Creating Cyberark PTA integration

.github/CODEOWNERS

@@ -52,6 +52,7 @@
 /packages/couchdb @elastic/obs-service-integrations
 /packages/crowdstrike @elastic/security-external-integrations
 /packages/cyberark @elastic/security-external-integrations
+/packages/cyberark_pta @elastic/security-external-integrations
 /packages/cyberarkpas @elastic/security-external-integrations
 /packages/cylance @elastic/security-external-integrations
 /packages/dga @elastic/ml-ui

packages/cyberark_pta/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.3.0

packages/cyberark_pta/_dev/build/docs/README.md

@@ -0,0 +1,100 @@
+# Cyberark Privileged Threat Analytics
+
+CyberArk's Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts that are managed in the CyberArk Privileged Access Security (PAS) platform. This integration collects analytics from PTA's syslog via CEF-formatted logs.
+
+### Configuration
+
+Follow the steps described under [Send PTA syslog records to SIEM](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm) documentation to setup the integration:
+
+- Sample syslog configuration for `systemparm.properties`:
+
+```ini
+[SYSLOG]
+syslog_outbound=[{"siem": "Elastic", "format": "CEF", "host": "SIEM_MACHINE_ADDRESS", "port": 9301, "protocol": "TCP"}]
+```
+
+### Example event
+An example event for pta looks as following:
+
+```json
+{
+  "cef": {
+    "device": {
+      "event_class_id": "1",
+      "product": "PTA",
+      "vendor": "CyberArk",
+      "version": "12.6"
+    },
+    "extensions": {
+      "destinationAddress": "175.16.199.0",
+      "destinationHostName": "dev1.domain.com",
+      "destinationUserName": "andy@dev1.domain.com",
+      "deviceCustomDate1": "2014-01-01T12:05:00.000Z",
+      "deviceCustomDate1Label": "detectionDate",
+      "deviceCustomString1": "None",
+      "deviceCustomString1Label": "ExtraData",
+      "deviceCustomString2": "52b06812ec3500ed864c461e",
+      "deviceCustomString2Label": "EventID",
+      "deviceCustomString3": "https://1.128.0.0/incidents/52b06812ec3500ed864c461e",
+      "deviceCustomString3Label": "PTAlink",
+      "deviceCustomString4": "https://myexternallink.com",
+      "deviceCustomString4Label": "ExternalLink",
+      "sourceAddress": "1.128.0.0",
+      "sourceHostName": "prod1.domain.com",
+      "sourceUserName": "mike2@prod1.domain.com"
+    },
+    "name": "Suspected credentials theft",
+    "severity": "8",
+    "version": "0"
+  },
+  "destination": {
+    "domain": "dev1.domain.com",
+    "ip": "175.16.199.0",
+    "user": {
+      "name": "andy@dev1.domain.com"
+    }
+  },
+  "ecs": {
+    "version": "8.3.0"
+  },
+  "event": {
+    "code": "1",
+    "created": [
+      "2014-01-01T12:05:00.000Z"
+    ],
+    "id": [
+      "52b06812ec3500ed864c461e"
+    ],
+    "ingested": "2022-07-28T14:05:49Z",
+    "original": "CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.128.0.0 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=175.16.199.0 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.128.0.0/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=https://myexternallink.com",
+    "reference": [
+      "https://1.128.0.0/incidents/52b06812ec3500ed864c461e"
+    ],
+    "severity": 8,
+    "url": [
+      "https://myexternallink.com"
+    ]
+  },
+  "message": "Suspected credentials theft",
+  "observer": {
+    "product": "PTA",
+    "vendor": "CyberArk",
+    "version": "12.6"
+  },
+  "source": {
+    "domain": "prod1.domain.com",
+    "ip": "1.128.0.0",
+    "user": {
+      "name": "mike2@prod1.domain.com"
+    }
+  },
+  "tags": [
+    "cyberark_pta",
+    "forwarded"
+  ]
+}
+```
+
+**Exported fields**
+
+{{fields "events"}}

packages/cyberark_pta/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,12 @@
+version: "2.3"
+services:
+  cyberark-pta-udp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/*.log
+  cyberark-pta-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/*.log

packages/cyberark_pta/_dev/deploy/docker/sample_logs/active_dormant_user.log

@@ -0,0 +1 @@
+CEF:0|CyberArk|PTA|11.4|26|Active dormant Vault user|5|suser=Administrator(Vault user) shost=None src=None duser=svc_account@components.cyberark.local dhost=components.cyberark.local dst=10.0.1.20 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=62bb9d97c2dcd9b6beb4cc15 deviceCustomDate1Label=DetectionDate deviceCustomDate1=1656462743000 cs3Label=PTALink cs3=https://components.cyberark.local:443/PasswordVault/v10/pta/events/62bb9d97c2dcd9b6beb4cc15 cs4Label=ExternalLink cs4=None.

packages/cyberark_pta/_dev/deploy/docker/sample_logs/suspected_cred_theft.log

@@ -0,0 +1 @@
+CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.1.1.1 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=None

packages/cyberark_pta/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: initial beta release
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3908

packages/cyberark_pta/data_stream/events/_dev/test/pipeline/test-active-dormant-user.json

@@ -0,0 +1,65 @@
+{
+    "events": [
+        {
+            "cef": {
+                "severity": "5",
+                "extensions": {
+                    "deviceCustomString3Label": "PTALink",
+                    "destinationAddress": "10.0.1.20",
+                    "sourceAddress": "10.0.0.3",
+                    "sourceHostName": "None",
+                    "sourceUserName": "Administrator(Vault user)",
+                    "deviceCustomString1": "None",
+                    "deviceCustomDate1": "2022-06-29T00:32:23.000Z",
+                    "deviceCustomString3": "https://components.cyberark.local:443/PasswordVault/v10/pta/events/62bb9d97c2dcd9b6beb4cc15",
+                    "deviceCustomString1Label": "ExtraData",
+                    "deviceCustomString2": "62bb9d97c2dcd9b6beb4cc15",
+                    "destinationHostName": "components.cyberark.local",
+                    "deviceCustomString4": "None.",
+                    "destinationUserName": "svc_account@components.cyberark.local",
+                    "deviceCustomString4Label": "ExternalLink",
+                    "deviceCustomDate1Label": "DetectionDate",
+                    "deviceCustomString2Label": "EventID"
+                },
+                "name": "Active dormant Vault user",
+                "version": "0",
+                "device": {
+                    "product": "PTA",
+                    "event_class_id": "26",
+                    "vendor": "CyberArk",
+                    "version": "11.4"
+                }
+            },
+            "destination": {
+                "domain": "components.cyberark.local",
+                "ip": "10.0.1.20",
+                "user": {
+                    "name": "svc_account@components.cyberark.local"
+                }
+            },
+            "source": {
+                "ip": "10.0.0.3",
+                "domain": "None",
+                "user": {
+                    "name": "Administrator(Vault user)"
+                }
+            },
+            "message": "Active dormant Vault user",
+            "tags": [
+                "cyberark_pta",
+                "forwarded"
+            ],
+            "observer": {
+                "product": "PTA",
+                "vendor": "CyberArk",
+                "version": "11.4"
+            },
+            "event": {
+                "severity": 5,
+                "ingested": "2022-07-29T16:33:40Z",
+                "original": "CEF:0|CyberArk|PTA|11.4|26|Active dormant Vault user|5|suser=Administrator(Vault user) shost=None src=10.0.0.3 duser=svc_account@components.cyberark.local dhost=components.cyberark.local dst=10.0.1.20 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=62bb9d97c2dcd9b6beb4cc15 deviceCustomDate1Label=DetectionDate deviceCustomDate1=1656462743000 cs3Label=PTALink cs3=https://components.cyberark.local:443/PasswordVault/v10/pta/events/62bb9d97c2dcd9b6beb4cc15 cs4Label=ExternalLink cs4=None.",
+                "code": "26"
+            }
+        }
+    ]
+}

packages/cyberark_pta/data_stream/events/_dev/test/pipeline/test-active-dormant-user.json-expected.json

@@ -0,0 +1,77 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2022-06-29T00:32:23.000Z",
+            "cef": {
+                "device": {
+                    "event_class_id": "26",
+                    "product": "PTA",
+                    "vendor": "CyberArk",
+                    "version": "11.4"
+                },
+                "extensions": {
+                    "destinationAddress": "10.0.1.20",
+                    "destinationHostName": "components.cyberark.local",
+                    "destinationUserName": "svc_account@components.cyberark.local",
+                    "deviceCustomDate1": "2022-06-29T00:32:23.000Z",
+                    "deviceCustomDate1Label": "DetectionDate",
+                    "deviceCustomString1": "None",
+                    "deviceCustomString1Label": "ExtraData",
+                    "deviceCustomString2": "62bb9d97c2dcd9b6beb4cc15",
+                    "deviceCustomString2Label": "EventID",
+                    "deviceCustomString3": "https://components.cyberark.local:443/PasswordVault/v10/pta/events/62bb9d97c2dcd9b6beb4cc15",
+                    "deviceCustomString3Label": "PTALink",
+                    "deviceCustomString4": "None.",
+                    "deviceCustomString4Label": "ExternalLink",
+                    "sourceAddress": "10.0.0.3",
+                    "sourceHostName": "None",
+                    "sourceUserName": "Administrator(Vault user)"
+                },
+                "name": "Active dormant Vault user",
+                "severity": "5",
+                "version": "0"
+            },
+            "cyberark_pta": {
+                "log": {
+                    "event_type": "26"
+                }
+            },
+            "destination": {
+                "domain": "components.cyberark.local",
+                "ip": "10.0.1.20",
+                "user": {
+                    "name": "svc_account@components.cyberark.local"
+                }
+            },
+            "ecs": {
+                "version": "8.3.0"
+            },
+            "event": {
+                "code": "26",
+                "id": "62bb9d97c2dcd9b6beb4cc15",
+                "ingested": "2022-07-29T16:33:40Z",
+                "original": "CEF:0|CyberArk|PTA|11.4|26|Active dormant Vault user|5|suser=Administrator(Vault user) shost=None src=10.0.0.3 duser=svc_account@components.cyberark.local dhost=components.cyberark.local dst=10.0.1.20 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=62bb9d97c2dcd9b6beb4cc15 deviceCustomDate1Label=DetectionDate deviceCustomDate1=1656462743000 cs3Label=PTALink cs3=https://components.cyberark.local:443/PasswordVault/v10/pta/events/62bb9d97c2dcd9b6beb4cc15 cs4Label=ExternalLink cs4=None.",
+                "reason": "Active dormant Vault user",
+                "reference": "https://components.cyberark.local:443/PasswordVault/v10/pta/events/62bb9d97c2dcd9b6beb4cc15",
+                "severity": 5,
+                "url": "None."
+            },
+            "observer": {
+                "product": "PTA",
+                "vendor": "CyberArk",
+                "version": "11.4"
+            },
+            "source": {
+                "domain": "None",
+                "ip": "10.0.0.3",
+                "user": {
+                    "name": "Administrator(Vault user)"
+                }
+            },
+            "tags": [
+                "cyberark_pta",
+                "forwarded"
+            ]
+        }
+    ]
+}

packages/cyberark_pta/data_stream/events/_dev/test/pipeline/test-generated.log-config.yml

@@ -0,0 +1,6 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
+    - cyberark_pta

packages/cyberark_pta/data_stream/events/_dev/test/pipeline/test-suspected-cred-theft.json

@@ -0,0 +1,65 @@
+{
+    "events": [
+        {
+            "cef": {
+                "severity": "8",
+                "extensions": {
+                    "destinationAddress": "175.16.199.0",
+                    "deviceCustomString3Label": "PTAlink",
+                    "sourceHostName": "prod1.domain.com",
+                    "sourceAddress": "1.128.0.0",
+                    "sourceUserName": "mike2@prod1.domain.com",
+                    "deviceCustomString1": "None",
+                    "deviceCustomDate1": "2014-01-01T12:05:00.000Z",
+                    "deviceCustomString3": "https://1.128.0.0/incidents/52b06812ec3500ed864c461e",
+                    "deviceCustomString2": "52b06812ec3500ed864c461e",
+                    "deviceCustomString1Label": "ExtraData",
+                    "destinationHostName": "dev1.domain.com",
+                    "deviceCustomString4": "https://myexternallink.com",
+                    "destinationUserName": "andy@dev1.domain.com",
+                    "deviceCustomString4Label": "ExternalLink",
+                    "deviceCustomDate1Label": "detectionDate",
+                    "deviceCustomString2Label": "EventID"
+                },
+                "name": "Suspected credentials theft",
+                "version": "0",
+                "device": {
+                    "product": "PTA",
+                    "event_class_id": "1",
+                    "vendor": "CyberArk",
+                    "version": "12.6"
+                }
+            },
+            "destination": {
+                "domain": "dev1.domain.com",
+                "ip": "175.16.199.0",
+                "user": {
+                    "name": "andy@dev1.domain.com"
+                }
+            },
+            "source": {
+                "domain": "prod1.domain.com",
+                "ip": "1.128.0.0",
+                "user": {
+                    "name": "mike2@prod1.domain.com"
+                }
+            },
+            "message": "Suspected credentials theft",
+            "tags": [
+                "cyberark_pta",
+                "forwarded"
+            ],
+            "observer": {
+                "product": "PTA",
+                "vendor": "CyberArk",
+                "version": "12.6"
+            },
+            "event": {
+                "severity": 8,
+                "original": "CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.128.0.0 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=175.16.199.0 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.128.0.0/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=https://myexternallink.com",
+                "code": "1",
+                "ingested": "2022-07-28T14:05:49Z"
+            }
+        }
+    ]
+}