Cyberark PTA Mapping (demisto#30295)

* Updated ModelingRules * Updated secrets * Updated yml * Update Packs/CyberArk_Privileged_Threat_Analytics/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Update Packs/CyberArk_Privileged_Threat_Analytics/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Update Packs/CyberArk_Privileged_Threat_Analytics/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Updated yml * Updated README * Updated Beta Note * Updated ModelingRules * Updated README --------- Co-authored-by: ShirleyDenkberg <[email protected]>
SEKOIA-IO · Oct 23, 2023 · 727eff9 · 727eff9
1 parent 91f3267
commit 727eff9
Show file tree

Hide file tree

Showing 7 changed files with 157 additions and 0 deletions.
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/.pack-ignore b/Packs/CyberArk_Privileged_Threat_Analytics/.pack-ignore
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/.secrets-ignore b/Packs/CyberArk_Privileged_Threat_Analytics/.secrets-ignore
@@ -0,0 +1 @@
+https://docs.cyberark.com
diff --git a/...delingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.xif b/...delingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.xif
@@ -0,0 +1,28 @@
+[MODEL: dataset = "cyberark_pta_raw"]
+// This is a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields.
+// Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs.
+// We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve.
+alter
+	src_ip_v4 = if(src !~= ":", src, null),
+    src_ip_v6 = if(src ~= ":", src, null),
+	tar_ip_v4 = if(dst !~= ":", dst, null),
+    tar_ip_v6 = if(dst ~= ":", dst, null)
+| alter	
+	xdm.source.ipv4 = src_ip_v4,
+	xdm.source.ipv6 = src_ip_v6,
+	xdm.target.ipv4 = tar_ip_v4,
+	xdm.target.ipv6 = tar_ip_v6,
+	xdm.source.user.user_type = if(suser ~= "@", XDM_CONST.USER_TYPE_REGULAR, suser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
+	xdm.target.user.user_type = if(duser ~= "@", XDM_CONST.USER_TYPE_REGULAR, duser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
+	xdm.event.description = cs1,
+	xdm.alert.original_alert_id = cs2,
+	xdm.observer.unique_identifier = cs3,
+	xdm.intermediate.application.name = cs4,
+	xdm.event.operation_sub_type = cs5,
+	xdm.target.host.hostname = dhost,
+	xdm.target.user.username = duser,
+	xdm.source.host.hostname = shost,
+	xdm.source.user.username = suser,
+	xdm.event.type = cefName,
+	xdm.alert.severity = cefSeverity,
+	xdm.event.id = cefDeviceEventClassId;
diff --git a/...delingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.yml b/...delingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.yml
@@ -0,0 +1,6 @@
+fromversion: 8.2.0
+id: CyberArk_PTA_ModelingRule
+name: CyberArk PTA Modeling Rule
+rules: ''
+schema: ''
+tags: ''
diff --git a/...les/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics_schema.json b/...les/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics_schema.json
@@ -0,0 +1,60 @@
+{
+    "cyberark_pta_raw": {
+          "src": {
+            "type": "string",
+            "is_array": false
+          },
+          "dst": {
+            "type": "string",
+            "is_array": false
+          },
+          "cs1": {
+            "type": "string",
+            "is_array": false
+          },
+          "cs2": {
+            "type": "string",
+            "is_array": false
+          },      
+          "cs3": {
+            "type": "string",
+            "is_array": false
+          },
+          "cs4": {
+            "type": "string",
+            "is_array": false
+          },
+          "cs5": {
+            "type": "string",
+            "is_array": false
+          },
+          "dhost": {
+            "type": "string",
+            "is_array": false
+          },
+          "duser": {
+            "type": "string",
+            "is_array": false
+          },
+          "shost": {
+            "type": "string",
+            "is_array": false
+          },
+          "suser": {
+            "type": "string",
+            "is_array": false
+          },
+          "cefName": {
+            "type": "string",
+            "is_array": false
+          },      
+          "cefSeverity": {
+            "type": "string",
+            "is_array": false
+          },
+          "cefDeviceEventClassId": {
+            "type": "string",
+            "is_array": false
+          }
+    }
+}                
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/README.md b/Packs/CyberArk_Privileged_Threat_Analytics/README.md
@@ -0,0 +1,44 @@
+# CyberArk Privileged Threat Analytics
+
+<~XSIAM>
+
+This pack includes Cortex XSIAM content.
+
+This pack contains a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields.
+Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs.
+We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve. 
+
+## Configuration on Server Side
+You need to configure CyberArk Privileged Threat Analytics (PTA) to forward Syslog messages in CEF format.
+
+Access your Cyberark PTA machine and follow these instructions [Product Documentation](https://docs.cyberark.com/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm):
+1. On the PTA machine, open the default **systemparm.properties** file using the ***DEFAULTPARM*** command.
+2. Copy the line containing the **syslog_outbound** property, and exit the file.
+3. Open the local **systemparm.properties** file using the ***LOCALPARM*** command.
+4. Press **i** to edit the file.
+5. Paste the line you copied, uncomment the **syslog_outbound** property and edit the parameters. Use the following as a guide.
+   * format - CEF.
+   * protocol - UDP.
+   * siem - Assign a name to your configuration.
+   * host - Write the dedicated hostname or IP address.
+   * port - Write the dedicated port number.
+   * syslogType - RFC5424.
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**.
+2. Go to the **Apps** column under the **Brokers** tab and add the **Syslog Collector** app for the relevant broker instance. If the app already exists, hover over it and click **Configure**.
+3. Click **Add New** for adding a new syslog data source.
+4. When configuring the new syslog data source, set the following values:
+   | Parameter     | Value   
+   | :---          | :---        
+   | `Vendor`      | Enter **cyberark**.
+   | `Product`     | Enter **pta**.
+
+</~XSIAM>
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/pack_metadata.json b/Packs/CyberArk_Privileged_Threat_Analytics/pack_metadata.json
@@ -0,0 +1,18 @@
+{
+    "name": "CyberArk Privileged Threat Analytics",
+    "description": "CyberArk Privileged Threat Analytics (PTA) leverages the analytic capabilities of PTA and assigns a risk score to privileged sessions.",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM"
+    ],
+    "tags": [],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}