Skip to content

Commit

Permalink
Cyberark Privileged Access Security module (backport #24803) (#25156)
Browse files Browse the repository at this point in the history 
This PR adds a new module, cyberarkpas, to ingest Privileged Access Security audit logs from Vault via syslog.

(cherry picked from commit 2d51864)
  • Loading branch information
@mergify
mergify[bot] authored Apr 20, 2021
1 parent 2f4b0ce commit 994c6a5
Show file tree
Hide file tree
Showing 173 changed files with 24,967 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636]
- Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
- Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041]
- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]

*Heartbeat*

Expand Down
263 changes: 263 additions & 0 deletions filebeat/docs/fields.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ grouped in the following categories:
* <<exported-fields-coredns>>
* <<exported-fields-crowdstrike>>
* <<exported-fields-cyberark>>
* <<exported-fields-cyberarkpas>>
* <<exported-fields-cylance>>
* <<exported-fields-docker-processor>>
* <<exported-fields-ecs>>
Expand Down Expand Up @@ -34079,6 +34080,268 @@ type: keyword

--

[[exported-fields-cyberarkpas]]
== CyberArk PAS fields

cyberarkpas fields.




[float]
=== audit

Cyberark Privileged Access Security Audit fields.



*`cyberarkpas.audit.action`*::
+
--
A description of the audit record.

type: keyword

--

*`cyberarkpas.audit.ca_properties`*::
+
--
Account metadata.

type: flattened

--

*`cyberarkpas.audit.category`*::
+
--
The category name (for category-related operations).

type: keyword

--

*`cyberarkpas.audit.desc`*::
+
--
A static value that displays a description of the audit codes.

type: keyword

--

*`cyberarkpas.audit.extra_details`*::
+
--
Specific extra details of the audit records.

type: flattened

--

*`cyberarkpas.audit.file`*::
+
--
The name of the target file.

type: keyword

--

*`cyberarkpas.audit.gateway_station`*::
+
--
The IP of the web application machine (PVWA).

type: ip

--

*`cyberarkpas.audit.hostname`*::
+
--
The hostname, in upper case.

type: keyword

example: MY-COMPUTER

--

*`cyberarkpas.audit.iso_timestamp`*::
+
--
The timestamp, in ISO Timestamp format (RFC 3339).

type: date

example: 2013-06-25 10:47:19+00:00

--

*`cyberarkpas.audit.issuer`*::
+
--
The Vault user who wrote the audit. This is usually the user who performed the operation.

type: keyword

--

*`cyberarkpas.audit.location`*::
+
--
The target Location (for Location operations).

type: keyword

Field is not indexed.

--

*`cyberarkpas.audit.message`*::
+
--
A description of the audit records (same information as in the Desc field).

type: keyword

--

*`cyberarkpas.audit.message_id`*::
+
--
The code ID of the audit records.

type: keyword

--

*`cyberarkpas.audit.product`*::
+
--
A static value that represents the product.

type: keyword

--

*`cyberarkpas.audit.pvwa_details`*::
+
--
Specific details of the PVWA audit records.

type: flattened

--

*`cyberarkpas.audit.raw`*::
+
--
Raw XML for the original audit record. Only present when XSLT file has debugging enabled.


type: keyword

Field is not indexed.

--

*`cyberarkpas.audit.reason`*::
+
--
The reason entered by the user.

type: text

--

*`cyberarkpas.audit.rfc5424`*::
+
--
Whether the syslog format complies with RFC5424.

type: boolean

example: True

--

*`cyberarkpas.audit.safe`*::
+
--
The name of the target Safe.

type: keyword

--

*`cyberarkpas.audit.severity`*::
+
--
The severity of the audit records.

type: keyword

--

*`cyberarkpas.audit.source_user`*::
+
--
The name of the Vault user who performed the operation.

type: keyword

--

*`cyberarkpas.audit.station`*::
+
--
The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.

type: ip

--

*`cyberarkpas.audit.target_user`*::
+
--
The name of the Vault user on which the operation was performed.

type: keyword

--

*`cyberarkpas.audit.timestamp`*::
+
--
The timestamp, in MMM DD HH:MM:SS format.

type: keyword

example: Jun 25 10:47:19

--

*`cyberarkpas.audit.vendor`*::
+
--
A static value that represents the vendor.

type: keyword

--

*`cyberarkpas.audit.version`*::
+
--
A static value that represents the version of the Vault.

type: keyword

--

[[exported-fields-cylance]]
== CylanceProtect fields

Expand Down
Binary file added filebeat/docs/images/filebeat-cyberarkpas-overview.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit 994c6a5

Please sign in to comment.