Skip to content

Commit

Permalink
Updated PTA documentation, and updated rulebooks.
Browse files Browse the repository at this point in the history
  • Loading branch information
cyberark-bizdev committed May 18, 2023
1 parent b7e2d1a commit f70a0df
Show file tree
Hide file tree
Showing 6 changed files with 109 additions and 4 deletions.
3 changes: 3 additions & 0 deletions docs/cyberark_eda.md
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ SyslogServerIP=<INSERT RSYSLOG IP HERE>
SyslogServerPort=1514
SyslogServerProtocol=UDP
```

![Sample rulebook](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/eda_disable_user_syslog.png?raw=true)


Expand All @@ -156,3 +157,5 @@ In the PTA server's local systemparm.properties file have a line with:
```
syslog_outbound=[{\"siem\": \"SIEM\", \"format\": \"CEF\", \"host\": \"ANSIBLE_EDA_SERVER\", \"port\": << PORT FOR THE ANSIBLE EVENT-SOURCE EDA PLUGIN >>, \"protocol\": \"UDP\"}]
```

![Sample rulebook](https://github.com/cyberark/ansible-security-automation-collection/blob/master/docs/images/eda_pta_disable_user_syslog.png?raw=true)
Binary file added docs/images/eda_pta_disable_user_syslog.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
7 changes: 3 additions & 4 deletions rulebooks/cyberark_test_rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,22 +5,21 @@
host: 0.0.0.0
port: 1514
rules:

- name: Check For User Suspension Event, Then Disable The User and Notify
condition: event.cyberark.syslog.audit_record.Severity == "Error" and event.cyberark.syslog.audit_record.MessageID == "5"
action:
run_playbook:
name: ../../../cyberark/pas/tests/disable_user.yml
name: disable_user.yml
extra_vars:
username: "{{ event.cyberark.syslog.audit_record.Issuer }}"

- name: Check For PTA irregular IP OR irregular Hours Access and Notify
condition: event.cyberark.DeviceEventClassID == "25" or event.cyberark.DeviceEventClassID == "23"
action:
run_playbook:
name: pta_notify.yml
name: pta_disable_notify.yml
extra_vars:
username: "{{ event.cyberark.suser }}"
#username: "{{ event.cyberark.suser | ansible.builtin.regex_search('^[a-zA-Z0-9_]+') }}"
eventname: "{{ event.cyberark.DeviceName }}"
eventurl: "{{ event.cyberark.PTALink }}"
station: "{{ event.cyberark.shost }}"
42 changes: 42 additions & 0 deletions rulebooks/disable_user.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
- hosts: all
connection: local

collections:
- cyberark.pas

tasks:

- name: Logon to CyberArk Vault using PAS Web Services SDK
cyberark_authentication:
api_base_url: "https://BASE_URL"
validate_certs: false
username: "USERNAME"
password: "PASSWORD"

- name: Disabling a CyberArk User
cyberark_user:
username: "{{ username }}" #this is password from the running yml when condition is met
disabled: true
cyberark_session: "{{ cyberark_session }}"
register: cyberarkaction

- name: Debug message
debug:
var: cyberarkaction

- name: Logoff from CyberArk Vault
cyberark_authentication:
state: absent
cyberark_session: "{{ cyberark_session }}"

- name: Sending an e-mail using Gmail SMTP servers
community.general.mail:
host: SMTPSERVER
port: PORT
username: username@mail.com
password: password
to: First Last <first.last@mail.com>
subject: Ansible-Rulebook Report
body: Ansible Rulebook disabled Cyberark user '{{ username }}' due to too many login attempts.
delegate_to: localhost
42 changes: 42 additions & 0 deletions rulebooks/pta_disable_notify.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
- hosts: all
connection: local

collections:
- cyberark.pas

tasks:

- name: Logon to CyberArk Vault using PAS Web Services SDK
cyberark_authentication:
api_base_url: "https://BASE_URL"
validate_certs: false
username: "USERNAME"
password: "PASSWORD"

- name: Disabling a CyberArk User
cyberark_user:
username: "{{ username | regex_search('.+?(?=\\()') }}" #more optimal handle user case like suser=testuserFirst.testuserLast@acme.com(Vault user) match up to ( char
disabled: true
cyberark_session: "{{ cyberark_session }}"
register: cyberarkaction

- name: Debug message
debug:
var: cyberarkaction

- name: Logoff from CyberArk Vault
cyberark_authentication:
state: absent
cyberark_session: "{{ cyberark_session }}"

- name: Sending an e-mail using Gmail SMTP servers
community.general.mail:
host: SMTPSERVER
port: PORT
username: username@mail.com
password: password
to: First Last <first.last@mail.com>
subject: Ansible-Rulebook Report
body: Ansible Rulebook notify of PTA Event {{ username }} - {{ eventname }} - from host {{ station }} - For more info please visit - {{ eventurl }} - user disabled!
delegate_to: localhost
19 changes: 19 additions & 0 deletions rulebooks/pta_notify.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
---
- hosts: all
connection: local

collections:
- cyberark.pas

tasks:

- name: Sending an e-mail using Gmail SMTP servers
community.general.mail:
host: SMTPSERVER
port: PORT
username: username@mail.com
password: password
to: First Last <first.last@mail.com>
subject: Ansible-Rulebook Report
body: Ansible Rulebook notify of PTA Event '{{ username | ansible.builtin.regex_search('^[a-zA-Z0-9_]+') }}' '{{ eventname }}' from host '{{ station }}' For more info please visit - '{{ eventurl }}'
delegate_to: localhost

0 comments on commit f70a0df

Please sign in to comment.