
New CyberArk rules and decoders #177

Open
wants to merge 1 commit into master


@SitoRBJ SitoRBJ (Contributor) commented Aug 28, 2018

We have created rules and decoders for CyberArk events.

```
Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM
```


```
**Phase 1: Completed pre-decoding.
       full event: 'Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM'
       timestamp: 'Sep 21 13:49:33'
       hostname: 'GADC-VAULT001'
       program_name: 'CEF'
       log: '0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM'

**Phase 2: Completed decoding.
       decoder: 'cyberark'
       type: 'Retrieve password'
       suser: 'PasswordManager'
       fname: 'Root\Operating System-HP-WindowsServerLocalAccounts'
       shost: '192.168.1.2'
       dsthost: 'gadc-spfsrvp01.'
       duser: 'GSH001'
       sessionID: '1'
       protocol_: '4'
       command: '5'
       affected-user-name: '123'
       safe-name: 'WIN-P-SPOTFIRE-LA'
       device-type: 'Operating System'
       database: '123'
       other-info: '123'
       request_id: '123'
       ticket_id: 'CPM '
       msg: 'CPM'

**Phase 3: Completed filtering (rules).
       Rule id: '89101'
       Level: '3'
       Description: 'CyberArk'
**Alert to be generated.
```

Kind regards,

Alfonso Ruiz-Bravo
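The logtest output above shows what a CEF decoder has to do with a CyberArk Vault line: split the seven pipe-separated header fields, walk the `key=value` extension where values may contain spaces, and turn `csNLabel`/`cnNLabel` pairs into named fields such as `safe-name`. As an added example, not code from the pull request or from the Wazuh decoder it proposes, the Python below does that parsing stand-alone. The sample line is the PR's line re-typed as constructed input, the output field names (`safe-name`, `ticket-id`, and so on) are this example's own naming, and the parser trims value whitespace, so the double space before `msg=` yields `CPM` rather than the `'CPM '` visible in the posted decoder output.

```python
import re

# Constructed sample: the CyberArk Vault CEF line from the pull request,
# re-typed here as test input (not captured from a live vault).
SAMPLE = (
    "Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|"
    "Retrieve password|1|act=Retrieve password suser=PasswordManager "
    "fname=Root\\Operating System-HP-WindowsServerLocalAccounts dvc= "
    "SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 "
    "SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 "
    "CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 "
    "AccountUsername=myacount cs1Label=\"Affected User Name\" cs1=123 "
    "cs2Label=\"Safe Name\" cs2=WIN-P-SPOTFIRE-LA cs3Label=\"Device Type\" "
    "cs3=Operating System cs4Label=\"Database\" cs4=123 cs5Label=\"Other info\" "
    "cs5=123 cn1Label=\"Request Id\" cn1=123 cn2Label=\"Ticket Id\" cn2=CPM  msg=CPM"
)

# CEF header order: Version|Device Vendor|Device Product|Device Version|
# Device Event Class ID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")

# In the header only "\|" and "\\" are escapes; an unescaped "|" separates fields.
HEADER_SEP = re.compile(r"(?<!\\)\|")
# In the extension a key is a run of [A-Za-z0-9_] at the start of the text or
# after whitespace, immediately followed by "=". An escaped "\=" inside a value
# can never satisfy this, so it does not start a new pair.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
# "csNLabel" / "cnNLabel" carry the human name of the custom field csN / cnN.
LABEL_KEY = re.compile(r"^(c[sn]\d+)Label$")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def unescape_header(text):
    return re.sub(r"\\([|\\])", lambda m: m.group(1), text)


def unescape_extension(text):
    # Only the escapes CEF defines are decoded. A backslash followed by anything
    # else (e.g. the "\O" in the fname above) is kept verbatim, which is also
    # what the posted decoder output shows.
    return re.sub(r"\\([=\\nr])", lambda m: _EXT_ESCAPES[m.group(1)], text)


def parse_extension(text):
    """Split 'k1=v1 k2=v2 ...' into a dict. Values may contain spaces; a value
    ends where the next key starts, and surrounding whitespace is trimmed so
    'cn2=CPM  msg=CPM' yields 'CPM', not 'CPM '."""
    keys = list(EXT_KEY.finditer(text))
    pairs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        pairs[m.group(1)] = unescape_extension(text[m.end():end].strip())
    return pairs


def resolve_labels(ext):
    """Map csN/cnN custom fields to names derived from their labels
    (lower-cased, spaces to hyphens): cs2Label="Safe Name" -> safe-name.
    The naming scheme is this example's choice, not a CEF rule."""
    named = {}
    for key, label in ext.items():
        m = LABEL_KEY.match(key)
        if m and m.group(1) in ext:
            field = re.sub(r"\s+", "-", label.strip().strip('"').lower())
            named[field] = ext[m.group(1)]
    return named


def parse_cef(line):
    """Parse a syslog line carrying a CEF record. Returns None if the line has
    no 'CEF:' marker or its header lacks seven pipe-separated fields; otherwise
    a dict with 'header', 'extension' and 'custom' (label-resolved fields)."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = HEADER_SEP.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        return None
    header = dict(zip(HEADER_FIELDS, (unescape_header(p) for p in parts[:7])))
    extension = parse_extension(parts[7])
    return {"header": header, "extension": extension,
            "custom": resolve_labels(extension)}


if __name__ == "__main__":
    event = parse_cef(SAMPLE)
    print(event["header"]["name"], event["extension"]["suser"],
          "->", event["extension"]["duser"], "@", event["extension"]["dhost"])
    print(event["custom"])
```

Two things worth checking when writing the real decoder against this: the vault's `fname` value carries a bare backslash (`Root\Operating`), which is not legal CEF escaping, so a strict unescaper that drops unknown `\X` sequences would silently corrupt the path; and the `Label` values arrive double-quoted here although CEF itself does not quote them, so the quotes have to be stripped before the label is used as a field name.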
