
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## The CEF standard's custom-label functionality has limitations; to work around them, the CyberArk data connector uses the field mappings listed below. Refer to the table for further context.\n\n| Old Label | Sentinel Label | xsl KeyName |\n|:------------------:|:-------------------------:|:----------------:|\n| Safe Name | DestinationUserPrivileges | dpriv |\n| Device Type | FileType | fileType |\n| Affected User Name | SourceUserPrivileges | spriv |\n| Database | DeviceExternalID | deviceExternalId |\n| Other info | destinationProcessName | dproc |\n| Request Id | FileID | fileId |\n| Ticket Id | OldFileID | oldFileId |\n\nThe workbooks outlined here are simply examples to get you started. Your enterprise's security view will dictate which fields need to be depicted in your workbooks, and Sentinel's ease of use allows for dynamic views of your Vault activity."
},
"name": "CyberArk-Workbook-Notes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where OldFileID contains \"Error\" or OldFileID contains \"Failure\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart",
"size": 1,
"title": "Errors within the last hour",
"noDataMessage": "There have been no reported errors in the last hour",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Errors within the last hour"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| search OldFileID contains \"error\" or OldFileID contains \"Failure\"| summarize AggregatedValue = count() by DestinationUserName\r\n",
"size": 0,
"title": "CPM errors, by account",
"noDataMessage": "No accounts have failed rotation",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "CPM errors, by account",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceEventClassID == 7| where SourceUserName contains \"administrator\"| distinct SourceHostName, DeviceAddress, TimeGenerated | summarize count() by SourceHostName, DeviceAddress, TimeGenerated | render timechart",
"size": 0,
"title": "Logins by the Administrator account",
"noDataMessage": "There have been no logins by the Administrator account",
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Administrator account"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceEventClassID == 300| summarize count() by DestinationHostName",
"size": 0,
"title": "Endpoints most connected to",
"noDataMessage": "The PSM is not being utilized",
"noDataMessageStyle": 4,
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Endpoints most connected to"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \"PSMSessions\"| where DestinationUserPrivileges !contains \"PVWAConfig\"| where DestinationUserPrivileges !contains \"PasswordManagerShared\"| where DestinationUserPrivileges !contains \"VaultInternal\"| where DestinationUserPrivileges !contains \"PasswordManager\"| where DestinationUserPrivileges !contains \"PVWAPrivateUserPrefs\"| where DestinationUserPrivileges !contains \"ConjurSync\"| where DestinationUserPrivileges !contains \"SharedAuth_Internal\"| where DestinationUserPrivileges !contains \"PSM\"| where SourceUserName !contains \"PasswordManager\"| summarize count() by DestinationUserPrivileges| render barchart",
"size": 0,
"title": "Accounts most accessed",
"noDataMessage": "There have been no retrievals of accounts from the Vault",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Accounts most accessed"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceEventClassID in (22,24,31,414,416,418)| summarize count() by DestinationUserName| render piechart",
"size": 0,
"title": "Successful CPM operations",
"noDataMessage": "It appears that there is no management of credentials",
"noDataMessageStyle": 4,
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Successful CPM operations"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceAction contains \"disable\"| summarize count() by FileName, DestinationUserName, OldFileID",
"size": 0,
"noDataMessage": "No accounts have been disabled",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Users accessing accounts"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges !contains \"PSMSessions\"| where DestinationUserPrivileges !contains \"PVWAConfig\"| where DestinationUserPrivileges !contains \"PasswordManagerShared\"| where DestinationUserPrivileges !contains \"VaultInternal\"| where DestinationUserPrivileges !contains \"PasswordManager\"| where DestinationUserPrivileges !contains \"PVWAPrivateUserPrefs\"| where DestinationUserPrivileges !contains \"ConjurSync\"| where DestinationUserPrivileges !contains \"SharedAuth_Internal\"| where DestinationUserPrivileges !contains \"PSM\"| where SourceUserName !contains \"PasswordManager\"| summarize count() by SourceUserName, TimeGenerated",
"size": 0,
"title": "Account objects accessed by user",
"noDataMessage": "It appears no accounts have been accessed",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Account objects accessed"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceEventClassID in (302,359,360,361,412,411)\n| summarize audit=makeset(AdditionalExtensions) by ExternalID, DestinationUserName, SourceUserName",
"size": 0,
"title": "General audit information",
"noDataMessage": "There just isn't anything to show here",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"sortBy": [
{
"itemKey": "audit",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "audit",
"sortOrder": 2
}
]
},
"name": "Audit information"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cyber-Ark\" \n| where DeviceProduct == \"Vault\" \n| where DeviceEventClassID in (295,428)| where DestinationUserPrivileges contains \"ConjurSync\"| where SourceUserName contains \"Sync_components\"| summarize AggregatedValue = count() by bin(TimeGenerated, 1h)| sort by TimeGenerated desc| render timechart",
"size": 0,
"title": "Conjur Vault syncs",
"noDataMessage": "It doesn't look like you have Conjur",
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Conjur Vault syncs"
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}