Cyber ark#751
Conversation
JimmyJamTQBD
requested review from
Amitbergman,
KobyKoren,
Yaniv-Shasha,
YaronFruchtmann,
dicolanl,
ianhelle,
juliango2100,
liemilyg,
mgladi,
morshabi,
orco365,
preetikr,
sagamzu,
shainw and
timbMSFT
as code owners
preetikr
left a comment
preetikr
left a comment
There was a problem hiding this comment.
I also see a commit from someone else which is Playbooks/Get-MDATPVulnerabilities/report_template.docx included in this PR.
Please drop this file else it'll overwrite what we already have in the repo. It'll be great to clean up the branch or do this PR / changes from a new branch to avoid picking up random changes.
| @@ -54,7 +54,7 @@ | |||
| }, | |||
| { | |||
There was a problem hiding this comment.
Please move the CyberArk workbook to https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks folder and follow guidance @ https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks#how-to-contribute-new-workbook to submit the workbook.
The Dashboards folder is going to be deleted soon.
| @@ -0,0 +1,46 @@ | |||
| # Connect CyberArk to Azure Sentinel | |||
There was a problem hiding this comment.
Please email us the md file and remove this file from this PR - the documentation for data connector goes to a different repository and should not be in this repo. Thanks.
| @@ -0,0 +1,104 @@ | |||
| { | |||
| "id": "CyberArk", | |||
| "title": "CyberArk Enterprise Password Vault (EPV) Syslog", | |||
There was a problem hiding this comment.
You might want to remove Syslog from the title as it's basically a CEF connector
| "id": "CyberArk", | ||
| "title": "CyberArk Enterprise Password Vault (EPV) Syslog", | ||
| "publisher": "Cyber-Ark", | ||
| "descriptionMarkdown": "CyberArk Enterprise Password Vault generates an xml Syslog messages for every action taken against the Vault. The EPV will send the xml messages through the Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Azure Log Analytics", |
There was a problem hiding this comment.
- Syslog message is right grammatically since it's 'generates an xml Syslog messages' which seems incorrect. Please fix.
- It'd be great to also add a link to CyberArk product documentation.
| "sampleQueries": [ | ||
| { | ||
| "description" : "CyberArk Alerts", | ||
| "query": "\nCommonSecurityLog\n| where LogSeverity == \"7\" or LogSeverity == \"10\"\n| sort by TimeGenerated desc" |
There was a problem hiding this comment.
This will get all results from not only CyberArk but also any other products that have LogSeverity.
Add a where clause as follows before the LogSeverity clause.
| where DeviceVendor == "Cyber-Ark"
| ], | ||
| "dataTypes": [ | ||
| { | ||
| "name": "CommonSecurityLog", |
There was a problem hiding this comment.
The data type name should be "CommonSecurityLog (CyberArk)" with values in the parenthesis same as the value in the legend name.
| "graphQueries": [ | ||
| { | ||
| "metricName": "Total data received", | ||
| "legend": "CyberArkSyslog", |
There was a problem hiding this comment.
You can have the legend as just CyberArk - the syslog term is confusing.
| }, | ||
| { | ||
| "title": "1.2 Install the CEF collector on the Linux machine", | ||
| "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector colects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python –version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", |
There was a problem hiding this comment.
In step #1 there are ASCII / weird chars trailing python - 'following command: python �version.'
Please delete chars after python and delete parts of version and retype to remove this.
| }, | ||
| { | ||
| "title": "2. Forward Common Event Format (CEF) logs to Syslog agent", | ||
| "description": "On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address." |
There was a problem hiding this comment.
In step #2 as well there are ASCII / weird chars trailing machine - 'TCP on the machine�s IP address.'
Please delete chars after machine and delete parts of IP and retype to remove this.
| }, | ||
| { | ||
| "title": "3. Validate connection", | ||
| "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python –version\n\n>2. You must have elevated permissions (sudo) on your machine", |
There was a problem hiding this comment.
In step 3 (point 1) as well there are ASCII / weird chars trailing python - 'following command: python �version'
Please delete chars after python and delete parts of version and retype to remove this.
2 participants
Fixes #
Proposed Changes