forked from demisto/content
Keeper Secrets Manager Event Collector (demisto#35107)
* Init integration
* Moved to right path
* CR fixes
* Deleted files
* Deleted comments
* Dummy
* Trying out SDK
* Stash changes
* Don't throw error
* Deleted if statement
* Added authentication and fetch
* Organized code
* Added docs, refresh token, updated fetch events
* Updated image
* Comment
* Adding unit tests
* Fixed content item suffix
* Testing
* added start and complete command
* Updated desc
* add_time_to_events
* Added demo comments
* Added UTs for registration
* Added docstrings for unit tests
* Deleted aud
* Deleted test_data
* Added README
* Added RNs
* pre-commit
* CR fixes
* Removed ignore
* Fix YML
* Added type: ignore to where needed
* pylint errors
* Added docs to abstract class
* Moved to Keeper Security
* Deleted old integration
* Removed RNs
* Using keeper-security
* Add modeling rules
* Modified README file
* Updated docker tag
* Modified modeling rule
* Modified modeling rule
* Update KeeperSecurity.yml
* Added Keywords and Tags to pack's metadata

---------

Co-authored-by: samuelFain <[email protected]>
Co-authored-by: Yehonatan Asta <[email protected]>
1 parent 66735e8, commit 2936cf3. Showing 15 changed files with 1,954 additions and 0 deletions.
526 changes: 526 additions & 0 deletions
Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity.py
Large diffs are not rendered by default.
65 changes: 65 additions & 0 deletions
Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity.yml
@@ -0,0 +1,65 @@ | ||
category: Authentication & Identity Management | ||
sectionOrder: | ||
- Connect | ||
- Collect | ||
commonfields: | ||
id: KeeperSecurity | ||
version: -1 | ||
configuration: | ||
- defaultvalue: keepersecurity.com | ||
display: Server URL | ||
name: url | ||
required: true | ||
type: 0 | ||
section: Connect | ||
additionalinfo: The server URL. For more help, checkout the 'Server Regions' section in the description. | ||
- display: Username | ||
name: credentials | ||
defaultvalue: "" | ||
type: 9 | ||
required: true | ||
section: Connect | ||
displaypassword: Password | ||
- defaultvalue: "10000" | ||
display: Maximum number of Alerts to fetch. | ||
name: alerts_max_fetch | ||
type: 0 | ||
section: Collect | ||
- display: Trust any certificate (not secure) | ||
name: insecure | ||
type: 8 | ||
required: false | ||
section: Connect | ||
- display: Use system proxy settings | ||
name: proxy | ||
type: 8 | ||
required: false | ||
section: Connect | ||
description: Use this integration to fetch audit logs from Keeper Security Admin Console as XSIAM events. | ||
display: Keeper Security | ||
name: KeeperSecurity | ||
script: | ||
commands: | ||
- arguments: | ||
- description: The authorization code retrieved from user's email. | ||
name: code | ||
required: false | ||
description: "Use this command to complete the registration process." | ||
name: keeper-security-register-complete | ||
- description: "Use this command to start the registration process." | ||
name: keeper-security-register-start | ||
arguments: [] | ||
- description: Use this command to test the connectivity of the instance. | ||
name: keeper-security-register-test | ||
arguments: [] | ||
runonce: false | ||
isfetchevents: true | ||
script: '-' | ||
type: python | ||
subtype: python3 | ||
dockerimage: demisto/keepercommander:1.0.0.112259 | ||
fromversion: 6.8.0 | ||
marketplaces: | ||
- marketplacev2 | ||
tests: | ||
- No tests (auto formatted) |
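Review bot: the `code` argument of `keeper-security-register-complete` is a one-time authorization credential but is declared without `secret: true`, so the value a user pastes will be stored in clear text in the War Room and command history; consider marking it secret. In the `alerts_max_fetch` parameter there is no `required` key and no `additionalinfo`, and the `display` string carries a trailing period ("Maximum number of Alerts to fetch.") that the README then has to reproduce verbatim; drop the period and describe the parameter in `additionalinfo`. The `url` default `keepersecurity.com` has no scheme while the Server Regions list in the description file gives full `https://` URLs; state which form the parameter expects. Typo in `additionalinfo`: "checkout" should be "check out".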
32 changes: 32 additions & 0 deletions
Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_description.md
@@ -0,0 +1,32 @@ | ||
# Keeper Security Event Collector | ||
|
||
## Authentication | ||
|
||
Use basic authentication to communicate with the product. Supply your username and password of the account that you want to use. | ||
To create a new user: | ||
|
||
1. Log in in as admin in [Keeper Admin Console](https://keepersecurity.com/console/). | ||
2. Go to the **Admin** panel, found in the left side bar. | ||
3. Press on **Add User**, and complete the registration process. | ||
4. Once the user has been created, press on the **Edit** icon, and in the **User Actions** dropdown, click **Disable 2FA** (2FA is currently not supported). | ||
|
||
### Authentication Process | ||
|
||
In order to authenticate the configured user, the product uses a device registration process. In order to register a new device that will be used to authenticate the user, follow the following procedures: | ||
|
||
1. Run the **!keeper-security-register-start** command. | ||
2. If the account does **not** have a configured device, then an authorization code will be sent to the configured email address. | ||
3. Run the **!keeper-security-register-complete** command with the acquired authorization code. If the account already has a registered device, run the command without supplying any arguments. | ||
4. Run the command **!keeper-security-register-test** to test that everything is working fine. | ||
|
||
## Server Regions | ||
|
||
Use the URLs for the region that hosts your account: | ||
For more information, see the [Server Config File Options](https://docs.keeper.io/en/v/secrets-manager/commander-cli/commander-installation-setup/configuration#config-file-options) | ||
|
||
- US Instance: <https://keepersecurity.com> | ||
- EU Instance: <https://keepersecurity.eu> | ||
- AU Instance: <https://keepersecurity.com.au> | ||
- GOV Instance: <https://govcloud.keepersecurity.us> | ||
- CA Instance: <https://keepersecurity.ca> | ||
- JP Instance: <https://keepersecurity.jp> |
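Review bot: step 4 of the user-creation procedure tells the admin to disable 2FA on the collector account, which removes a control from an account that can read the whole audit trail; the text should at least call for a dedicated account used only by this integration, a strong unique password, and no admin permissions beyond what reading audit events requires, and say whether 2FA support is planned. The Authentication section opens with "Use basic authentication", but the Authentication Process section then describes device registration with an emailed code, so "basic authentication" is misleading; say the integration logs in with username and password and then registers a device. Grammar: "Log in in as admin" has a doubled "in", and "follow the following procedures" reads poorly (use "follow these steps"). In Server Regions the colon after "hosts your account:" is followed by the "For more information" sentence rather than by the list; move that sentence after the list or end it with a period.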
Binary file added (+2.84 KB): Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_image.png
1,063 changes: 1,063 additions & 0 deletions
Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_test.py
Large diffs are not rendered by default.
89 changes: 89 additions & 0 deletions
Packs/KeeperSecurity/Integrations/KeeperSecurity/README.md
@@ -0,0 +1,89 @@ | ||
Use this integration to fetch audit logs from Keeper Security Admin Console as XSIAM events. | ||
This integration was integrated and tested with version 16.11.8 of Keeper Commander. | ||
|
||
## Configure Keeper Secrets Manager Event Collector on Cortex XSOAR | ||
|
||
1. Navigate to **Settings** > **Integrations** > **Servers & Services**. | ||
2. Search for Keeper Secrets Manager Event Collector. | ||
3. Click **Add instance** to create and configure a new integration instance. | ||
|
||
| **Parameter** | **Description** | **Required** | | ||
| --- | --- | --- | | ||
| Server URL | The server URL. For more help, checkout the 'Server Regions' section in the description. | True | | ||
| Username | | True | | ||
| Password | | True | | ||
| Maximum number of Alerts to fetch. | The maximum number of Alert events to fetch. | | | ||
| Trust any certificate (not secure) | | False | | ||
| Use system proxy settings | | False | | ||
|
||
4. Click **Test** to validate the URLs, token, and connection. | ||
|
||
## Commands | ||
|
||
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. | ||
After you successfully execute a command, a DBot message appears in the War Room with the command details. | ||
|
||
### keeper-security-register-start | ||
|
||
*** | ||
Use this command to start the registration process. | ||
|
||
#### Base Command | ||
|
||
`keeper-security-register-start` | ||
|
||
#### Input | ||
|
||
There are no input arguments for this command. | ||
|
||
#### Context Output | ||
|
||
There is no context output for this command. | ||
|
||
#### Human Readable Output | ||
|
||
>Code was sent successfully to the user's email | ||
### keeper-security-register-complete | ||
|
||
*** | ||
Use this command to complete the registration process. | ||
|
||
#### Base Command | ||
|
||
`keeper-security-register-complete` | ||
|
||
#### Input | ||
|
||
| **Argument Name** | **Description** | **Required** | | ||
| --- | --- | --- | | ||
| code | The authorization code retrieved from user's email. | Optional | | ||
|
||
#### Context Output | ||
|
||
There is no context output for this command. | ||
|
||
#### Human Readable Output | ||
|
||
>Login completed | ||
### keeper-security-register-test | ||
|
||
*** | ||
Use this command to test the connectivity of the instance. | ||
|
||
#### Base Command | ||
|
||
`keeper-security-register-test` | ||
|
||
#### Input | ||
|
||
There is no context output for this command. | ||
|
||
#### Context Output | ||
|
||
There is no context output for this command. | ||
|
||
#### Human Readable Output | ||
|
||
>Successful connection |
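Review bot: under `### keeper-security-register-test` the `#### Input` section says "There is no context output for this command.", a copy-paste slip; it should read "There are no input arguments for this command." as in the other two commands. Step 4 of the configure section says Test validates "the URLs, token, and connection", but there is no token parameter and, per the description file, Test can only succeed after `keeper-security-register-start` and `keeper-security-register-complete` have been run; say so here. The heading "Configure Keeper Secrets Manager Event Collector" and the search hint in step 2 use a different name from the integration's display name "Keeper Security", and the Username and Password rows of the parameter table have empty Description cells. Same typo as in the YAML: "checkout" should be "check out".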
24 changes: 24 additions & 0 deletions
Packs/KeeperSecurity/ModelingRules/KeeperSecurity/KeeperSecurity.xif
@@ -0,0 +1,24 @@ | ||
[MODEL: dataset = "keeper_security_raw"] | ||
alter | ||
xdm.event.type = audit_event_type, | ||
xdm.event.id = to_string(id), | ||
xdm.source.ipv4 = if(ip_address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", ip_address, null), | ||
xdm.source.ipv6 = if(ip_address ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", ip_address, null), | ||
xdm.source.user.username = username, | ||
xdm.source.user.ou = to_string(node_id), | ||
xdm.intermediate.user.username = from_username, | ||
xdm.target.user.username = if(lowercase(audit_event_type) in ("delete_pending_user", "auto_invite_user", "delete_user", "send_invitation"), email, coalesce(to_username, recipient)), | ||
xdm.target.user.upn = email, | ||
xdm.observer.type = arrayindex(regextract(keeper_version, "([^\d]+)\s\d"), 0), | ||
xdm.observer.version = arrayindex(regextract(keeper_version, "\s([\d\.]+)"), 0), | ||
xdm.target.file.file_type = file_format, | ||
xdm.target.file.directory = folder_uid, | ||
xdm.target.file.filename = attachment_id, | ||
xdm.source.host.device_model = device_name, | ||
xdm.target.resource.id = coalesce(record_uid, node, role_id, team_uid, shared_folder_uid, plan, secret_uid, gateway_uid), | ||
xdm.target.resource.value = value, | ||
xdm.target.resource.type = enforcement, | ||
xdm.target.resource.name = coalesce(email_domain, report_name, name), | ||
xdm.event.outcome = if(lowercase(result_code) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(result_code) contains "succ", XDM_CONST.OUTCOME_SUCCESS, null), | ||
xdm.event.outcome_reason = result_code, | ||
xdm.network.application_protocol = protocol; |
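Review bot: both IP regexes in the `xdm.source.ipv4` and `xdm.source.ipv6` assignments are unanchored and over-permissive. The IPv4 pattern accepts octets up to 999, and the IPv6 pattern `[a-fA-F0-9\:]{1,5}` repeated eight times matches any run of 8 to 40 hex digits and colons, including strings with no colon at all, so a hex-looking token in `ip_address` would be written to `xdm.source.ipv6`. Anchor both with `^...$`, and for IPv6 require at least one colon, for example `^[a-fA-F0-9:]*:[a-fA-F0-9:]*$`. Separately, `xdm.target.user.upn = email` is assigned unconditionally while `email` is used as the target username only for the four invite/delete event types; confirm that `email` always carries the target user's address and not the acting user's. Minor: `xdm.event.outcome` is null for any `result_code` that contains neither "fail" nor "succ"; listing the known codes in a comment would make the mapping auditable.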
6 changes: 6 additions & 0 deletions
Packs/KeeperSecurity/ModelingRules/KeeperSecurity/KeeperSecurity.yml
@@ -0,0 +1,6 @@ | ||
fromversion: 8.5.0 | ||
id: Keeper_Security_ModelingRule | ||
name: Keeper Security Modeling Rule | ||
rules: '' | ||
schema: '' | ||
tags: '' |
120 changes: 120 additions & 0 deletions
Packs/KeeperSecurity/ModelingRules/KeeperSecurity/KeeperSecurity_schema.json
@@ -0,0 +1,120 @@ | ||
{ | ||
"keeper_security_raw": { | ||
"audit_event_type": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"id": { | ||
"type": "int", | ||
"is_array": false | ||
}, | ||
"ip_address": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"username": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"node_id": { | ||
"type": "int", | ||
"is_array": false | ||
}, | ||
"from_username": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"email": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"to_username": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"recipient": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"keeper_version": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"file_format": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"folder_uid": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"attachment_id": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"device_name": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"record_uid": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"node": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"role_id": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"team_uid": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"shared_folder_uid": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"plan": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"gateway_uid": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"value": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"enforcement": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"email_domain": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"secret_uid": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"report_name": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"name": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"result_code": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"protocol": { | ||
"type": "string", | ||
"is_array": false | ||
} | ||
} | ||
} |
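Review bot: `role_id` is declared as `string` while `node_id` is `int`; the modeling rule passes `role_id` to `coalesce(record_uid, node, role_id, ...)` together with string fields, so the declared type has to match what the raw events actually carry or the rule fails when applied; confirm against a sample event and, if it is numeric, wrap it in `to_string()` in the `.xif` as is done for `node_id`. Every field referenced by the `.xif` is present here, so there is no missing-column problem.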
@@ -0,0 +1,10 @@ | ||
<~XSIAM> | ||
|
||
This pack provides access to Keeper Security Admin Console that is used to track and manage multiple Keeper Security products. | ||
|
||
## What does this pack do? | ||
|
||
- Fetches audit logs from Keeper Security Admin Console as XSIAM events. | ||
- Log Normalization - XDM mapping for key event types. | ||
|
||
</~XSIAM> |
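Review bot: the first paragraph says the pack "provides access to Keeper Security Admin Console" for tracking and managing products, but the pack contains only an event collector and a modeling rule; say that it collects audit events so users do not expect management commands. The device-registration prerequisite (and the current lack of 2FA support) from the integration description is worth one sentence here as well, since this README is what a user sees before installing.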
@@ -0,0 +1,19 @@ | ||
{ | ||
"name": "Keeper Security", | ||
"description": "Use Keeper Security to manage and extract data regarding your Keeper Security products.", | ||
"support": "xsoar", | ||
"currentVersion": "1.0.0", | ||
"author": "Cortex XSOAR", | ||
"url": "https://www.paloaltonetworks.com/cortex", | ||
"email": "", | ||
"categories": [ | ||
"Authentication & Identity Management" | ||
], | ||
"tags": ["Security"], | ||
"useCases": [], | ||
"keywords": ["keeper", "security", "secret"], | ||
"marketplaces": [ | ||
"xsoar", | ||
"marketplacev2" | ||
] | ||
} |
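Review bot: `description` says "manage and extract data regarding your Keeper Security products", but the pack has no management commands, only audit-log collection and XDM mapping; reword to match the integration's own description ("fetch audit logs from Keeper Security Admin Console as XSIAM events"). `useCases` is empty; if the marketplace listing is meant to surface this under a use case, add one.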