39 строки
2.9 KiB
Plaintext
39 строки
2.9 KiB
Plaintext
// This is a Query Parser that is used to map Syslog messsages sent from a CyberArk Digital Vault for creating Dashboards and Alerts.
|
|
//
|
|
// This specific query leverages the Audit Codes that generate an Alert.
|
|
// Alerts are actions that have failed for not having proper access (Failed logon, Failed retrieval of password)
|
|
//
|
|
// Usage Instruction :
|
|
// Paste the query below into log analytics, click Save button and select as Function from drop down by specifying function name and alias.
|
|
// Ensure that your alias is set to "CyberArk_Alert"
|
|
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries
|
|
// (example: CyberArk_Alert | take 10).
|
|
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/function
|
|
|
|
|
|
Syslog
|
|
| where ProcessName contains "Cyber-Ark"
|
|
| extend Time = EventTime
|
|
| extend Source = Computer
|
|
| extend MessageID = ProcessID
|
|
| extend Vendor = ProcessName
|
|
| extend deviceAction = extract("act=(.*?)suser=", 1, SyslogMessage)
|
|
| extend sourceUserName = extract("suser=(.*?)fname=", 1, SyslogMessage)
|
|
| extend fileName = extract("fname=(.*?)dvc=", 1, SyslogMessage)
|
|
| extend deviceAddress = extract("dvc=(.*?)shost=", 1, SyslogMessage)
|
|
| extend sourceHostName = extract("shost=(.*?)dhost=", 1, SyslogMessage)
|
|
| extend destinationHostName = extract("dhost=(.*?)duser=", 1, SyslogMessage)
|
|
| extend destinationUserName = extract("duser=(.*?)externalId=", 1, SyslogMessage)
|
|
| extend externalId = extract("externalId=(.*?)app=", 1, SyslogMessage)
|
|
| extend applicationProtocol = extract("app=(.*?)reason=", 1, SyslogMessage)
|
|
| extend Reason = extract("reason=(.*?)cs1Label=", 1, SyslogMessage)
|
|
| extend affectedUserName = extract("cs1=(.*?)cs2Label=", 1, SyslogMessage)
|
|
| extend safeName = extract("cs2=(.*?)cs3Label=", 1, SyslogMessage)
|
|
| extend deviceType = extract("cs3=(.*?)cs4Label=", 1, SyslogMessage)
|
|
| extend Database = extract("cs4=(.*?)cs5Label=", 1, SyslogMessage)
|
|
| extend otherInfo = extract("cs5=(.*?)cn1Label=", 1, SyslogMessage)
|
|
| extend requestID = extract("cn1=(.*?)cn2Label=", 1, SyslogMessage)
|
|
| extend ticketID = extract("cn2=(.*$)", 1, SyslogMessage)
|
|
| extend Message = extract("msg=(.*$)", 1, SyslogMessage)
|
|
| where ProcessID in (0,3,4,5,6,9,10,11,12,13,14,15,16,17,18,21,23,25,26,27,28,29,30,34,35,38,40,41,42,43,44,45,46,47,48,49,55,56,63,65,70,72,74,76,77,78,82,85,87,89,90,92,96,97,10,101,102,103,104,110,113,116,117,131,132,133,134,135,137,142,145,146,147,148,149,150,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,186,189,191,193,196,197,198,204,205,206,207,208,214,215,216,221,222,237,238,243,244,248,249,250,253,255,260,261,262,263,269,271,272,280,281,284,297,298,301,303,306,307,309,314,315,320,333,336,338,339,342,345,347,349,350,352,353,360,362,363,365,366,369,371,373,375,377,379,381,399,403,404,408,409,413,440,442,444,464)
|