Updated PTA documentation, and updated rulebooks.

cyberark · May 18, 2023 · f70a0df · f70a0df
1 parent b7e2d1a
commit f70a0df
Show file tree

Hide file tree

Showing 6 changed files with 109 additions and 4 deletions.
diff --git a/docs/cyberark_eda.md b/docs/cyberark_eda.md
@@ -141,6 +141,7 @@ SyslogServerIP=<INSERT RSYSLOG IP HERE>
 SyslogServerPort=1514
 SyslogServerProtocol=UDP
 ```
+
 ![Sample rulebook](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/eda_disable_user_syslog.png?raw=true)
 
 
@@ -156,3 +157,5 @@ In the PTA server's local systemparm.properties file have a line with:
 ```
 syslog_outbound=[{\"siem\": \"SIEM\", \"format\": \"CEF\", \"host\": \"ANSIBLE_EDA_SERVER\", \"port\": << PORT FOR THE ANSIBLE EVENT-SOURCE EDA PLUGIN >>, \"protocol\": \"UDP\"}]
 ```
+
+![Sample rulebook](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/eda_pta_disable_user_syslog.png?raw=true)
diff --git a/docs/images/eda_pta_disable_user_syslog.png b/docs/images/eda_pta_disable_user_syslog.png
diff --git a/rulebooks/cyberark_test_rule.yml b/rulebooks/cyberark_test_rule.yml
@@ -5,22 +5,21 @@
         host: 0.0.0.0 
         port: 1514
   rules:
-
     - name: Check For User Suspension Event, Then Disable The User and Notify
       condition: event.cyberark.syslog.audit_record.Severity == "Error" and event.cyberark.syslog.audit_record.MessageID == "5"
       action:
         run_playbook:
-          name: ../../../cyberark/pas/tests/disable_user.yml
+          name: disable_user.yml
           extra_vars:
             username: "{{ event.cyberark.syslog.audit_record.Issuer }}"  
-
     - name: Check For PTA irregular IP OR irregular Hours Access and Notify
       condition: event.cyberark.DeviceEventClassID == "25" or event.cyberark.DeviceEventClassID == "23"
       action:
         run_playbook:
-          name: pta_notify.yml
+          name: pta_disable_notify.yml
           extra_vars:
             username: "{{ event.cyberark.suser }}"
+            #username: "{{ event.cyberark.suser | ansible.builtin.regex_search('^[a-zA-Z0-9_]+') }}"
             eventname: "{{ event.cyberark.DeviceName }}"
             eventurl: "{{ event.cyberark.PTALink }}"
             station: "{{ event.cyberark.shost }}"
diff --git a/rulebooks/disable_user.yml b/rulebooks/disable_user.yml
@@ -0,0 +1,42 @@
+---
+- hosts: all
+  connection: local
+
+  collections:
+    - cyberark.pas
+
+  tasks:
+
+    - name: Logon to CyberArk Vault using PAS Web Services SDK
+      cyberark_authentication:
+        api_base_url: "https://BASE_URL"
+        validate_certs: false
+        username: "USERNAME"
+        password: "PASSWORD"
+
+    - name: Disabling a CyberArk User
+      cyberark_user:
+        username: "{{ username }}" #this is password from the running yml when condition is met
+        disabled: true
+        cyberark_session: "{{ cyberark_session }}"
+      register: cyberarkaction
+
+    - name: Debug message
+      debug:
+        var: cyberarkaction
+
+    - name: Logoff from CyberArk Vault
+      cyberark_authentication:
+        state: absent
+        cyberark_session: "{{ cyberark_session }}"
+
+    - name: Sending an e-mail using Gmail SMTP servers
+      community.general.mail:
+        host: SMTPSERVER
+        port: PORT
+        username: [email protected]
+        password: password
+        to: First Last <[email protected]>
+        subject: Ansible-Rulebook Report
+        body: Ansible Rulebook disabled Cyberark user '{{ username }}' due to too many login attempts.
+      delegate_to: localhost
diff --git a/rulebooks/pta_disable_notify.yml b/rulebooks/pta_disable_notify.yml
@@ -0,0 +1,42 @@
+---
+- hosts: all
+  connection: local
+
+  collections:
+    - cyberark.pas
+
+  tasks:
+
+    - name: Logon to CyberArk Vault using PAS Web Services SDK
+      cyberark_authentication:
+        api_base_url: "https://BASE_URL"
+        validate_certs: false
+        username: "USERNAME"
+        password: "PASSWORD"
+
+    - name: Disabling a CyberArk User
+      cyberark_user:
+        username: "{{ username | regex_search('.+?(?=\\()') }}"   #more optimal handle user case like [email protected](Vault user) match up to ( char
+        disabled: true
+        cyberark_session: "{{ cyberark_session }}"
+      register: cyberarkaction
+
+    - name: Debug message
+      debug:
+        var: cyberarkaction
+
+    - name: Logoff from CyberArk Vault
+      cyberark_authentication:
+        state: absent
+        cyberark_session: "{{ cyberark_session }}"
+
+    - name: Sending an e-mail using Gmail SMTP servers
+      community.general.mail:
+        host: SMTPSERVER
+        port: PORT
+        username: [email protected]
+        password: password
+        to: First Last <[email protected]>
+        subject: Ansible-Rulebook Report
+        body: Ansible Rulebook notify of PTA Event {{ username  }} -  {{ eventname }} -  from host {{ station }} -  For more info please visit - {{ eventurl }} -  user disabled!
+      delegate_to: localhost
diff --git a/rulebooks/pta_notify.yml b/rulebooks/pta_notify.yml
@@ -0,0 +1,19 @@
+---
+- hosts: all
+  connection: local
+
+  collections:
+    - cyberark.pas
+
+  tasks:
+
+    - name: Sending an e-mail using Gmail SMTP servers
+      community.general.mail:
+        host: SMTPSERVER
+        port: PORT
+        username: [email protected]
+        password: password
+        to: First Last <[email protected]>
+        subject: Ansible-Rulebook Report
+        body: Ansible Rulebook notify of PTA Event '{{ username | ansible.builtin.regex_search('^[a-zA-Z0-9_]+') }}'   '{{ eventname }}'  from host '{{ station }}'   For more info please visit - '{{ eventurl }}'
+      delegate_to: localhost