New Safe Details |
Displays a list of new safes and their details, including user,
account information, and safe name.
Hide Query Show Query // New Safes
#type=cyberark*
|"cef.event_class_id"=185
|rename(cef.ext.suser, as=user)
|format("A-%s", field=user, as=account)
|rename("cef.label.\"Safe Name\"", as="safeName")
|replace("(\")", with="", field=safeName, as=safeName)
| Event List |
Disabled Safes |
Displays the names of disabled safes.
Hide Query Show Query #type=cyberark* |
!in(cef.ext.suser, values=["Backup", "Batch", "DR"]) |
"cef.label.\"Safe Name\""="\"DEL_*"
|count()
| Single Value |
Failed Login Details |
Displays a table of users who had greater than 3 failed login
attempts.
Hide Query Show Query // Failed Login Attempts >= 3
#type=cyberark* |
"cef.event_class_id"=4 | top(cef.ext.suser) |
upper(cef.ext.suser, as=user) |
drop(cef.ext.suser) |
format("A-%s", field=user, as=user) |
rename(field="_count", as="failed logins")
| Table |
New Safes |
Displays the number of new safes by class ID.
Hide Query Show Query // New Safes
#type=cyberark* |
"cef.event_class_id"=185 |
count()
| Single Value |
Disabled Safes Details |
Displays a list of disabled safes and their details such as safe
name, user, etc.
Hide Query Show Query #type=cyberark* |
!in(cef.ext.suser, values=["Backup", "Batch", "DR"]) |
"cef.label.\"Safe Name\""="\"DEL_*"
|rename("cef.label.\"Safe Name\"", as="safeName")
|replace("(\")", with="", field=safeName, as=safeName)
|upper(cef.ext.suser, as=user)
|drop(cef.ext.suser)
|format("A-%s", field=user, as=user)
|rename(field="safeName", as="safe name")
| Event List |
User Retrieved Password |
Displays CyberArk user-retrieved passwords.
Hide Query Show Query #type=cyberark* |
"cef.event_class_id"=295 |
//in(cef.ext.suser, values=["$lanid$"])
cef.ext.suser !="" | lower(cef.ext.suser, as=cef.ext.suser)
| !in(cef.ext.suser, values=["admin*", "auditor", "backup", "batch", "*cyberark*", "dr", "master", "notificationengine", "passwordmanager", "psm*", "pvwa*", "vault*"])
| groupBy(cef.ext.suser, function=count(field=cef.ext.suser, as=_count, distinct=true))|
sum(_count)
| Single Value |
Failed Login Attempts >= 3 |
Displays a list of user's with more than 3 failed login attempts.
Hide Query Show Query // Failed Login Attempts >= 3
#type=cyberark* |
"cef.event_class_id"=4 |
groupBy(cef.ext.suser) |
_count >= 3 |
count()
| Single Value |
Total number of retrieved passwords |
Displays the total number of retrieved passwords and associated
data.
Hide Query Show Query #type=cyberark*
| "cef.event_class_id"=295
| cef.ext.suser !=""
| lower(cef.ext.suser, as=cef.ext.suser)
| !in(cef.ext.suser, values=["admin*", "auditor", "backup", "batch", "*cyberark*", "dr", "master", "notificationengine", "passwordmanager", "psm*", "pvwa*", "vault*"])
| count(field=cef.ext.suser)
| Single Value |
User Retrieved Safes |
Displays a list of user retrieved safes by user, time of access,
IP address, safe name, and times retrieved by user.
Hide Query Show Query #type=cyberark*
|"cef.event_class_id"=295
|cef.ext.suser !=""
|cef.ext.dvc !=""
|lower(cef.ext.suser, as=cef.ext.suser)
|formattime(format="%Y/%m/%d %H:%M:%S",field="@timestamp", as="time")
|rename(field=cef.ext.suser, as="user")
|SafeName := rename("cef.label.\"Safe Name\"")
|IP := rename(cef.ext.dvc)
|groupBy(field=[time,user, IP, SafeName], function=count(field="user", as="times retrieved per user", distinct=false))
|sort(field="times retrieved per user")
|replace("(\")", with="", field=SafeName, as=SafeName)
| Table |