Skip to content

Commit

Permalink
Cyberark Privileged Access Security module (#24803)
Browse files Browse the repository at this point in the history 
This PR adds a new module, cyberarkpas, to ingest Privileged Access Security audit logs from Vault via syslog.
  • Loading branch information
@adriansr
adriansr authored Apr 19, 2021
1 parent 8c1b8f2 commit 2d51864
Show file tree
Hide file tree
Showing 173 changed files with 25,221 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -836,6 +836,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add `fail_on_template_error` option for httpjson input. {pull}24784[24784]
- Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636]
- Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]

*Heartbeat*

Expand Down
263 changes: 263 additions & 0 deletions filebeat/docs/fields.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ grouped in the following categories:
* <<exported-fields-coredns>>
* <<exported-fields-crowdstrike>>
* <<exported-fields-cyberark>>
* <<exported-fields-cyberarkpas>>
* <<exported-fields-cylance>>
* <<exported-fields-docker-processor>>
* <<exported-fields-ecs>>
Expand Down Expand Up @@ -34178,6 +34179,268 @@ type: keyword

--

[[exported-fields-cyberarkpas]]
== CyberArk PAS fields

cyberarkpas fields.




[float]
=== audit

Cyberark Privileged Access Security Audit fields.



*`cyberarkpas.audit.action`*::
+
--
A description of the audit record.

type: keyword

--

*`cyberarkpas.audit.ca_properties`*::
+
--
Account metadata.

type: flattened

--

*`cyberarkpas.audit.category`*::
+
--
The category name (for category-related operations).

type: keyword

--

*`cyberarkpas.audit.desc`*::
+
--
A static value that displays a description of the audit codes.

type: keyword

--

*`cyberarkpas.audit.extra_details`*::
+
--
Specific extra details of the audit records.

type: flattened

--

*`cyberarkpas.audit.file`*::
+
--
The name of the target file.

type: keyword

--

*`cyberarkpas.audit.gateway_station`*::
+
--
The IP of the web application machine (PVWA).

type: ip

--

*`cyberarkpas.audit.hostname`*::
+
--
The hostname, in upper case.

type: keyword

example: MY-COMPUTER

--

*`cyberarkpas.audit.iso_timestamp`*::
+
--
The timestamp, in ISO Timestamp format (RFC 3339).

type: date

example: 2013-06-25 10:47:19+00:00

--

*`cyberarkpas.audit.issuer`*::
+
--
The Vault user who wrote the audit. This is usually the user who performed the operation.

type: keyword

--

*`cyberarkpas.audit.location`*::
+
--
The target Location (for Location operations).

type: keyword

Field is not indexed.

--

*`cyberarkpas.audit.message`*::
+
--
A description of the audit records (same information as in the Desc field).

type: keyword

--

*`cyberarkpas.audit.message_id`*::
+
--
The code ID of the audit records.

type: keyword

--

*`cyberarkpas.audit.product`*::
+
--
A static value that represents the product.

type: keyword

--

*`cyberarkpas.audit.pvwa_details`*::
+
--
Specific details of the PVWA audit records.

type: flattened

--

*`cyberarkpas.audit.raw`*::
+
--
Raw XML for the original audit record. Only present when XSLT file has debugging enabled.


type: keyword

Field is not indexed.

--

*`cyberarkpas.audit.reason`*::
+
--
The reason entered by the user.

type: text

--

*`cyberarkpas.audit.rfc5424`*::
+
--
Whether the syslog format complies with RFC5424.

type: boolean

example: True

--

*`cyberarkpas.audit.safe`*::
+
--
The name of the target Safe.

type: keyword

--

*`cyberarkpas.audit.severity`*::
+
--
The severity of the audit records.

type: keyword

--

*`cyberarkpas.audit.source_user`*::
+
--
The name of the Vault user who performed the operation.

type: keyword

--

*`cyberarkpas.audit.station`*::
+
--
The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.

type: ip

--

*`cyberarkpas.audit.target_user`*::
+
--
The name of the Vault user on which the operation was performed.

type: keyword

--

*`cyberarkpas.audit.timestamp`*::
+
--
The timestamp, in MMM DD HH:MM:SS format.

type: keyword

example: Jun 25 10:47:19

--

*`cyberarkpas.audit.vendor`*::
+
--
A static value that represents the vendor.

type: keyword

--

*`cyberarkpas.audit.version`*::
+
--
A static value that represents the version of the Vault.

type: keyword

--

[[exported-fields-cylance]]
== CylanceProtect fields

Expand Down
Binary file added filebeat/docs/images/filebeat-cyberarkpas-overview.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit 2d51864

Please sign in to comment.