New Safe Details
Displays a list of new safes and their details, including user, account information, and safe name.
Query:
```
// New Safes
#type=cyberark*
| "cef.event_class_id"=185
| rename(cef.ext.suser, as=user)
| format("A-%s", field=user, as=account)
| rename("cef.label.\"Safe Name\"", as="safeName")
| replace("(\")", with="", field=safeName, as=safeName)
```
Widget: Event List

Incident Details
Query:
```
cef.device.product = PTA
| table([@timestamp, cef.name, cef.severity, cef.ext.shost, cef.ext.suser, cef.label.PTALink])
```
Widget: Table

Incidents
Displays a list of Privileged Threat Analytics (PTA) incidents by external users.
Query:
```
cef.device.product = PTA
| count()
//| sankey(source=cef.ext.suser, target=cef.ext.duser)
```
Widget: Single Value

Disabled Safes
Query:
```
#type=cyberark*
| !in(cef.ext.suser, values=["Backup", "Batch", "DR"])
| "cef.label.\"Safe Name\""="\"DEL_*"
| count()
```
Widget: Single Value

Failed Login Details
Query:
```
// Failed Login Attempts >= 3
#type=cyberark*
| "cef.event_class_id"=4
| top(cef.ext.suser)
| upper(cef.ext.suser, as=user)
| drop(cef.ext.suser)
| format("A-%s", field=user, as=user)
| rename(field="_count", as="failed logins")
```
Widget: Table

Incident Type
Query:
```
cef.device.product = PTA
| timechart(cef.name)
```
Widget: Time Chart

New Safes
Query:
```
// New Safes
#type=cyberark*
| "cef.event_class_id"=185
| count()
```
Widget: Single Value

Disabled Safes Details
Displays a list of disabled safes and their details, such as safe name and user.
Query:
```
#type=cyberark*
| !in(cef.ext.suser, values=["Backup", "Batch", "DR"])
| "cef.label.\"Safe Name\""="\"DEL_*"
| rename("cef.label.\"Safe Name\"", as="safeName")
| replace("(\")", with="", field=safeName, as=safeName)
| upper(cef.ext.suser, as=user)
| drop(cef.ext.suser)
| format("A-%s", field=user, as=user)
| rename(field="safeName", as="safe name")
```
Widget: Event List

PTA Threat Direction
Displays a flowchart of PTA threat direction.
Query:
```
cef.device.product = PTA
| sankey(source=cef.ext.suser, target=cef.ext.duser)
```
Widget: Sankey

Incident Severity Timeline
Displays an incident severity timeline chart using CyberArk PTA data.
Query:
```
cef.device.product = PTA
| timechart(cef.severity)
```
Widget: Time Chart

User Retrieved Password
Query:
```
#type=cyberark*
| "cef.event_class_id"=295
//in(cef.ext.suser, values=["$lanid$"])
| cef.ext.suser !=""
| lower(cef.ext.suser, as=cef.ext.suser)
| !in(cef.ext.suser, values=["admin*", "auditor", "backup", "batch", "*cyberark*", "dr", "master", "notificationengine", "passwordmanager", "psm*", "pvwa*", "vault*"])
| groupBy(cef.ext.suser, function=count(field=cef.ext.suser, as=_count, distinct=true))
| sum(_count)
```
Widget: Single Value

Vault Activity Timeline
Displays a chart of vault activity in timeline format by safe name.
Query:
```
cef.device.product = *
| timechart("cef.label.\"Safe Name\"")
```
Widget: Time Chart

Failed login attempts >= 3
Query:
```
// Failed Login Attempts >= 3
#type=cyberark*
| "cef.event_class_id"=4
| groupBy(cef.ext.suser)
| _count >= 3
| count()
```
Widget: Single Value

Incident Type
Query:
```
cef.device.product = *
| top(cef.name)
```
Widget: Pie Chart

Total number of retrieved passwords
Query:
```
#type=cyberark*
| "cef.event_class_id"=295
| cef.ext.suser !=""
| lower(cef.ext.suser, as=cef.ext.suser)
| !in(cef.ext.suser, values=["admin*", "auditor", "backup", "batch", "*cyberark*", "dr", "master", "notificationengine", "passwordmanager", "psm*", "pvwa*", "vault*"])
| count(field=cef.ext.suser)
```
Widget: Single Value

User Retrieved Safes
Displays a list of user-retrieved safes by user, time of access, IP address, safe name, and number of times retrieved by the user.
Query:
```
#type=cyberark*
| "cef.event_class_id"=295
| cef.ext.suser !=""
| cef.ext.dvc !=""
| lower(cef.ext.suser, as=cef.ext.suser)
| formattime(format="%Y/%m/%d %H:%M:%S", field="@timestamp", as="time")
| rename(field=cef.ext.suser, as="user")
| SafeName := rename("cef.label.\"Safe Name\"")
| IP := rename(cef.ext.dvc)
| groupBy(field=[time, user, IP, SafeName], function=count(field="user", as="times retrieved per user", distinct=false))
| sort(field="times retrieved per user")
| replace("(\")", with="", field=SafeName, as=SafeName)
```
Widget: Table