Added PTA syslog information and example

cyberark · May 18, 2023 · cd8cf03 · cd8cf03
1 parent 5443801
commit cd8cf03
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 1 deletion.
diff --git a/docs/cyberark_eda.md b/docs/cyberark_eda.md
@@ -4,12 +4,18 @@ The CyberArk PAM Self-Hosted solution can be configured to export syslogs to Ans
 
 The following options will be available to configure CyberArk as Event Source:
 
+**VAULT**
 * CyberArk to Rsyslog to EDA Webhook
 * CyberArk to Rsyslog to EDA Kafka Topic
 * CyberArk Syslog as EDA event source (UDP Protocol)
 
+**PTA**
+* CyberArk PTA Syslog to EDA event source (UDP Protocol)
+
+
 **NOTE**: For Rsyslog work, it was tested successfully with rsyslogd 8.2306.0.master (aka 2023.06) running on Ubuntu
 
+
 ## CyberArk to Rsyslog to EDA Webhook
 
 ![CyberArk to Rsyslog to EDA Webhook](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/rsyslog-webhook.png?raw=true)
@@ -136,3 +142,17 @@ SyslogServerPort=1514
 SyslogServerProtocol=UDP
 ```
 ![Sample rulebook](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/eda_disableuser_kafka.png?raw=true)
+
+
+## CyberArk PTA Syslog to EDA event source (UDP Protocol)
+
+![CyberArk PTA Syslog to EDA event source (UDP Protocol)](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/eda-pta-syslog.png?raw=true)
+
+Please refer to the following documentation for instructions on how to setup PTA to sent data to SIEM:
+[Send PTA syslog Records to SIEM](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm?tocpath=Administrator%7CComponents%7CPrivileged%20Threat%20Analytics%7CConfigure%20Privileged%20Threat%20Analytics%7CSend%20PTA%20Data%7CSend%20PTA%20syslog%20Records%20to%20SIEM%7C_____0)
+
+In the PTA server's local systemparm.properties file have a line with:
+
+```
+syslog_outbound=[{"siem": "SIEM", "format": "CEF", "host": "ANSIBLE_EDA_SERVER", "port": << PORT FOR THE ANSIBLE EVENT-SOURCE EDA PLUGIN >>, "protocol": "UDP"}]
+```
diff --git a/docs/images/eda-pta-syslog.png b/docs/images/eda-pta-syslog.png
diff --git a/galaxy.yml b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: "cyberark"
 name: "pas"
-version: "1.0.17"
+version: "1.0.18"
 readme: README.md
 authors:
     - CyberArk Business Development (@cyberark-bizdev)

diff --git a/rulebooks/cyberark_test_rule.yml b/rulebooks/cyberark_test_rule.yml
@@ -5,10 +5,22 @@
         host: 0.0.0.0 
         port: 1514
   rules:
+
     - name: Check For User Suspension Event, Then Disable The User and Notify
       condition: event.cyberark.syslog.audit_record.Severity == "Error" and event.cyberark.syslog.audit_record.MessageID == "5"
       action:
         run_playbook:
           name: ../../../cyberark/pas/tests/disable_user.yml
           extra_vars:
             username: "{{ event.cyberark.syslog.audit_record.Issuer }}"  
+
+    - name: Check For PTA irregular IP OR irregular Hours Access and Notify
+      condition: event.cyberark.DeviceEventClassID == "25" or event.cyberark.DeviceEventClassID == "23"
+      action:
+        run_playbook:
+          name: pta_notify.yml
+          extra_vars:
+            username: "{{ event.cyberark.suser }}"
+            eventname: "{{ event.cyberark.DeviceName }}"
+            eventurl: "{{ event.cyberark.PTALink }}"
+            station: "{{ event.cyberark.shost }}"