Skip to content

Cyberark Privileged Access Security module#24803

Merged
adriansr merged 102 commits intoelastic:masterfrom
adriansr:cyberarkpas
Apr 19, 2021
Merged

Cyberark Privileged Access Security module#24803
adriansr merged 102 commits intoelastic:masterfrom
adriansr:cyberarkpas

Conversation

@adriansr
Copy link
Copy Markdown
Contributor

@adriansr adriansr commented Mar 29, 2021
edited
Loading

This PR adds a new module, cyberarkpas, to ingest Privileged Access Security audit logs from Vault via syslog.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Dashboard:

filebeat-cyberarkpas-overview

Logs

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Mar 29, 2021

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Mar 29, 2021
@adriansr adriansr closed this Mar 29, 2021
@adriansr adriansr reopened this Mar 29, 2021
@adriansr adriansr marked this pull request as draft March 29, 2021 07:48
adriansr
adriansr commented Mar 29, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Notes to reviewers.

Don't be overwhelmed by the size of the PR. Most of it are sample logs that I plan to reduce.

x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl Outdated
Copy link
Copy Markdown
Contributor Author

@adriansr adriansr Mar 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is necessary to configure the Vault, but it's not used by the module. Added it here so that it's under version control. We need to see how to distribute it.

x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml Outdated
Copy link
Copy Markdown
Contributor Author

@adriansr adriansr Mar 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: Most of these comments can be moved to a description field.

x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml Outdated
Copy link
Copy Markdown
Contributor Author

@adriansr adriansr Mar 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to reviewers: Please review these mappings

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Mar 29, 2021
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #24803 updated

  • Start Time: 2021-04-19T20:17:50.518+0000

  • Duration: 69 min 43 sec

  • Commit: d739863

Test stats 🧪

Test Results
Failed 0
Passed 13608
Skipped 2271
Total 15879

Trends 🧪

Image of Build Times

Image of Tests

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 13608
Skipped 2271
Total 15879

@adriansr adriansr force-pushed the cyberarkpas branch 3 times, most recently from 727eb7d to 2a461e5 Compare April 6, 2021 09:50
@adriansr adriansr added review backport-v7.13.0 Automated backport with mergify and removed in progress Pull request is currently in progress. labels Apr 15, 2021
@adriansr adriansr marked this pull request as ready for review April 15, 2021 14:48
@adriansr adriansr changed the title [WIP] Cyberark Privileged Account Security module Cyberark Privileged Access Security module Apr 15, 2021
@adriansr
Copy link
Copy Markdown
Contributor Author

adriansr commented Apr 15, 2021

/test

andrewkroh
andrewkroh reviewed Apr 16, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks documenting the pipeline so well!

x-pack/filebeat/module/cyberarkpas/audit/config/input.yml Outdated
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh Apr 16, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this for adding network_direction? We do have that available in Ingest Node too now.

Copy link
Copy Markdown
Contributor Author

@adriansr adriansr Apr 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I added the ingest node processor. However, I don't see a way for the user to pass custom internal networks in a way that's compatible with packages. Any ideas?

marc-gr
marc-gr reviewed Apr 19, 2021
View reviewed changes
adriansr added 5 commits April 19, 2021 22:14
@adriansr
Cyberarkpas module skeleton
1da5826
@adriansr
Save Cyberark transform XSLT file
599b7aa
@adriansr
XSL: Escape some control characters
c6d2ac0 
Technically it should escape all control characters (0-0x1f) but
I can't find a way to do that in XSLT v1.0. Only TAB, CR and LF
can be represented.
@adriansr
Mage update
79c4752
@adriansr
WIP
f94039e
adriansr added 21 commits April 19, 2021 22:14
@adriansr
Update dashboard again
be6cb78
@adriansr
Fix double backslashes
03002d2
@adriansr
Use triple braces for mustache in processors
43a1cb8
@adriansr
Remove duplicate observer fields
0fd761b
@adriansr
No need to populate host.hostname
d565794
@adriansr
Remove duplicated message_id
b71a273
@adriansr
More triple braces for mustache
552d9e4
@adriansr
Mage update
6f3a77d
@adriansr
Comment improvements
d846f02
@adriansr
Disable debug in XSL file
68ecae8
@adriansr
Update XSL link.
d7b0bd2
@adriansr
Add changelog entry
11dc572
@adriansr
Remove redundant test logs
86dceae
@adriansr
Add network_direction
57123d2
@adriansr
Use correct log.syslog.priority
1685391
@adriansr
Re-generate golden files with newer 7.13 ES
adfc531
@adriansr
Determine if a field is a valid IP address the 7.13 way
4a958f2
@adriansr
Add station/gateway_station to related.ip
0a02a6b
@adriansr
Remove bogus XSL distribution claim from docs
1e807b3
@adriansr
Add description to script processors
0fabc9f
@adriansr
Make rfc5424 field a boolean
d739863
@adriansr adriansr merged commit 2d51864 into elastic:master Apr 19, 2021
mergify bot pushed a commit that referenced this pull request Apr 19, 2021
@adriansr
Cyberark Privileged Access Security module (#24803)
d79156c 
This PR adds a new module, cyberarkpas, to ingest Privileged Access Security audit logs from Vault via syslog.

(cherry picked from commit 2d51864)
@mergify mergify bot mentioned this pull request Apr 19, 2021
Merged
v1v added a commit to v1v/beats that referenced this pull request Apr 20, 2021
@v1v
Merge remote-tracking branch 'upstream/master' into feature/customise…
2d9fb4d 
…-github-pr-comment-template

* upstream/master:
  [Ingest Manager] Keep http and logging config during enroll (elastic#25132)
  Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742)
  [libbeat] New decode xml wineventlog processor (elastic#25115)
  Add svc to agent k8s clusterRole (elastic#25146)
  Add awsfargate module to collect container logs from Amazon ECS on Fargate (elastic#25041)
  [Filebeat][Cisco ASA] log enhancement and performance (elastic#24744)
  Watch kubernetes namespaces for autodiscover metadata for pods (elastic#25117)
  Cyberark Privileged Access Security module (elastic#24803)
  [Elastic Agent] Log the container command output with LOGS_PATH (elastic#25150)
  Fix for tests after `device...` field has been removed (elastic#25141)
  [Ingest Manager] Restart process on output change (elastic#24907)
  Set --insecure in container when FLEET_SERVER_ENABLE and FLEET_INSECURE set. (elastic#25137)
  [filebeat] Update documentation / changelog / beta warnings for the syslog input (elastic#25047)
  Add support for ignore_inactive in filestream input (elastic#25036)
  Fix bug with annotations dedot config on k8s not used (elastic#25111)
adriansr pushed a commit that referenced this pull request Apr 20, 2021
@mergify
Cyberark Privileged Access Security module (backport #24803) (#25156)
994c6a5 
This PR adds a new module, cyberarkpas, to ingest Privileged Access Security audit logs from Vault via syslog.

(cherry picked from commit 2d51864)
@adriansr adriansr mentioned this pull request Apr 20, 2021
Merged
3 tasks
adriansr added a commit to elastic/integrations that referenced this pull request May 12, 2021
@adriansr
Add package for Cyberark Privileged Access Security audit logs (#928)
c33bc4f 
Adds a new package, cyberarkpas, for Cyberark Privileged Access Security audit logs (from elastic/beats#24803)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marc-gr marc-gr marc-gr left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

No one assigned

Labels

backport-v7.13.0 Automated backport with mergify enhancement Filebeat Filebeat review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@adriansr @elasticmachine @andrewkroh @marc-gr