diff --git a/blog-service/2025-03-28-apps.md b/blog-service/2025-03-28-apps.md new file mode 100644 index 0000000000..e101259477 --- /dev/null +++ b/blog-service/2025-03-28-apps.md @@ -0,0 +1,13 @@ +--- +title: CyberArk Audit (Apps) +image: https://help.sumologic.com/img/sumo-square.png +keywords: + - apps + - cyberark-audit +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + + +We're excited to introduce the new CyberArk Audit app for Sumo Logic. By leveraging this app, security analysts can monitor, analyze, and visualize audit trails of user activities, security events, and anomalies to enhance security. [Learn more](/docs/integrations/saas-cloud/cyberark-audit). \ No newline at end of file diff --git a/cid-redirects.json b/cid-redirects.json index 133b6b470d..f3c708899e 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -2142,6 +2142,7 @@ "/cid/4019": "/docs/send-data/installed-collectors/sources/script-action", "/cid/4412": "/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory", "/cid/44122": "/docs/integrations/saas-cloud/crowdstrike-spotlight", + "/cid/44124": "/docs/integrations/saas-cloud/cyberark-audit", "/cid/44123": "/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage", "/cid/4020": "/docs/search/behavior-insights/logreduce", "/cid/4021": "/docs/search/search-query-language/search-operators/accum", diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index 0f37c18c15..fedc6a2e7c 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md 
@@ -172,7 +172,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [Criminal IP](https://www.criminalip.io/) | Automation integration: [Criminal IP](/docs/platform-services/automation-service/app-central/integrations/criminal-ip) | | Thumbnail icon | [CrowdStrike](https://www.crowdstrike.com/) | Apps:
- [CrowdStrike Falcon Endpoint Protection](/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection/)
- [CrowdStrike Falcon FileVantage](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/)
- [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)
- [CrowdStrike FDR Host Inventory](/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory)
- [CrowdStrike Spotlight](/docs/integrations/saas-cloud/crowdstrike-spotlight)
Automation integrations:
- [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon/)
- [CrowdStrike Falcon Discover](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-discover/)
- [CrowdStrike Falcon Intelligence](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-intelligence/)
- [CrowdStrike Falcon Sandbox](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-sandbox/)
Cloud SIEM integrations:
- [CrowdStrike](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/79ade329-b6d4-43ae-8db1-2a9cc45c0fb0.md)
- [PreemptSecurity](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/15c77a62-0fbb-4a60-9fae-ead49ec423f9.md)
Collectors:
- [CrowdStrike Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source/)
- [Crowdstrike FDR Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-source/)
- [CrowdStrike FDR Host Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-host-inventory-source/)
- [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/)
- [CrowdStrike Spotlight Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source/)
- [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source/) | | Thumbnail icon | [Cuckoo](https://cuckoo.readthedocs.io/en/latest/#) | Automation integration: [Cuckoo](/docs/platform-services/automation-service/app-central/integrations/cuckoo/) | -| Thumbnail icon | [CyberArk](https://www.cyberark.com/) | Automation integrations:
- [CyberArk AAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-aam/)
- [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam)
Cloud SIEM integration: [CyberArk](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8a3d333e-ffad-49ed-9edd-0cf1c797b24f.md)
Collector:
- [CyberArk EPM Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source/)
- [CyberArk Audit Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source/) | +| Thumbnail icon | [CyberArk](https://www.cyberark.com/) | App: [CyberArk Audit](/docs/integrations/saas-cloud/cyberark-audit)
Automation integrations:
- [CyberArk AAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-aam/)
- [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam)
Cloud SIEM integration: [CyberArk](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8a3d333e-ffad-49ed-9edd-0cf1c797b24f.md)
Collector:
- [CyberArk EPM Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source/)
- [CyberArk Audit Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source/) | | cyberint | [CyberInt](https://cyberint.com/) | Automation integration: [Cyberint](/docs/platform-services/automation-service/app-central/integrations/cyberint) | | Thumbnail icon | [Cybereason](https://www.cybereason.com/) | Automation integration: [Cybereason](/docs/platform-services/automation-service/app-central/integrations/cybereason/)
Cloud SIEM integration: [Cybereason](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1a51cb88-ebc9-4655-bce4-3d788bf19e89.md)
Collector: [Cybereason Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cybereason-source/)
Partner integration: [Cybereason](https://github.com/SumoLogic/sumologic-public-partner-apps/tree/master/Cybereason) | | Thumbnail icon | [Cybersecurity Help](https://www.cybersecurity-help.cz/) | Automation integration: [Cybersecurity Help](/docs/platform-services/automation-service/app-central/integrations/cybersecurity-help/) | diff --git a/docs/integrations/saas-cloud/cyberark-audit.md b/docs/integrations/saas-cloud/cyberark-audit.md new file mode 100644 index 0000000000..555c371c1d --- /dev/null +++ b/docs/integrations/saas-cloud/cyberark-audit.md @@ -0,0 +1,161 @@ +--- +id: cyberark-audit +title: CyberArk Audit +sidebar_label: CyberArk Audit +description: The CyberArk Audit app for Sumo Logic provides insights into your organization's cybersecurity practices to strengthen security. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +thumbnail icon + +The Sumo Logic app for CyberArk Audit is a robhust tool that provides insights into your organization's cybersecurity practices. It helps IT and security teams monitor, analyze, and visualize audit trails of user activities, security events, and anomalies. By tracking data on security events, identity management, component usage, and administrative actions, the app delivers actionable intelligence to identify and mitigate security risks, ensuring compliance with regulations and internal policies. Customizable dashboards and detailed reporting enhance its ability to strengthen security. + +:::info +This app includes [built-in monitors](#cyberark-audit-monitors). For details on creating custom monitors, refer to [Create monitors for CyberArk Audit app](#create-monitors-for-cyberark-audit-app). +::: + +## Log types + +This app uses Sumo Logic’s [CyberArk Audit source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source/) to collect the audit logs from the CyberArk Audit platform. + +## Sample log messages + +
+Audit Log + +```json +{ + "uuid": "c131ad7d-af67-4a80-907c-3f982ef5d3be", + "tenantId": "9880566d-4831-4a33-9e11-f4958deae142", + "timestamp": 1742370356027, + "username": "PVWAGWUser", + "applicationCode": "PAM", + "auditCode": "PAM00088", + "auditType": "Info", + "action": "Set Password", + "userId": "PVWAGWUser", + "source": "PVWAAPP", + "actionType": "Password", + "component": "Vault", + "serviceName": "Privilege Cloud", + "accessMethod": null, + "accountId": "", + "target": "", + "command": null, + "sessionId": null, + "message": "", + "customData": { + "PAM": { + "new_target": "", + "target": "" + } + }, + "cloudProvider": null, + "cloudWorkspacesAndRoles": [], + "cloudIdentities": null, + "cloudAssets": null, + "safe": "", + "accountName": "", + "targetPlatform": "", + "targetAccount": "", + "identityType": null +} +``` +
+ +## Sample queries + +```sql title="Password Reset Events" +_sourceCategory="Labs/CyberArkAudit" +| json "uuid", "auditType", "serviceName", "actionType", "action", "identityType", "source", "auditCode", "timestamp", "tenantId", "username", "userId", "component", "message", "customData" as id, audit_type, service_name, action_type, action, identity_type, source, audit_code, timestamp, tenant_id, username, user_id, component, message, custom_data nodrop + +// global filters +| where service_name matches "{{service_name}}" +| where action_type matches "{{action_type}}" +| where audit_type matches "{{audit_type}}" +| where component matches "{{component}}" +| where audit_code matches "{{audit_code}}" +| where action matches "{{action}}" +| where if ("{{identity_type}}" = "*", true, identity_type matches "{{identity_type}}") + +// panel logic +| where toLowerCase(action_type) matches "password" AND toLowerCase(action) matches "set password" +| count by id +| count +``` + +## Collection configuration and app installation + +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; + + + +:::important +Use the [Cloud-to-Cloud Integration for CyberArk Audit](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your CyberArk Audit app is properly integrated and configured to collect and analyze your CyberArk Audit data. 
+::: + +### Create a new collector and install the app + +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; + + + +### Use an existing collector and install the app + +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; + + + +### Use an existing source and install the app + +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; + + + +## Viewing the CyberArk Audit dashboards​​ + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **CyberArk Audit - Overview** dashboard provides a comprehensive view of audit data, helping teams assess cybersecurity events in your organization. It displays key metrics like total events to display the volume of audit activities, explore events through service names and action types to reveal system access patterns. By categorizing events by audit and identity types, you can get insights into different event categories and user behaviors. Trend analysis and event distribution by geography helps you to identify anomalies, while summaries of deleted events highlights the active and ghost IT activities. This dashboard is the central nervous system for operational monitoring and strategic cybersecurity decisions.
CyberArk-Audit-Overview + +### Security Overview + +The **CyberArk Audit - Security Overview** dashboard provides focuses on security metrics related to audit events for network administrators and cybersecurity teams. It highlights high-risk activities such as password resets, suspicious threats, and multi-factor authentication (MFA) events. The dashboard shows administrative events by location, noting activities from embargoed areas. It visualizes OAuth token generation trends to identify anomalies and secure access points. Summaries of password resets, administrative events, and login attempts help detect vulnerabilities and unauthorized access, enhancing cybersecurity defense.
CyberArk-Audit-Security-Overview + +### Logins + +The **CyberArk Audit - Logins** dashboard provides an overview of user authentication activities, tracking successful and failed login trends. It visualizes successful logins by location and flags access from embargoed areas, emphasizing geopolitical access restrictions. For failed logins, the dashboard identifies locations and top users involved, highlighting potential account compromises. This dashboard helps security teams strengthen authentication and prevent unauthorized access, enhancing overall cybersecurity.
CyberArk-Audit-Logins + +## Create monitors for CyberArk Audit app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### CyberArk Audit monitors + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `CyberArk Audit - Events from Embargoed Locations` | This alert is triggered when CyberArk activity is detected from embargoed or restricted locations. This may indicate unauthorized access attempts from high-risk regions. | High | Count > 0 | +| `CyberArk Audit - Excessive Password Resets` | This alert is triggered when an unusual high number of password resets occur within a short period. This could be a sign of compromised accounts or malicious insider activity. | High | Count > 5 | +| `CyberArk Audit - Failed Login Attempts` | This alert is triggered when repeated failed login attempts are detected, indicating brute force attacks or unauthorized attempts to access privileged accounts. | Critical | Count > 0| +| `CyberArk Audit - Multiple Failed Vault Access Attempts` | This alert notifies you when multiple failed attempts are made to access the CyberArk vault, signaling potential credential theft or unauthorized access attempts. | Critical | Count > 3| +| `CyberArk Audit - OAuth Token Generation Events from Embargoed Locations` | This alert is triggered when OAuth tokens are generated from embargoed locations, which may indicate a potential security breach or misuse of privileged access. | High | Count > 0| +| `CyberArk Audit - Threats Detected` | This alert is triggered when threats within CyberArk, such as unauthorized access, suspicious activity, or potential compromise of privileged credentials are detected. 
| Critical | Count > 0| + +## Upgrading the CyberArk Audit app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the CyberArk Audit app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index 12fdbd8c86..a87e6b9490 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -135,6 +135,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Gather real-time visibility into the vulnerabilities.

+
+
+ icon

CyberArk Audit

+

Gather information about your organization's cybersecurity practices to strengthen security.

+
+
Thumbnail icon

Digital Guardian ARC

diff --git a/sidebars.ts b/sidebars.ts index caaf4e558f..4bcd6ac6df 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2523,6 +2523,7 @@ integrations: [ 'integrations/saas-cloud/crowdstrike-falcon-filevantage', 'integrations/saas-cloud/crowdstrike-fdr-host-inventory', 'integrations/saas-cloud/crowdstrike-spotlight', + 'integrations/saas-cloud/cyberark-audit', 'integrations/saas-cloud/datadog', 'integrations/saas-cloud/digital-guardian-arc', 'integrations/saas-cloud/docusign',
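Review bot: In `blog-service/2025-03-28-apps.md` the `import useBaseUrl from '@docusaurus/useBaseUrl';` line is never used in the post body, and the file ends with `\ No newline at end of file`; drop the unused import unless the shared blog template expects it, and add the trailing newline. The new `docs/integrations/saas-cloud/cyberark-audit.md` also ends without a trailing newline and should get the same fix.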
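Review bot: In `cid-redirects.json` the added `"/cid/44124": "/docs/integrations/saas-cloud/cyberark-audit",` is placed between `/cid/44122` and `/cid/44123`, breaking the ascending order the neighbouring keys follow; move it after the `"/cid/44123": "/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage",` line so the sequence reads 44122, 44123, 44124.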
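Review bot: In the rewritten CyberArk row of `product-list-a-l.md` the label `Collector:` is singular but introduces two entries (`CyberArk EPM Source` and `CyberArk Audit Source`); change it to `Collectors:` to match the CrowdStrike row in the same hunk. The new `App: [CyberArk Audit](/docs/integrations/saas-cloud/cyberark-audit)` line is consistent with the sidebar entry and the redirect target added elsewhere in this patch.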
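Review bot: In `cyberark-audit.md` the monitors table header declares the trigger types as `Critical / Warning / MissingData`, but four rows (`Events from Embargoed Locations`, `Excessive Password Resets`, `OAuth Token Generation Events from Embargoed Locations`, `Threats Detected`) use `High`, which is not one of the listed values; either map those rows to Critical or Warning or correct the header. In the same table, `CyberArk Audit - Failed Login Attempts` is described as firing on "repeated failed login attempts" yet its condition is `Count > 0`, so a single failure raises a Critical alert; align the threshold with the description (compare `Multiple Failed Vault Access Attempts`, which uses `Count > 3`) or reword the description. Wording fixes in the same file: "robhust" should be "robust"; "provides focuses on security metrics" should be "focuses on security metrics"; "an unusual high number" should be "an unusually high number"; "event distribution by geography helps you" and "summaries of deleted events highlights" need plural verbs ("help", "highlight"); "ghost IT activities" is unclear and should say what category of activity is meant. The heading `## Viewing the CyberArk Audit dashboards` also appears to carry invisible zero-width characters after "dashboards", which would alter the generated anchor; remove them.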