Keeper Secrets Manager Event Collector (demisto#35107)
* Init integration

* Moved to right path

* CR fixes

* Deleted files

* Deleted comments

* Dummy

* Trying out SDK

* Stash changes

* Don't throw error

* Deleted if statement

* Added authentication and fetch

* Organized code

* Added docs, refresh token, updated fetch events

* Updated image

* Comment

* Adding unit tests

* Fixed content item suffix

* Testing

* added start and complete command

* Updated desc

* add_time_to_events

* Added demo comments

* Added UTs for registration

* Added docstrings for unit tests

* Deleted aud

* Deleted test_data

* Added README

* Added RNs

* pre-commit

* CR fixes

* Removed ignore

* Fix YML

* Added type: ignore to where needed

* pylint errors

* Added docs to abstract class

* Moved to Keeper Security

* Deleted old integration

* Removed RNs

* Using keeper-security

* Add modeling rules

* Modified README file

* Updated docker tag

* Modified modeling rule

* Modified modeling rule

* Update KeeperSecurity.yml

* Added Keywords and Tags to pack's metadata

---------

Co-authored-by: samuelFain <[email protected]>
Co-authored-by: Yehonatan Asta <[email protected]>
3 people authored Sep 23, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent 66735e8 commit 2936cf3
Showing 15 changed files with 1,954 additions and 0 deletions.
Empty file.
Empty file.
Binary file added Packs/KeeperSecurity/Author_image.png
526 changes: 526 additions & 0 deletions Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity.py

Large diffs are not rendered by default.

@@ -0,0 +1,65 @@
category: Authentication & Identity Management
sectionOrder:
- Connect
- Collect
commonfields:
id: KeeperSecurity
version: -1
configuration:
- defaultvalue: keepersecurity.com
display: Server URL
name: url
required: true
type: 0
section: Connect
additionalinfo: The server URL. For more help, checkout the 'Server Regions' section in the description.
- display: Username
name: credentials
defaultvalue: ""
type: 9
required: true
section: Connect
displaypassword: Password
- defaultvalue: "10000"
display: Maximum number of Alerts to fetch.
name: alerts_max_fetch
type: 0
section: Collect
- display: Trust any certificate (not secure)
name: insecure
type: 8
required: false
section: Connect
- display: Use system proxy settings
name: proxy
type: 8
required: false
section: Connect
description: Use this integration to fetch audit logs from Keeper Security Admin Console as XSIAM events.
display: Keeper Security
name: KeeperSecurity
script:
commands:
- arguments:
- description: The authorization code retrieved from user's email.
name: code
required: false
description: "Use this command to complete the registration process."
name: keeper-security-register-complete
- description: "Use this command to start the registration process."
name: keeper-security-register-start
arguments: []
- description: Use this command to test the connectivity of the instance.
name: keeper-security-register-test
arguments: []
runonce: false
isfetchevents: true
script: '-'
type: python
subtype: python3
dockerimage: demisto/keepercommander:1.0.0.112259
fromversion: 6.8.0
marketplaces:
- marketplacev2
tests:
- No tests (auto formatted)
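Review bot: `alerts_max_fetch` is the only configuration entry without a `required` key, and the `url` default `keepersecurity.com` carries no scheme while the Server Regions list in the description gives `https://` URLs; add `required: false` for consistency with the `insecure` and `proxy` entries, and either set the default to `https://keepersecurity.com` or say in `additionalinfo` that a bare host name is expected. Minor: `checkout` in that `additionalinfo` should be `check out`, and the display text `Maximum number of Alerts to fetch.` is the only display string ending in a period.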
@@ -0,0 +1,32 @@
# Keeper Security Event Collector

## Authentication

Use basic authentication to communicate with the product. Supply your username and password of the account that you want to use.
To create a new user:

1. Log in in as admin in [Keeper Admin Console](https://keepersecurity.com/console/).
2. Go to the **Admin** panel, found in the left side bar.
3. Press on **Add User**, and complete the registration process.
4. Once the user has been created, press on the **Edit** icon, and in the **User Actions** dropdown, click **Disable 2FA** (2FA is currently not supported).

### Authentication Process

In order to authenticate the configured user, the product uses a device registration process. In order to register a new device that will be used to authenticate the user, follow the following procedures:

1. Run the **!keeper-security-register-start** command.
2. If the account does **not** have a configured device, then an authorization code will be sent to the configured email address.
3. Run the **!keeper-security-register-complete** command with the acquired authorization code. If the account already has a registered device, run the command without supplying any arguments.
4. Run the command **!keeper-security-register-test** to test that everything is working fine.

## Server Regions

Use the URLs for the region that hosts your account:
For more information, see the [Server Config File Options](https://docs.keeper.io/en/v/secrets-manager/commander-cli/commander-installation-setup/configuration#config-file-options)

- US Instance: <https://keepersecurity.com>
- EU Instance: <https://keepersecurity.eu>
- AU Instance: <https://keepersecurity.com.au>
- GOV Instance: <https://govcloud.keepersecurity.us>
- CA Instance: <https://keepersecurity.ca>
- JP Instance: <https://keepersecurity.jp>
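Review bot: step 4 of the user-creation procedure tells the admin to disable 2FA on the collector account, but the text never states which Keeper role or permissions that account needs; since a password-only credential is the weakest link in this setup, add a sentence naming the minimum role required to read audit events and recommending a dedicated account used by this integration alone. Minor: step 1 reads "Log in in as admin" (doubled "in"), and the two consecutive "In order to" clauses under Authentication Process should be collapsed into one sentence.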
1,063 changes: 1,063 additions & 0 deletions Packs/KeeperSecurity/Integrations/KeeperSecurity/KeeperSecurity_test.py

Large diffs are not rendered by default.

89 changes: 89 additions & 0 deletions Packs/KeeperSecurity/Integrations/KeeperSecurity/README.md
@@ -0,0 +1,89 @@
Use this integration to fetch audit logs from Keeper Security Admin Console as XSIAM events.
This integration was integrated and tested with version 16.11.8 of Keeper Commander.

## Configure Keeper Secrets Manager Event Collector on Cortex XSOAR

1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
2. Search for Keeper Secrets Manager Event Collector.
3. Click **Add instance** to create and configure a new integration instance.

| **Parameter** | **Description** | **Required** |
| --- | --- | --- |
| Server URL | The server URL. For more help, checkout the 'Server Regions' section in the description. | True |
| Username | | True |
| Password | | True |
| Maximum number of Alerts to fetch. | The maximum number of Alert events to fetch. | |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

4. Click **Test** to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

### keeper-security-register-start

***
Use this command to start the registration process.

#### Base Command

`keeper-security-register-start`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Human Readable Output

>Code was sent successfully to the user's email
### keeper-security-register-complete

***
Use this command to complete the registration process.

#### Base Command

`keeper-security-register-complete`

#### Input

| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| code | The authorization code retrieved from user's email. | Optional |

#### Context Output

There is no context output for this command.

#### Human Readable Output

>Login completed
### keeper-security-register-test

***
Use this command to test the connectivity of the instance.

#### Base Command

`keeper-security-register-test`

#### Input

There is no context output for this command.

#### Context Output

There is no context output for this command.

#### Human Readable Output

>Successful connection
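Review bot: under `keeper-security-register-test` the Input section repeats "There is no context output for this command." where it should read "There are no input arguments for this command." as in the register-start section. Step 4 of the configuration steps says Test validates "the URLs, token, and connection", but the integration has no token parameter and the description directs users to `!keeper-security-register-test` for connectivity checks; align that sentence with the YAML. The heading "Configure Keeper Secrets Manager Event Collector on Cortex XSOAR" also does not match the YAML `display` name "Keeper Security".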
Empty file.
@@ -0,0 +1,24 @@
[MODEL: dataset = "keeper_security_raw"]
alter
xdm.event.type = audit_event_type,
xdm.event.id = to_string(id),
xdm.source.ipv4 = if(ip_address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", ip_address, null),
xdm.source.ipv6 = if(ip_address ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", ip_address, null),
xdm.source.user.username = username,
xdm.source.user.ou = to_string(node_id),
xdm.intermediate.user.username = from_username,
xdm.target.user.username = if(lowercase(audit_event_type) in ("delete_pending_user", "auto_invite_user", "delete_user", "send_invitation"), email, coalesce(to_username, recipient)),
xdm.target.user.upn = email,
xdm.observer.type = arrayindex(regextract(keeper_version, "([^\d]+)\s\d"), 0),
xdm.observer.version = arrayindex(regextract(keeper_version, "\s([\d\.]+)"), 0),
xdm.target.file.file_type = file_format,
xdm.target.file.directory = folder_uid,
xdm.target.file.filename = attachment_id,
xdm.source.host.device_model = device_name,
xdm.target.resource.id = coalesce(record_uid, node, role_id, team_uid, shared_folder_uid, plan, secret_uid, gateway_uid),
xdm.target.resource.value = value,
xdm.target.resource.type = enforcement,
xdm.target.resource.name = coalesce(email_domain, report_name, name),
xdm.event.outcome = if(lowercase(result_code) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(result_code) contains "succ", XDM_CONST.OUTCOME_SUCCESS, null),
xdm.event.outcome_reason = result_code,
xdm.network.application_protocol = protocol;
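Review bot: the `xdm.source.ipv6` test on `ip_address` accepts any run of 8 to 40 hex digits or colons, so the loopback address `::1` (three characters) is rejected while an eight-character hex string that is not an address at all is mapped as a source IPv6; the `xdm.source.ipv4` pattern is likewise unanchored, so a value such as `1234.5.6.789` passes. Anchor both patterns and use a colon-group expression for IPv6, for example `^([a-fA-F0-9]{0,4}:){2,7}[a-fA-F0-9]{0,4}$`, so that malformed values fall through to `null` instead of polluting the source-address fields that detections key on.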
@@ -0,0 +1,6 @@
fromversion: 8.5.0
id: Keeper_Security_ModelingRule
name: Keeper Security Modeling Rule
rules: ''
schema: ''
tags: ''
@@ -0,0 +1,120 @@
{
"keeper_security_raw": {
"audit_event_type": {
"type": "string",
"is_array": false
},
"id": {
"type": "int",
"is_array": false
},
"ip_address": {
"type": "string",
"is_array": false
},
"username": {
"type": "string",
"is_array": false
},
"node_id": {
"type": "int",
"is_array": false
},
"from_username": {
"type": "string",
"is_array": false
},
"email": {
"type": "string",
"is_array": false
},
"to_username": {
"type": "string",
"is_array": false
},
"recipient": {
"type": "string",
"is_array": false
},
"keeper_version": {
"type": "string",
"is_array": false
},
"file_format": {
"type": "string",
"is_array": false
},
"folder_uid": {
"type": "string",
"is_array": false
},
"attachment_id": {
"type": "string",
"is_array": false
},
"device_name": {
"type": "string",
"is_array": false
},
"record_uid": {
"type": "string",
"is_array": false
},
"node": {
"type": "string",
"is_array": false
},
"role_id": {
"type": "string",
"is_array": false
},
"team_uid": {
"type": "string",
"is_array": false
},
"shared_folder_uid": {
"type": "string",
"is_array": false
},
"plan": {
"type": "string",
"is_array": false
},
"gateway_uid": {
"type": "string",
"is_array": false
},
"value": {
"type": "string",
"is_array": false
},
"enforcement": {
"type": "string",
"is_array": false
},
"email_domain": {
"type": "string",
"is_array": false
},
"secret_uid": {
"type": "string",
"is_array": false
},
"report_name": {
"type": "string",
"is_array": false
},
"name": {
"type": "string",
"is_array": false
},
"result_code": {
"type": "string",
"is_array": false
},
"protocol": {
"type": "string",
"is_array": false
}
}
}
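Review bot: every field the modeling rule references is declared here, but the schema declares no time field and the rule maps no `xdm.event.timestamp`; since the commit message lists "add_time_to_events", confirm that the collector sets `_time` on every event before ingestion, otherwise events are stamped with ingestion time rather than the audit event time. Also `id` and `node_id` are typed `int` while `role_id`, `team_uid` and the other identifiers are `string`; the rule's `to_string(id)` and `to_string(node_id)` agree with that, so a one-line comment in the rule noting the numeric source types would save the next reader from questioning the casts.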
10 changes: 10 additions & 0 deletions Packs/KeeperSecurity/README.md
@@ -0,0 +1,10 @@
<~XSIAM>

This pack provides access to Keeper Security Admin Console that is used to track and manage multiple Keeper Security products.

## What does this pack do?

- Fetches audit logs from Keeper Security Admin Console as XSIAM events.
- Log Normalization - XDM mapping for key event types.

</~XSIAM>
19 changes: 19 additions & 0 deletions Packs/KeeperSecurity/pack_metadata.json
@@ -0,0 +1,19 @@
{
"name": "Keeper Security",
"description": "Use Keeper Security to manage and extract data regarding your Keeper Security products.",
"support": "xsoar",
"currentVersion": "1.0.0",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
"categories": [
"Authentication & Identity Management"
],
"tags": ["Security"],
"useCases": [],
"keywords": ["keeper", "security", "secret"],
"marketplaces": [
"xsoar",
"marketplacev2"
]
}
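Review bot: `marketplaces` lists both `xsoar` and `marketplacev2`, but the integration YAML restricts itself to `marketplacev2` and the pack README is wrapped entirely in `<~XSIAM>`; drop `xsoar` here or add XSOAR-facing content, otherwise the pack is listed in the XSOAR marketplace with nothing installable. The `description` ("manage and extract data regarding your Keeper Security products") also overstates a collector that only fetches audit logs; the YAML's own description sentence is the accurate one.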

0 comments on commit 2936cf3