Add decoders for CyberArk logs #600

Open
K-Embee opened this issue Apr 7, 2020 · 0 comments · May be fixed by #596
K-Embee commented Apr 7, 2020

PR #177 added decoders for CyberArk and a grouping rule, but it was never merged. In addition, the PR is also missing a .ini test file. #596 adds this and points it to the latest branch.

Logtest example:

```
Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM
```

Logtest output:

```
**Phase 1: Completed pre-decoding.
       full event: 'Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM'
       timestamp: 'Sep 21 13:49:33'
       hostname: 'GADC-VAULT001'
       program_name: 'CEF'
       log: '0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM'

**Phase 2: Completed decoding.
       decoder: 'cyberark'
       type: 'Retrieve password'
       suser: 'PasswordManager'
       fname: 'Root\Operating System-HP-WindowsServerLocalAccounts'
       shost: '192.168.1.2'
       dsthost: 'gadc-spfsrvp01.'
       duser: 'GSH001'
       sessionID: '1'
       protocol_: '4'
       command: '5'
       affected-user-name: '123'
       safe-name: 'WIN-P-SPOTFIRE-LA'
       device-type: 'Operating System'
       database: '123'
       other-info: '123'
       request_id: '123'
       ticket_id: 'CPM '
       msg: 'CPM'

**Phase 3: Completed filtering (rules).
       Rule id: '89101'
       Level: '3'
       Description: 'CyberArk'
**Alert to be generated.
```
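The decoder XML from #596 is not on this page, so the following is an added illustration and not the PR's decoder or any Wazuh project code. It reproduces in Python what the Phase 2 output above shows the decoder doing: split the syslog prefix from the CEF record, split the seven pipe-separated header fields, extract the space-separated `key=value` extension (values may contain spaces, as in `act=Retrieve password`, or be empty, as in `dvc=`), and resolve each `csNLabel`/`csN` and `cnNLabel`/`cnN` pair into a named field. Two choices are assumptions of this example rather than behaviour of the decoder: label names are normalized to lowercase with underscores (the logtest output mixes hyphens and underscores), and values are trimmed, so `cn2=CPM  msg=CPM` yields `ticket_id` of `CPM` rather than the `'CPM '` the decoder produced from the double space. The `summarize` helper and the sample line (copied from the issue) are likewise constructed for this example.

```python
import re
from typing import Dict, Optional

# Constructed sample: the log line from the issue's logtest example, with the
# literal backslash in "Root\Operating" kept as the device emits it.
SAMPLE_LINE = (
    'Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|'
    'act=Retrieve password suser=PasswordManager '
    'fname=Root\\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= '
    'shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 '
    'UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 '
    'AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" '
    'cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" '
    'cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 '
    'cn2Label="Ticket Id" cn2=CPM  msg=CPM'
)

# Syslog prefix as the logtest pre-decoding phase sees it: timestamp, hostname, then CEF.
SYSLOG_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'
    r'(?P<hostname>\S+)\s+(?P<cef>CEF:.*)$'
)
# The seven pipe-separated CEF header fields that precede the extension.
HEADER_FIELDS = ('cef_version', 'vendor', 'product', 'version',
                 'signature_id', 'name', 'severity')
# Extension: a value runs until the next " key=" or end of line, so values with
# spaces ("Retrieve password") and empty values ("dvc=") are both handled.
EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
LABEL_RE = re.compile(r'^(cs|cn)(\d+)Label$')
# CEF escapes '|' and '\' in the header, '=' and '\' in the extension.
HEADER_UNESCAPE = re.compile(r'\\([\\|])')
EXT_UNESCAPE = re.compile(r'\\([\\=])')


def parse_extension(extension: str) -> Dict[str, str]:
    """Extract key=value pairs from the CEF extension part."""
    fields = {}
    for key, value in EXT_RE.findall(extension):
        value = EXT_UNESCAPE.sub(r'\1', value.strip())
        # CyberArk wraps label text in double quotes; drop them.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def resolve_custom_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Turn csNLabel/csN and cnNLabel/cnN pairs into named fields (assumed naming)."""
    named = dict(fields)
    for key, label in fields.items():
        m = LABEL_RE.match(key)
        if not m:
            continue
        value_key = m.group(1) + m.group(2)
        name = re.sub(r'[^a-z0-9]+', '_', label.lower()).strip('_')
        # Do not let a vendor label shadow a standard key such as "msg".
        if value_key in fields and name and name not in fields:
            named[name] = fields[value_key]
    return named


def decode_cyberark(line: str) -> Optional[Dict[str, str]]:
    """Decode one syslog-wrapped (or bare) CEF line; None if it is not CEF."""
    event: Dict[str, str] = {}
    m = SYSLOG_RE.match(line)
    if m:
        event['timestamp'] = m.group('timestamp')
        event['hostname'] = m.group('hostname')
        cef = m.group('cef')
    elif line.startswith('CEF:'):
        cef = line
    else:
        return None
    parts = re.split(r'(?<!\\)\|', cef, maxsplit=7)
    if len(parts) < 7:
        return None  # truncated header: not a complete CEF record
    for field, raw in zip(HEADER_FIELDS, parts[:7]):
        event[field] = HEADER_UNESCAPE.sub(r'\1', raw)
    event['cef_version'] = event['cef_version'][len('CEF:'):]
    extension = parts[7] if len(parts) == 8 else ''
    event.update(resolve_custom_labels(parse_extension(extension)))
    return event


def summarize(event: Dict[str, str]) -> str:
    """One-line alert summary: who did what to which account, from which safe."""
    return (f"{event.get('suser', '?')} {event.get('name', '?').lower()}: "
            f"account {event.get('AccountUsername', '?')} in safe "
            f"{event.get('safe_name', '?')} for {event.get('duser', '?')} "
            f"on {event.get('dhost', '?')} (request {event.get('request_id', '?')})")


if __name__ == '__main__':
    ev = decode_cyberark(SAMPLE_LINE)
    for k, v in ev.items():
        print(f'{k}: {v!r}')
    print(summarize(ev))
```

The label resolution is the part worth checking when writing or testing a decoder for this source: the `cs`/`cn` slots are only meaningful together with their `Label` companions, and a `.ini` test like the one #596 adds should assert on the resolved names (safe name, request id) rather than on `cs2` or `cn1`, since the vendor can reassign those slots between event types.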