
New CyberArk rules and decoders

Open SitoRBJ opened this issue 6 years ago • 0 comments

We have created rules and decoders for CyberArk events.

Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM


**Phase 1: Completed pre-decoding.
       full event: 'Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM'
       timestamp: 'Sep 21 13:49:33'
       hostname: 'GADC-VAULT001'
       program_name: 'CEF'
       log: '0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|act=Retrieve password suser=PasswordManager fname=Root\Operating System-HP-WindowsServerLocalAccounts dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 cn2Label="Ticket Id" cn2=CPM  msg=CPM'

**Phase 2: Completed decoding.
       decoder: 'cyberark'
       type: 'Retrieve password'
       suser: 'PasswordManager'
       fname: 'Root\Operating System-HP-WindowsServerLocalAccounts'
       shost: '192.168.1.2'
       dsthost: 'gadc-spfsrvp01.'
       duser: 'GSH001'
       sessionID: '1'
       protocol_: '4'
       command: '5'
       affected-user-name: '123'
       safe-name: 'WIN-P-SPOTFIRE-LA'
       device-type: 'Operating System'
       database: '123'
       other-info: '123'
       request_id: '123'
       ticket_id: 'CPM '
       msg: 'CPM'

**Phase 3: Completed filtering (rules).
       Rule id: '89101'
       Level: '3'
       Description: 'CyberArk'
**Alert to be generated.

Kind regards,

Alfonso Ruiz-Bravo

SitoRBJ, Aug 28 '18 13:08
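As an added example (not code from this issue or from the wazuh-ruleset project), the following Python snippet parses the sample CyberArk CEF event quoted above into the same kind of fields the decoder output shows: the syslog prefix, the pipe-separated CEF header, the space-separated extension, and the csNLabel/cnNLabel pairs folded into named keys. The derived key names (lower-cased label with hyphens) are my own convention, not the decoder's.

```python
import re

# Constructed input: the CyberArk Vault event quoted in the issue, as one line.
SAMPLE = ('Sep 21 13:49:33 GADC-VAULT001 CEF:0|Cyber-Ark|Vault|1.10.0000|165|Retrieve password|1|'
          'act=Retrieve password suser=PasswordManager fname=Root\\Operating System-HP-WindowsServerLocalAccounts '
          'dvc= SessionDuration= shost=192.168.1.2 dhost=gadc-spfsrvp01. duser=GSH001 SessionID=1 ApplicationType=2 '
          'UUID=3 Protocol=4 Command=5 CurrentWorkingDirectory=6 Hostname=7 MachineIP=8.9.8.9 AccountUsername=myacount '
          'cs1Label="Affected User Name" cs1=123 cs2Label="Safe Name" cs2=WIN-P-SPOTFIRE-LA cs3Label="Device Type" '
          'cs3=Operating System cs4Label="Database" cs4=123 cs5Label="Other info" cs5=123 cn1Label="Request Id" cn1=123 '
          'cn2Label="Ticket Id" cn2=CPM  msg=CPM')

# Syslog prefix (timestamp, hostname) followed by the "CEF:<version>|" marker.
HEADER_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) CEF:(?P<ver>\d+)\|')
# An extension key starts the string or follows a space; values run until the next key.
# (CEF requires a literal '=' inside a value to be escaped, so "word=" only marks a key.)
KEY_RE = re.compile(r'(?:^| )(\w+)=')


def parse_extension(ext):
    """Split 'k=v k2=v v' into a dict; values may contain spaces and may be empty."""
    fields = {}
    matches = list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = ext[m.end():end]
    return fields


def resolve_labels(fields):
    """Add a named key for every csN/cnN whose csNLabel/cnNLabel is present."""
    out = dict(fields)
    for key, label in fields.items():
        base = key[:-len('Label')]
        if key.endswith('Label') and base in fields:
            out[label.strip('"').lower().replace(' ', '-')] = fields[base]
    return out


def parse_cef(line):
    """Return syslog header, CEF header and extension fields as one dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a syslog-wrapped CEF event')
    vendor, product, version, sig_id, name, severity, ext = line[m.end():].split('|', 6)
    event = {'timestamp': m.group('ts'), 'hostname': m.group('host'), 'cef_version': m.group('ver'),
             'vendor': vendor, 'product': product, 'version': version,
             'signature_id': sig_id, 'name': name, 'severity': severity}
    event.update(resolve_labels(parse_extension(ext)))
    return event


if __name__ == '__main__':
    for k, v in parse_cef(SAMPLE).items():
        print(f'{k}: {v!r}')
```

Note that the double space in `cn2=CPM  msg=CPM` leaves a trailing space in the cn2 value, exactly as the `ticket_id: 'CPM '` line of the decoder output shows; whether to strip such whitespace before matching rules on it is a normalisation decision the parser should make explicitly.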