| New Safe Details | Hide Query Show Query // New Safes
#type=cyberark*
|"cef.event_class_id"=185
|rename(cef.ext.suser, as=user)
|format("A-%s", field=user, as=account)
|rename("cef.label.\"Safe Name\"", as="safeName")
|replace("(\")", with="", field=safeName, as=safeName)
| Event List |
| Incident Details | Hide Query Show Query | cef.device.product = PTA
| table([@timestamp, cef.name, cef.severity, cef.ext.shost, cef.ext.suser, cef.label.PTALink])
| Table |
| Incidents | Hide Query Show Query | cef.device.product = PTA
| count()
//| sankey(source=cef.ext.suser, target=cef.ext.duser)
| Single Value |
| Disabled Safes | Hide Query Show Query #type=cyberark* |
!in(cef.ext.suser, values=["Backup", "Batch", "DR"]) |
"cef.label.\"Safe Name\""="\"DEL_*"
|count()
| Single Value |
| Failed Login Details | Hide Query Show Query // Failed Login Attempts >= 3
#type=cyberark* |
"cef.event_class_id"=4 | top(cef.ext.suser) |
upper(cef.ext.suser, as=user) |
drop(cef.ext.suser) |
format("A-%s", field=user, as=user) |
rename(field="_count", as="failed logins")
| Table |
| Incident Type | Hide Query Show Query | cef.device.product = PTA
| timechart(cef.name)
| Time Chart |
| New Safes | Hide Query Show Query // New Safes
#type=cyberark* |
"cef.event_class_id"=185 |
count()
| Single Value |
| Disabled Safes Details | Hide Query Show Query #type=cyberark* |
!in(cef.ext.suser, values=["Backup", "Batch", "DR"]) |
"cef.label.\"Safe Name\""="\"DEL_*"
|rename("cef.label.\"Safe Name\"", as="safeName")
|replace("(\")", with="", field=safeName, as=safeName)
|upper(cef.ext.suser, as=user)
|drop(cef.ext.suser)
|format("A-%s", field=user, as=user)
|rename(field="safeName", as="safe name")
| Event List |
| PTA Threat Direction | Hide Query Show Query | cef.device.product = PTA
| sankey(source=cef.ext.suser, target=cef.ext.duser)
| Sankey |
| Incident Severity Timeline | Hide Query Show Query | cef.device.product = PTA
| timechart(cef.severity)
| Time Chart |
| User Retrieved Password | Hide Query Show Query #type=cyberark* |
"cef.event_class_id"=295 |
//in(cef.ext.suser, values=["$lanid$"])
cef.ext.suser !="" | lower(cef.ext.suser, as=cef.ext.suser)
| !in(cef.ext.suser, values=["admin*", "auditor", "backup", "batch", "*cyberark*", "dr", "master", "notificationengine", "passwordmanager", "psm*", "pvwa*", "vault*"])
| groupBy(cef.ext.suser, function=count(field=cef.ext.suser, as=_count, distinct=true))|
sum(_count)
| Single Value |
| Vault Activity Timeline | Hide Query Show Query cef.device.product = *
| timechart("cef.label.\"Safe Name\"")
| Time Chart |
| Failed login attempts >= 3 | Hide Query Show Query // Failed Login Attempts >= 3
#type=cyberark* |
"cef.event_class_id"=4 |
groupBy(cef.ext.suser) |
_count >= 3 |
count()
| Single Value |
| Incident Type | Hide Query Show Query | cef.device.product = *
| top(cef.name)
| Pie Chart |
| Total number of retrieved passwords | Hide Query Show Query #type=cyberark*
| "cef.event_class_id"=295
| cef.ext.suser !=""
| lower(cef.ext.suser, as=cef.ext.suser)
| !in(cef.ext.suser, values=["admin*", "auditor", "backup", "batch", "*cyberark*", "dr", "master", "notificationengine", "passwordmanager", "psm*", "pvwa*", "vault*"])
| count(field=cef.ext.suser)
| Single Value |
| User Retrieved Safes | Hide Query Show Query #type=cyberark*
|"cef.event_class_id"=295
|cef.ext.suser !=""
|cef.ext.dvc !=""
|lower(cef.ext.suser, as=cef.ext.suser)
|formattime(format="%Y/%m/%d %H:%M:%S",field="@timestamp", as="time")
|rename(field=cef.ext.suser, as="user")
|SafeName := rename("cef.label.\"Safe Name\"")
|IP := rename(cef.ext.dvc)
|groupBy(field=[time,user, IP, SafeName], function=count(field="user", as="times retrieved per user", distinct=false))
|sort(field="times retrieved per user")
|replace("(\")", with="", field=SafeName, as=SafeName)
| Table |
