CyberArk OnBoarding Wizard

Packs/CyberArkIdentity/.secrets-ignore

@@ -1 +1,3 @@
-https://docs.cyberark.com
+https://docs.cyberark.com
+Clarizen
+SailPoint

Packs/CyberArkIdentity/CorrelationRules/CyberArkCorrelation_0.yml

@@ -0,0 +1,37 @@
+  alert_category: CREDENTIAL_ACCESS
+  alert_description: This correlation rule will trigger in an event in which 4 or
+    more Failed Logins events occurred from a single user during a 10 minutes timeframe.
+  alert_fields:
+    actor_image: null
+    actor_path: null
+    cmd: null
+    domain: null
+    hash: null
+    hostname: null
+    local_ip: xdm.source.ipv4
+    remote_ip: null
+    remote_port: null
+    username: xdm.target.user.username
+  alert_name: CyberArk Failed Logins
+  crontab: '*/10 * * * *'
+  dataset: alerts
+  description: This correlation rule will trigger in an event in which 4 or more Failed
+    Logins events occurred from a single user during a 10 minutes timeframe.
+  drilldown_query_timeframe: QUERY
+  execution_mode: SCHEDULED
+  global_rule_id: dfa5c92b-9b98-46f3-a438-5eb64ad89420
+  investigation_query_link: null
+  mapping_strategy: CUSTOM
+  mitre_defs: {}
+  name: CyberArk Failed Logins
+  search_window: 10 minutes
+  severity: SEV_030_MEDIUM
+  suppression_duration: null
+  suppression_enabled: false
+  suppression_fields: null
+  user_defined_category: null
+  user_defined_severity: null
+  xql_query: "datamodel \r\n|filter xdm.observer.vendor=\"cyberark\" and  xdm.observer.product=\"\
+    identity\"\r\n|filter xdm.event.type=\"Cloud.Core.LoginFail\"\r\n|comp count(xdm.event.type)\
+    \ as `Failed Logins` by xdm.target.user.username, xdm.source.ipv4 \r\n|filter\
+    \  `Failed Logins` >=4 "

Packs/CyberArkIdentity/ModelingRules/CyberArkIdentityEventCollector_1_3/CyberArkIdentityEventCollector_1_3.xif

@@ -11,7 +11,10 @@ filter
 	xdm.auth.auth_method = AuthMethod,
     xdm.event.type=EventType,
     xdm.source.ipv4 = FromIPAddress,
-    xdm.source.application.name = AppId;
+    xdm.source.application.name = AppId,
+    xdm.observer.vendor=_vendor,
+    xdm.observer.product=_product;
+
 filter  EventType not in ("Cloud.Core.OAuthToken.Create", "Cloud.Core.Logout", "Cloud.Core.MfaSummary", "Cloud.Core.StartImpersonate","Cloud.Core.Login", "Cloud.Core.LoginFail", "Cloud.Core.Logout", "Cloud.Core.OAuthToken.InvalidClient" )
  |   alter
     xdm.target.resource.name = coalesce(ObjectName, Role, Alias, ProfileName, TargetUser, DSName, ImpersonateTargetName, Cname, AffectedTenant, OU, DeviceName, ApplicationName, AppName, EntityName),
@@ -30,4 +33,6 @@ filter  EventType not in ("Cloud.Core.OAuthToken.Create", "Cloud.Core.Logout", "
     xdm.target.resource_before.type = OldLicenseType,
     xdm.target.resource.sub_type = MobileAppType,
     xdm.session_context_id = coalesce(JobUniqueId, SessionId),
-	xdm.event.type=EventType;
+	xdm.event.type=EventType,
+    xdm.observer.vendor=_vendor,
+    xdm.observer.product=_product;