestamp\":\"2021-03-11T20:23:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.13\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "reason": "testing", 
@@ -799,7 +792,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221765991Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -918,7 +910,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221766756Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:31:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" 
Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:54\",\"IsoTimestamp\":\"2021-03-15T10:31:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -1042,7 +1033,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221767504Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:08:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:26\",\"IsoTimestamp\":\"2021-03-15T14:08:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "failure", 
@@ -1166,7 +1156,6 @@ "iam" ], "code": "308", - "ingested": "2022-02-03T12:42:52.221768253Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-16T10:04:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:49\",\"IsoTimestamp\":\"2021-03-16T10:04:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"67.43.156.15\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "failure", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json index e5bf558e37b..e68734ee6ab 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json 
@@ -29,7 +29,6 @@ "authentication" ], "code": "309", - "ingested": "2022-02-03T12:42:57.270595193Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-08T18:31:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:31:52\",\"IsoTimestamp\":\"2021-03-08T18:31:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansr\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "failure", @@ -104,7 +103,6 @@ "authentication" ], "code": "309", - "ingested": "2022-02-03T12:42:57.270597353Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-08T18:32:03Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:03\",\"IsoTimestamp\":\"2021-03-08T18:32:03Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansra\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "failure", 
@@ -175,7 +173,6 @@ "authentication" ], "code": "309", - "ingested": "2022-02-03T12:42:57.270598233Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-11T16:43:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:43:26\",\"IsoTimestamp\":\"2021-03-11T16:43:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"PSMAdmin\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"\"}}}", "outcome": "failure", 
@@ -265,7 +262,6 @@ "authentication" ], "code": "309", - "ingested": "2022-02-03T12:42:57.270599026Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-11T17:46:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:28\",\"IsoTimestamp\":\"2021-03-11T17:46:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adrian\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"67.43.156.13\"}}}", "outcome": "failure", 
@@ -350,7 +346,6 @@ "authentication" ], "code": "309", - "ingested": "2022-02-03T12:42:57.270599801Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-14T13:28:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:28:00\",\"IsoTimestamp\":\"2021-03-14T13:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"testark\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"67.43.156.15\"}}}", "outcome": "failure", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json index 5dfaa484ad3..6e1a22d3583 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json 
@@ -52,7 +52,6 @@ "iam" ], "code": "31", - "ingested": "2022-02-03T12:42:58.749139611Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e31\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=dbserver.cyberark.local;username=Administrator2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Version\":\"11.6.0000\",\"MessageID\":\"31\",\"Desc\":\"CPM Reconcile Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=dbserver.cyberark.local;username=Administrator2;\",\"Message\":\"CPM Reconcile Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json index 97112f78ef1..a46626fc88e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "monitor dr replication start", "code": "310", - "ingested": "2022-02-03T12:42:59.459674904Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -72,7 +71,6 @@ "event": { "action": "monitor dr replication start", "code": "310", - "ingested": "2022-02-03T12:42:59.459677361Z", "kind": "event", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json index ba7f05996e5..f9ff68fa42c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json 
@@ -21,7 +21,6 @@ "event": { "action": "monitor dr replication end", "code": "311", - "ingested": "2022-02-03T12:42:59.695793873Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -72,7 +71,6 @@ "event": { "action": "monitor dr replication end", "code": "311", - "ingested": "2022-02-03T12:42:59.695796143Z", "kind": "event", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json index cc239b66986..17f18a45fd0 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "reset user password detailed information", "code": "316", - "ingested": "2022-02-03T12:42:59.928746909Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"316\",\"Desc\":\"Reset User Password Detailed Information\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password Detailed Information\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Password changed\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password Detailed Information\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json index f667b9e9fde..b1a592c5cdd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json 
@@ -22,7 +22,6 @@ "event": { "action": "reset user password", "code": "317", - "ingested": "2022-02-03T12:43:00.197385257Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"317\",\"Desc\":\"Reset User Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json index d753f6d536a..349758ec7bd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json 
@@ -26,7 +26,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755878171Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -108,7 +107,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755881347Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -189,7 +187,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755882406Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Batch\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -271,7 +268,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755883314Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Operators\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -353,7 +349,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755884213Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Backup Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -435,7 +430,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755885097Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -517,7 +511,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755885985Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"DR Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -599,7 +592,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755886883Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Notification Engines\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -681,7 +673,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755887766Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -763,7 +754,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755888669Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -845,7 +835,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755889588Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -927,7 +916,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755890641Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -1009,7 +997,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755891542Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:36\",\"IsoTimestamp\":\"2021-03-10T09:11:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBUserProfile\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -1091,7 +1078,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755892426Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:37\",\"IsoTimestamp\":\"2021-03-10T09:11:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -1173,7 +1159,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755893318Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:38\",\"IsoTimestamp\":\"2021-03-10T09:11:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeCustom\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -1255,7 +1240,6 @@ "iam" ], "code": "32", - "ingested": "2022-02-03T12:43:00.755894220Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:59:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:32\",\"IsoTimestamp\":\"2021-03-10T17:59:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json index 00104d31d3c..8603c93a5db 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json 
@@ -30,7 +30,6 @@ "event": { "action": "cpm auto-detection start", "code": "326", - "ingested": "2022-02-03T12:43:06.421481738Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e326\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection Start\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection Start\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection Start\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"326\",\"Desc\":\"CPM Auto-detection Start\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection Start\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json index 4105dbcc91f..f888ac2456a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json 
@@ -30,7 +30,6 @@ "event": { "action": "cpm auto-detection end", "code": "327", - "ingested": "2022-02-03T12:43:06.575359759Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e327\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection End\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection End\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection End\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"327\",\"Desc\":\"CPM 
Auto-detection End\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection End\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json index b0e17278cde..92a5875e82a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json @@ -26,7 +26,6 @@ "iam" ], "code": "33", - "ingested": "2022-02-03T12:43:06.733255918Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:16:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:49\",\"IsoTimestamp\":\"2021-03-10T18:16:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -108,7 +107,6 @@ "iam" ], "code": "33", - "ingested": "2022-02-03T12:43:06.733258293Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:16:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:50\",\"IsoTimestamp\":\"2021-03-10T18:16:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -190,7 +188,6 @@ "iam" ], "code": "33", - "ingested": "2022-02-03T12:43:06.733259169Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -272,7 +269,6 @@ "iam" ], "code": "33", - "ingested": "2022-02-03T12:43:06.733259952Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -354,7 +350,6 @@ "iam" ], "code": "33", - "ingested": "2022-02-03T12:43:06.733260756Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:16:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:53\",\"IsoTimestamp\":\"2021-03-10T18:16:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMUniversalConnectors\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -436,7 +431,6 @@ "iam" ], "code": "33", - "ingested": "2022-02-03T12:43:06.733261566Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:19:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:18\",\"IsoTimestamp\":\"2021-03-10T22:19:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -519,7 +513,6 @@ "iam" ], "code": "33", - "ingested": "2022-02-03T12:43:06.733262354Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e33\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:14\",\"IsoTimestamp\":\"2021-03-11T17:38:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update 
Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json index c6fdf9961ea..a6a5bdfc80e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "monitor license expiration date start", "code": "355", - "ingested": "2022-02-03T12:43:09.181679150Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"355\",\"Desc\":\"Monitor License Expiration Date start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date start\",\"GatewayStation\":\"\"}}}", "severity": 2 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json index 5d3bc6071e6..a719b1ea145 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "monitor license expiration date end", "code": "356", - "ingested": "2022-02-03T12:43:09.327481936Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"356\",\"Desc\":\"Monitor License Expiration Date end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date end\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json index 6fdbe7af58f..dcdf515d33e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json 
@@ -21,7 +21,6 @@ "event": { "action": "monitor fw rules start", "code": "357", - "ingested": "2022-02-03T12:43:09.634044593Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -72,7 +71,6 @@ "event": { "action": "monitor fw rules start", "code": "357", - "ingested": "2022-02-03T12:43:09.634047657Z", "kind": "event", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json index 8fe507311a6..2f0d5e24263 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "monitor fw rules end", "code": "358", - "ingested": "2022-02-03T12:43:10.167144238Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -72,7 +71,6 @@ "event": { "action": "monitor fw rules end", "code": "358", - "ingested": "2022-02-03T12:43:10.167146761Z", "kind": "event", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "severity": 2 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json index ef23b031f0b..fa370bc02c7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json 
@@ -66,7 +66,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435248203Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT USER FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -185,7 +184,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435250256Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_OUTPUT.DISABLE\\\\; END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_OUTPUT.DISABLE\\\\; 
END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -304,7 +302,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435251145Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -423,7 +420,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435251908Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT CHAR_VALUE FROM 
SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -542,7 +538,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435252651Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by position: 
1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -661,7 +656,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435253404Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:56:45Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:45\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:45Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:45\",\"IsoTimestamp\":\"2021-03-25T14:56:45Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT DECODE('A','A','1','2') FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -780,7 +774,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435254144Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:56:54Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:54\",\"IsoTimestamp\":\"2021-03-25T14:56:54Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 
1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -899,7 +892,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435254890Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:58:02Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:02\",\"IsoTimestamp\":\"2021-03-25T14:58:02Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -1018,7 +1010,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435255639Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:57:05Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:57:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:57:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:57:05\",\"IsoTimestamp\":\"2021-03-25T14:57:05Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 
1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", 
@@ -1137,7 +1128,6 @@ "database" ], "code": "359", - "ingested": "2022-02-03T12:43:10.435256371Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T14:58:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:44\",\"IsoTimestamp\":\"2021-03-25T14:58:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=select distinct owner from 
all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json index 5a3f6da5e59..d72333d4977 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json 
@@ -58,7 +58,6 @@ "session" ], "code": "361", - "ingested": "2022-02-03T12:43:14.208883900Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"361\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "severity": 2, 
@@ -173,7 +172,6 @@ "session" ], "code": "361", - "ingested": "2022-02-03T12:43:14.208886159Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:49:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:49\",\"IsoTimestamp\":\"2021-03-14T13:49:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=10T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2, 
@@ -305,7 +303,6 @@ "session" ], "code": "361", - "ingested": "2022-02-03T12:43:14.208887013Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:32:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:32:04\",\"IsoTimestamp\":\"2021-03-15T10:32:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=67.43.156.13;SSHOffset=1312B;User=testark;VIDOffset=6T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2, 
@@ -437,7 +434,6 @@ "session" ], "code": "361", - "ingested": "2022-02-03T12:43:14.208887809Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:33:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:47\",\"IsoTimestamp\":\"2021-03-15T10:33:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2, 
@@ -569,7 +565,6 @@ "session" ], "code": "361", - "ingested": "2022-02-03T12:43:14.208888562Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T10:35:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:08\",\"IsoTimestamp\":\"2021-03-15T10:35:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2, 
@@ -706,7 +701,6 @@ "session" ], "code": "361", - "ingested": "2022-02-03T12:43:14.208889336Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:11:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:18\",\"IsoTimestamp\":\"2021-03-15T14:11:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=1309B;User=testark;VIDOffset=8T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "severity": 2, 
@@ -843,7 +837,6 @@ "session" ], "code": "361", - "ingested": "2022-02-03T12:43:14.208890079Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T14:45:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:45:51\",\"IsoTimestamp\":\"2021-03-15T14:45:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-67.43.156.15-testark\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=67.43.156.15;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=67.43.156.13;SSHOffset=296291B;User=testark;VIDOffset=2081T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "severity": 2, diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json index e07fe97e762..d88e3b7bbc8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json 
@@ -65,7 +65,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022113342Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T13:19:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814397\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:19:58\",\"IsoTimestamp\":\"2021-03-15T13:19:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814397\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -185,7 +184,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022115878Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T13:25:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814709\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserDN\\\" Value=\\\"ELASTIC.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:25:32\",\"IsoTimestamp\":\"2021-03-15T13:25:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814709\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"UserDN\",\"Value\":\"ELASTIC.local\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The network name cannot be found. (winRc=67). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -304,7 +302,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022116787Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T13:33:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615815206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:33:26\",\"IsoTimestamp\":\"2021-03-15T13:33:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615815206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -424,7 +421,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022117560Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T15:04:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615820651\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:04:11\",\"IsoTimestamp\":\"2021-03-15T15:04:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615820651\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -544,7 +540,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022118305Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T16:35:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615826099\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:35:01\",\"IsoTimestamp\":\"2021-03-15T16:35:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=2;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615826099\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -653,7 +648,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022119072Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T16:56:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:56:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:56:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827245\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:56:29\",\"IsoTimestamp\":\"2021-03-15T16:56:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827245\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -763,7 +757,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022119822Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T17:01:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:01:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:01:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827554\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mariadb\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:01:07\",\"IsoTimestamp\":\"2021-03-15T17:01:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827554\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"mariadb\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -873,7 +866,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022120600Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T17:05:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:05:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:05:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827864\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:05:47\",\"IsoTimestamp\":\"2021-03-15T17:05:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827864\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -983,7 +975,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022121363Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T17:10:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:10:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:10:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615828174\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:10:25\",\"IsoTimestamp\":\"2021-03-15T17:10:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615828174\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -1093,7 +1084,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022122141Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T17:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:28:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:28:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829287\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:28:07\",\"IsoTimestamp\":\"2021-03-15T17:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829287\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -1206,7 +1196,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022122879Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T17:33:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:33:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:33:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829597\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:33:17\",\"IsoTimestamp\":\"2021-03-15T17:33:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829597\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -1319,7 +1308,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022123813Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829907\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:38:27\",\"IsoTimestamp\":\"2021-03-15T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829907\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -1432,7 +1420,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022124572Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T18:00:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:00:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:00:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:00:07\",\"IsoTimestamp\":\"2021-03-15T18:00:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "outcome": "failure", 
@@ -1548,7 +1535,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022125327Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T18:05:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831516\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:05:16\",\"IsoTimestamp\":\"2021-03-15T18:05:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=3;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831516\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -1668,7 +1654,6 @@ "iam" ], "code": "38", - "ingested": "2022-02-03T12:43:17.022126078Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-16T09:50:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 02:50:19\",\"IsoTimestamp\":\"2021-03-16T09:50:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.15-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.15-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=4;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 67.43.156.15\\\\ELASTIC.local\\\\bart on domain 67.43.156.15(\\\\\\\\67.43.156.15). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json index 5266786f1ec..b92aa3cd34d 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json 
@@ -28,7 +28,6 @@ "event": { "action": "blservice audit record", "code": "385", - "ingested": "2022-02-03T12:43:22.190176250Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:31:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: 
True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:13\",\"IsoTimestamp\":\"2021-03-11T16:31:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: 
AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -92,7 +91,6 @@ "event": { "action": "blservice audit record", "code": "385", - "ingested": "2022-02-03T12:43:22.190178767Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:31:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: 
True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:23\",\"IsoTimestamp\":\"2021-03-11T16:31:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: 
AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -156,7 +154,6 @@ "event": { "action": "blservice audit record", "code": "385", - "ingested": "2022-02-03T12:43:22.190179668Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T19:40:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:40:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:40:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: 
AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:40:52\",\"IsoTimestamp\":\"2021-03-11T19:40:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; 
RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -220,7 +217,6 @@ "event": { "action": "blservice audit record", "code": "385", - "ingested": "2022-02-03T12:43:22.190180431Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:04:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: 
AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:35\",\"IsoTimestamp\":\"2021-03-14T12:04:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; 
RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -284,7 +280,6 @@ "event": { "action": "blservice audit record", "code": "385", - "ingested": "2022-02-03T12:43:22.190181204Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:04:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:53\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:53Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: 
AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:53\",\"IsoTimestamp\":\"2021-03-14T12:04:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; 
RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json index b52e2805eaf..844dc83b2b2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json 
@@ -24,7 +24,6 @@ "authentication" ], "code": "4", - "ingested": "2022-02-03T12:43:23.404242632Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-10T18:42:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:42:36\",\"IsoTimestamp\":\"2021-03-10T18:42:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"\"}}}", "outcome": "failure", 
@@ -105,7 +104,6 @@ "authentication" ], "code": "4", - "ingested": "2022-02-03T12:43:23.404244954Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-11T18:03:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:03:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:03:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e4\u003c/MessageID\u003e\\n \u003cDesc\u003eUser Authentication\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUser Authentication\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUser Authentication\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:03:43\",\"IsoTimestamp\":\"2021-03-11T18:03:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User 
Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "failure", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json index dd8fa4739f3..b37dcf02efa 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
@@ -64,7 +64,6 @@ "process" ], "code": "411", - "ingested": "2022-02-03T12:43:24.210231974Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e411\u003c/MessageID\u003e\\n \u003cDesc\u003eWindow Title\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eWindow Title\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.5\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eWindow Title\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" 
Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"411\",\"Desc\":\"Window Title\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Window Title\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.5\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\",\"IsoTimestamp\":\"2021-03-16T17:11:42Z\",\"Message\":\"Window 
Title\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "severity": 2, diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json index 6d01826e99b..c9155a177cd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json 
@@ -65,7 +65,6 @@ "session" ], "code": "412", - "ingested": "2022-02-03T12:43:24.558390182Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T11:29:37Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 07:29:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T11:29:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e412\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eMSSQL\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MSSql-epmsvr01.cybr.com-sa\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SHOW DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MSSql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"sa\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"tgtsvr01.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"master\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580240\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011980\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SQL;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 07:29:37\",\"IsoTimestamp\":\"2021-03-25T11:29:37Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"412\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"MSSQL\",\"File\":\"Root\\\\Database-MSSql-epmsvr01.cybr.com-sa\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SHOW 
DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MSSql\"},{\"Name\":\"UserName\",\"Value\":\"sa\"},{\"Name\":\"Address\",\"Value\":\"tgtsvr01.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"master\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580240\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011980\"},{\"Name\":\"Tags\",\"Value\":\"SQL;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "severity": 2, diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json index eef44ed43aa..74707607496 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json 
@@ -61,7 +61,6 @@ "iam" ], "code": "414", - "ingested": "2022-02-03T12:43:24.897023261Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-25T10:04:06Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 06:04:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T10:04:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e414\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux SSH Keys\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eVerificationPeriod\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall1;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" 
Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616666646\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1582315464\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 06:04:06\",\"IsoTimestamp\":\"2021-03-25T10:04:06Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"414\",\"Desc\":\"CPM Verify SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux SSH Keys\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-rhel7.cybr.com-firecall1\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"VerificationPeriod\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall1;\",\"Message\":\"CPM Verify SSH Key\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"firecall1\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"SequenceID\",\"Value\":\"2\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616666646\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1582315464\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json index b299e72701b..7d2035507fa 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json 
@@ -29,7 +29,6 @@ "event": { "action": "store ssh key", "code": "427", - "ingested": "2022-02-03T12:43:25.403066235Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:50:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e427\u003c/MessageID\u003e\\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:17\",\"IsoTimestamp\":\"2021-03-11T16:50:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"427\",\"Desc\":\"Store SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store SSH 
Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store SSH Key\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json index 37058b6b7b4..af3c4605757 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json 
@@ -61,7 +61,6 @@ "iam" ], "code": "428", - "ingested": "2022-02-03T12:43:25.691665422Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:43:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:43:44\",\"IsoTimestamp\":\"2021-03-11T17:43:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)for fun and profit\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"for fun and profit\",\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -181,7 +180,6 @@ "iam" ], "code": "428", - "ingested": "2022-02-03T12:43:25.691667782Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T21:08:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 67.43.156.15)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n \u003cConnectionDetails\u003e\\n \u003cConnectionAddress\u003e67.43.156.15\u003c/ConnectionAddress\u003e\\n \u003c/ConnectionDetails\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:08:48\",\"IsoTimestamp\":\"2021-03-11T21:08:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)testing(Connection to address: 67.43.156.15)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"testing\",\"RetrieveAction\":\"Connect\"},\"ConnectionDetails\":{\"ConnectionAddress\":\"67.43.156.15\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", 
@@ -297,7 +295,6 @@ "iam" ], "code": "428", - "ingested": "2022-02-03T12:43:25.691668636Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T13:18:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:52\",\"IsoTimestamp\":\"2021-03-15T13:18:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-67.43.156.15-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json index 3c409b83225..7b104fbfef1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json 
@@ -23,7 +23,6 @@ "event": { "action": "create discovery succeeded", "code": "449", - "ingested": "2022-02-03T12:43:26.894331191Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:06:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:06:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:06:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e449\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate Discovery Succeeded\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eCreate Discovery Succeeded\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eStatus:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate Discovery Succeeded\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:06:35\",\"IsoTimestamp\":\"2021-03-14T12:06:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"449\",\"Desc\":\"Create Discovery 
Succeeded\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create Discovery Succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Status:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\",\"ExtraDetails\":\"\",\"Message\":\"Create Discovery Succeeded\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json index 853fa0cf5d4..a7dffcdb3d4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json 
@@ -47,7 +47,6 @@ "event": { "action": "general audit", "code": "459", - "ingested": "2022-02-03T12:43:27.040937666Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "severity": 2 
@@ -129,7 +128,6 @@ "event": { "action": "general audit", "code": "459", - "ingested": "2022-02-03T12:43:27.040940248Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=1;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "severity": 2 
@@ -212,7 +210,6 @@ "event": { "action": "general audit", "code": "459", - "ingested": "2022-02-03T12:43:27.040941097Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e459\u003c/MessageID\u003e\\n \u003cDesc\u003eGeneral Audit\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eGeneral Audit\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eDual account rotation\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDualAccountStatus=Active;Index=2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGeneral Audit\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"SequenceID\\\" Value=\\\"25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615419568\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Active\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General 
Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json index e53adeedc8d..a4abeeb335a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json 
@@ -21,7 +21,6 @@ "event": { "action": "the component public key for jwt authentication was updated", "code": "467", - "ingested": "2022-02-03T12:43:27.768818319Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:14:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:14:35\",\"IsoTimestamp\":\"2021-03-10T18:14:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"467\",\"Desc\":\"The component public key for JWT authentication was updated\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"The component public key for JWT authentication was updated\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"The component public key for JWT authentication was updated\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json index f0a767286ff..16c4a139653 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json 
@@ -21,7 +21,6 @@ "event": { "action": "security warning - the signature hash algorithm of the vault certificate is sha1.", "code": "479", - "ingested": "2022-02-03T12:43:28.090704415Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "severity": 7, 
@@ -73,7 +72,6 @@ "event": { "action": "security warning - the signature hash algorithm of the vault certificate is sha1.", "code": "479", - "ingested": "2022-02-03T12:43:28.090706905Z", "kind": "event", "original": "Mar 08 07:46:54 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "severity": 7, diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json index a50cf6f4b44..c1e3fec5522 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json 
@@ -21,7 +21,6 @@ "event": { "action": "update existing add account bulk operation succeeded", "code": "482", - "ingested": "2022-02-03T12:43:28.536929793Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:31:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:49\",\"IsoTimestamp\":\"2021-03-10T08:31:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"482\",\"Desc\":\"Update existing Add Account Bulk Operation succeeded\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Update existing Add Account Bulk Operation succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update existing Add Account Bulk Operation succeeded\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json index c32f506a2a0..fe6a1b15f71 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json 
@@ -23,7 +23,6 @@ "event": { "action": "store file", "code": "50", - "ingested": "2022-02-03T12:43:28.828293865Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -81,7 +80,6 @@ "event": { "action": "store file", "code": "50", - "ingested": "2022-02-03T12:43:28.828295429Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"Root\\\\syntaxparser-conf.json.1.1\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -148,7 +146,6 @@ "event": { "action": "store file", "code": "50", - "ingested": "2022-02-03T12:43:28.828295861Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:36:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:36:22\",\"IsoTimestamp\":\"2021-03-10T18:36:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -206,7 +203,6 @@ "event": { "action": "store file", "code": "50", - "ingested": "2022-02-03T12:43:28.828296250Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:17:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:56\",\"IsoTimestamp\":\"2021-03-10T22:17:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -274,7 +270,6 @@ "event": { "action": "store file", "code": "50", - "ingested": "2022-02-03T12:43:28.828296633Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:27\",\"IsoTimestamp\":\"2021-03-11T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -347,7 +342,6 @@ "event": { "action": "store file", "code": "50", - "ingested": "2022-02-03T12:43:28.828297032Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log index 8cd3214a84f..72ebac13a75 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log 
@@ -1,2 +1,3 @@ <5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} <5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"AppProviderConf","File":"Root\\main_appprovider.conf.Win64.11.04","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} +<5>1 2022-03-30T05:51:59Z HOSTNAME {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 30 16:51:59","IsoTimestamp":"2022-03-30T05:51:59Z","Hostname":"HOSTNAME","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.1.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PSMApp_FOOBAR","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root[\\ConfigurationSchemas\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)","Station":"10.2.1.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve 
File","GatewayStation":"","CAProperties":{"CAProperty":{"Name":"ConfigurationSchemaVersion","Value":"12121"}}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json index 4079262ce4c..10b29789963 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "retrieve file", "code": "51", - "ingested": "2022-02-03T12:43:30.264983923Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "severity": 2 
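Review bot: The `File` value in the added sample line, `Root[\\ConfigurationSchemas\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)`, looks like a Markdown link left over from copying the event out of an issue or chat rather than a path the Vault emitted. The same string is then pinned as `cyberarkpas.audit.file` and `file.path` in the new expected event in test-51-retrieve-file.log-expected.json, so the fixture asserts a path that searches and detection rules keyed on `file.path` would likely never see in real data. If the original event is available, I would restore the plain value, `"File":"Root\\ConfigurationSchemas\\AuditFilters.xsd"`, and regenerate the expected file. The single-object `CAProperties` part of the sample, which is what the fix needs, is unaffected by that change.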
@@ -81,7 +80,6 @@ "event": { "action": "retrieve file", "code": "51", - "ingested": "2022-02-03T12:43:30.264986522Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AppProviderConf\",\"File\":\"Root\\\\main_appprovider.conf.Win64.11.04\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -115,6 +113,68 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2022-03-30T05:51:59.000Z", + "cyberarkpas": { + "audit": { + "action": "Retrieve File", + "ca_properties": { + "other": { + "configuration_schema_version": "12121" + } + }, + "desc": "Retrieve File", + "file": "Root[\\ConfigurationSchemas\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)", + "iso_timestamp": "2022-03-30T05:51:59Z", + "issuer": "PSMApp_FOOBAR", + "message": "Retrieve File", + "rfc5424": true, + "safe": "PVWAConfig", + "severity": "Info", + "station": "10.2.1.12", + "timestamp": "Mar 30 16:51:59" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "retrieve file", + "code": "51", + "kind": "event", + "original": "\u003c5\u003e1 2022-03-30T05:51:59Z HOSTNAME {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 30 16:51:59\",\"IsoTimestamp\":\"2022-03-30T05:51:59Z\",\"Hostname\":\"HOSTNAME\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.1.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_FOOBAR\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root[\\\\ConfigurationSchemas\\\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)\",\"Station\":\"10.2.1.12\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":{\"Name\":\"ConfigurationSchemaVersion\",\"Value\":\"12121\"}}}}}", + "severity": 2 + }, + "file": { + "path": "Root[\\ConfigurationSchemas\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)" + }, + "host": { + "name": "HOSTNAME" + }, + "log": { + "syslog": { + "priority": 5 + } + }, + "observer": { + "hostname": "HOSTNAME", + "product": "Vault", + "vendor": "Cyber-Ark", + "version": 
"12.1.0000" + }, + "related": { + "ip": [ + "10.2.1.12" + ] + }, + "source": { + "address": "10.2.1.12", + "ip": "10.2.1.12" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json index 4f90ce01d67..43c85740c08 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json @@ -36,7 +36,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098128250Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:32:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:43\",\"IsoTimestamp\":\"2021-03-08T18:32:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2 
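Review bot: The only single-entry `CAProperties` case covered here is one whose name ends up under `ca_properties.other` (`configuration_schema_version`), and only for the JSON-only message form. The array-form fixtures in test-52-delete-file use names such as `PolicyID`, `UserName` and `Address`, which presumably map to dedicated fields, and several samples also carry the XML `raw` payload. A second sample with a single `CAProperty` of one of those names would confirm the object-to-list handling on that path as well. This is inferred from the fixtures alone, since the pipeline change itself is not in this part of the diff.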
@@ -112,7 +111,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098130170Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:38:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:38:21\",\"IsoTimestamp\":\"2021-03-08T18:38:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"VaultInternal\",\"File\":\"Root\\\\Operating System-WinServerLocal-components-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinServerLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"LogonDomain\",\"Value\":\"COMPONENTS\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2 
@@ -174,7 +172,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098130663Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T19:20:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:04\",\"IsoTimestamp\":\"2021-03-08T19:20:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"Root\\\\Test_4\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -233,7 +230,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098131150Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T18:59:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\\n \u003cStation\u003e67.43.156.14\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:59:57\",\"IsoTimestamp\":\"2021-03-11T18:59:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Delete 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -310,7 +306,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098131584Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T19:32:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:32:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:32:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_1\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_2\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_3\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_4\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"_PSMLiveSessions_5\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:32:12\",\"IsoTimestamp\":\"2021-03-11T19:32:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"_PSMLiveSessions_1\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_2\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_3\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_4\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_5\",\"Value\":\"\"}]}}}}", "severity": 2 
@@ -382,7 +377,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098132Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T21:06:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.14\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:40\",\"IsoTimestamp\":\"2021-03-11T21:06:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.14\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "severity": 2 
@@ -456,7 +450,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098132435Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T21:06:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.65\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"ASR-CYBERARK-WI\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:50\",\"IsoTimestamp\":\"2021-03-11T21:06:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.65\"},{\"Name\":\"LogonDomain\",\"Value\":\"ASR-CYBERARK-WI\"}]}}}}", "severity": 2 
@@ -530,7 +523,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098132883Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:10:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:10:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:10:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:10:17\",\"IsoTimestamp\":\"2021-03-14T12:10:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "severity": 2 
@@ -608,7 +600,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098133327Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T15:09:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:09:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:09:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" 
Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:09:00\",\"IsoTimestamp\":\"2021-03-15T15:09:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-Oracle-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "severity": 2 
@@ -686,7 +677,6 @@ "event": { "action": "delete file", "code": "52", - "ingested": "2022-02-03T12:43:31.098133733Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-15T15:13:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:13:59\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:13:59Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" 
Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:13:59\",\"IsoTimestamp\":\"2021-03-15T15:13:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json index 6a5026ea4be..440715f1d77 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json 
@@ -62,7 +62,6 @@ "iam" ], "code": "57", - "ingested": "2022-02-03T12:43:33.599812266Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-25T12:00:08Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 08:00:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T12:00:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e57\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux Accounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1616673608\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580255\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011989\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1576120341\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"No\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 08:00:08\",\"IsoTimestamp\":\"2021-03-25T12:00:08Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"57\",\"Desc\":\"CPM Change Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux Accounts\",\"File\":\"Root\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall2;\",\"Message\":\"CPM Change Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"firecall2\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1616673608\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580255\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011989\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1576120341\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"No\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "outcome": "failure", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json index 63ad5aa0b08..a2a8556d13f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json 
@@ -22,7 +22,6 @@ "event": { "action": "clear safe history", "code": "59", - "ingested": "2022-02-03T12:43:33.848901208Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:25:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:25:02\",\"IsoTimestamp\":\"2021-03-04T19:25:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -74,7 +73,6 @@ "event": { "action": "clear safe history", "code": "59", - "ingested": "2022-02-03T12:43:33.848906333Z", "kind": "event", "original": "Mar 08 03:10:31 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -123,7 +121,6 @@ "event": { "action": "clear safe history", "code": "59", - "ingested": "2022-02-03T12:43:33.848906954Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"System\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json index a9599c9f820..5f903d09149 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json 
@@ -62,7 +62,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208553742Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-11T21:12:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615497142\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:12:22\",\"IsoTimestamp\":\"2021-03-11T21:12:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password 
Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615497142\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -181,7 +180,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208555625Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-14T13:18:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=2;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615727895\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:18:15\",\"IsoTimestamp\":\"2021-03-14T13:18:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=2;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615727895\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -298,7 +296,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208556062Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-14T13:46:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:46:13\",\"IsoTimestamp\":\"2021-03-14T13:46:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -417,7 +414,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208556448Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-14T14:49:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=3;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615733350\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 07:49:11\",\"IsoTimestamp\":\"2021-03-14T14:49:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=3;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615733350\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -536,7 +532,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208556808Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T10:12:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=4;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:18\",\"IsoTimestamp\":\"2021-03-15T10:12:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=4;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -654,7 +649,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208557175Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T10:12:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:19\",\"IsoTimestamp\":\"2021-03-15T10:12:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -774,7 +768,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208557532Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-67.43.156.14-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-67.43.156.14-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"67.43.156.15\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -892,7 +885,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208557887Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T13:04:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:04:27\",\"IsoTimestamp\":\"2021-03-15T13:04:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "outcome": "failure", 
@@ -1013,7 +1005,6 @@ "iam" ], "code": "60", - "ingested": "2022-02-03T12:43:34.208558244Z", "kind": "event", "original": "\u003c7\u003e1 2021-03-15T14:44:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-67.43.156.15-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=67.43.156.15;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"67.43.156.15\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:44:37\",\"IsoTimestamp\":\"2021-03-15T14:44:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-67.43.156.15-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-67.43.156.15-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=67.43.156.15;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"67.43.156.15\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "outcome": "failure", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json index 52e4090e11f..3c994ed87e6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json 
@@ -23,7 +23,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761489976Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -90,7 +89,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761491871Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T17:58:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:05\",\"IsoTimestamp\":\"2021-03-10T17:58:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMNotifications\",\"File\":\"Root\\\\SessionControl\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -157,7 +155,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761492288Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -224,7 +221,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761492661Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -292,7 +288,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761493033Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:50:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:29\",\"IsoTimestamp\":\"2021-03-11T16:50:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -351,7 +346,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761493387Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -424,7 +418,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761493733Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:07:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedDiscoveryLogs\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:32\",\"IsoTimestamp\":\"2021-03-14T12:07:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedDiscoveryLogs\",\"File\":\"Root\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 
@@ -486,7 +479,6 @@ "event": { "action": "create file version", "code": "62", - "ingested": "2022-02-03T12:43:37.761494086Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:27\",\"IsoTimestamp\":\"2021-03-14T12:57:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json index 33c9a1f5e3f..1793d33f6d8 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json 
@@ -30,7 +30,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563609130Z", "kind": "event", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e7\u003c/MessageID\u003e\\n \u003cDesc\u003eLogon\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eLogon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogon\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.2.0.3\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\"}}}", "outcome": "success", 
@@ -92,7 +91,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563610993Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -159,7 +157,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563611415Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:20\",\"IsoTimestamp\":\"2021-03-04T19:10:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"SCIM-user\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -226,7 +223,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563611783Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:20\",\"IsoTimestamp\":\"2021-03-04T19:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -293,7 +289,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563612152Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -360,7 +355,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563612508Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-05T10:18:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 02:18:50\",\"IsoTimestamp\":\"2021-03-05T10:18:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -432,7 +426,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563612854Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", 
@@ -508,7 +501,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563613235Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", @@ -593,7 +585,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563613596Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "outcome": "success", 
@@ -673,7 +664,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563613967Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -749,7 +739,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563614315Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -825,7 +814,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:39.563614839Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:49\",\"IsoTimestamp\":\"2021-03-10T09:11:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json index c34a37736f9..84cdd8aca95 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json 
@@ -25,7 +25,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880963063Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:19:15\",\"IsoTimestamp\":\"2021-03-08T18:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -92,7 +91,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880965182Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:59:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:59:23\",\"IsoTimestamp\":\"2021-03-08T18:59:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -159,7 +157,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880965612Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:28:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:28\",\"IsoTimestamp\":\"2021-03-10T08:28:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -226,7 +223,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880965966Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:28:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:29\",\"IsoTimestamp\":\"2021-03-10T08:28:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -293,7 +289,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880966324Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -360,7 +355,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880966682Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -427,7 +421,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880967043Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:33\",\"IsoTimestamp\":\"2021-03-10T09:11:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -503,7 +496,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880967393Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:12:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:20\",\"IsoTimestamp\":\"2021-03-10T09:12:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -579,7 +571,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880967773Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:12:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:27\",\"IsoTimestamp\":\"2021-03-10T09:12:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -655,7 +646,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880968122Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:17:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:27\",\"IsoTimestamp\":\"2021-03-10T22:17:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -746,7 +736,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880968536Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.13\"}}}", "outcome": "success", 
@@ -832,7 +821,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880969052Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:48:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.13\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:28\",\"IsoTimestamp\":\"2021-03-11T17:48:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.13\"}}}", "outcome": "success", 
@@ -904,7 +892,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880969401Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T17:49:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:49:06\",\"IsoTimestamp\":\"2021-03-11T17:49:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -981,7 +968,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880969754Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:20\",\"IsoTimestamp\":\"2021-03-14T12:57:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -1072,7 +1058,6 @@ "session" ], "code": "8", - "ingested": "2022-02-03T12:43:42.880970106Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T13:49:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e67.43.156.15\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:49:36\",\"IsoTimestamp\":\"2021-03-14T13:49:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"67.43.156.15\"}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json index 184d6c8bce2..240ee979e92 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099219023Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -74,7 +73,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099220889Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -125,7 +123,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099221405Z", "kind": "event", "original": "Mar 08 02:54:46 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -173,7 +170,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099221759Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:29:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:19\",\"IsoTimestamp\":\"2021-03-10T08:29:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -226,7 +222,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099222112Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T08:29:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:28\",\"IsoTimestamp\":\"2021-03-10T08:29:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -279,7 +274,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099222461Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -341,7 +335,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099222819Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -403,7 +396,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099223176Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T09:11:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:55\",\"IsoTimestamp\":\"2021-03-10T09:11:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -465,7 +457,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099223524Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -527,7 +518,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099223895Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -589,7 +579,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099224250Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -651,7 +640,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099225049Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -714,7 +702,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099225419Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:54\",\"IsoTimestamp\":\"2021-03-11T16:59:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -777,7 +764,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099225769Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T16:59:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.13\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:55\",\"IsoTimestamp\":\"2021-03-11T16:59:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -840,7 +826,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099226117Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -903,7 +888,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099226465Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -966,7 +950,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099226934Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -1029,7 +1012,6 @@ "event": { "action": "set password", "code": "88", - "ingested": "2022-02-03T12:43:47.099227292Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e67.43.156.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"67.43.156.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json index c4df1dd46b7..8b48e210aaf 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "open file (write only)", "code": "98", - "ingested": "2022-02-03T12:43:51.225239551Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -81,7 +80,6 @@ "event": { "action": "open file (write only)", "code": "98", - "ingested": "2022-02-03T12:43:51.225241892Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T18:44:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:44:08\",\"IsoTimestamp\":\"2021-03-10T18:44:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.13\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -148,7 +146,6 @@ "event": { "action": "open file (write only)", "code": "98", - "ingested": "2022-02-03T12:43:51.225242427Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-10T22:17:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:40\",\"IsoTimestamp\":\"2021-03-10T22:17:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"67.43.156.14\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "severity": 2 
@@ -221,7 +218,6 @@ "event": { "action": "open file (write only)", "code": "98", - "ingested": "2022-02-03T12:43:51.225242866Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e98\u003c/MessageID\u003e\\n \u003cDesc\u003eOpen File (Write Only)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eOpen File (Write Only)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eOpen File (Write Only)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write 
Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"10.0.1.20\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json index 5496f68514e..255d6b16e2a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json @@ -23,7 +23,6 @@ "event": { "action": "open file", "code": "99", - "ingested": "2022-02-03T12:43:52.088006437Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"99\",\"Desc\":\"Open File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\EPMConfiguration.xml\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml index c59c2e72ffa..80145382e3e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,4 @@ dynamic_fields: - event.ingested: ".*" "@timestamp": "^[0-9]{4}(-[0-9]{2}){2}T[0-9]{2}(:[0-9]{2}){2}\\.[0-9]{3}Z$" fields: tags: diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json index d84b0eab096..28dc15641d9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json @@ -21,7 +21,6 @@ "event": { "action": "retrieve file", "code": "51", - "ingested": "2022-02-03T12:43:52.332421214Z", "kind": "event", "original": "Mar 08 03:41:01 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-BusinessWebsite.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "severity": 2 diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json index 0c3a4549d4b..c70ca05ad8f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json 
@@ -25,7 +25,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:52.783799583Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T17:27:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:14\",\"IsoTimestamp\":\"2021-03-04T17:27:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", @@ -92,7 +91,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:52.783801796Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", 
@@ -157,7 +155,6 @@ "event": { "action": "retrieve file", "code": "51", - "ingested": "2022-02-03T12:43:52.783802270Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "severity": 2 @@ -217,7 +214,6 @@ "session" ], "code": "7", - "ingested": "2022-02-03T12:43:52.783802744Z", "kind": "event", "original": "\u003c5\u003e1 2021-03-04T17:27:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:33\",\"IsoTimestamp\":\"2021-03-04T17:27:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "outcome": "success", diff --git a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 235c9d36ab7..845c3cc4b87 100644 
--- a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -5,9 +5,6 @@ processors: # # Set ECS version and event.ingested # - - set: - field: event.ingested - value: '{{{_ingest.timestamp}}}' - set: field: ecs.version value: '8.0.0' @@ -184,6 +181,18 @@ processors: ignore_empty_value: true override: true + # This script ensures that CAProperties.CAProperty is an array. + # When there's a single property, it is serialised as an object instead + # of a single element array. + - script: + lang: painless + description: "Converts CAProperties into an array if necessary" + source: > + def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty; + if (props != null && props instanceof Map) { + ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ]; + } + # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty # into an object under cyberarkpas.audit.CAProperties: # diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml index 2fa53de791f..f364177e43a 100644 --- a/packages/cyberarkpas/manifest.yml +++ b/packages/cyberarkpas/manifest.yml @@ -1,6 +1,6 @@ name: cyberarkpas title: CyberArk Privileged Access Security Logs -version: 2.3.1 +version: 2.3.2 release: ga description: Collect audit logs from Cyberark Vault servers with Elastic Agent. type: integration
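Review bot: In the `script` processor added by the `@@ -184,6 +181,18 @@` hunk of `default.yml`, only the `Map` shape of `CAProperty` is normalised, and the `props != null &&` test in front of it is redundant because `instanceof` is already false for null; the condition can read `if (props instanceof Map) {`. Whether a single property can arrive in any other shape is not visible here, but if it can, the conversion script that follows would presumably still reject the event. For a vault audit feed, an event that fails ingestion is a gap in the audit trail, so a pipeline test fixture with exactly one `CAProperty` entry is worth adding if the commit does not already include one outside the lines shown here. The `processors:` list begins before and continues after this hunk.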