diff --git a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConn.zip b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConn.zip
similarity index 100%
rename from Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConn.zip
rename to Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConn.zip
diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/TODO b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/TODO
new file mode 100644
index 00000000000..9d2003fc275
--- /dev/null
+++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/TODO
@@ -0,0 +1,3 @@
+1. Add support for ISPSS login
+2. Error handling
+3. Install over existing connector
\ No newline at end of file
diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/__init__.py b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/__init__.py
new file mode 100644
index 00000000000..457a190bc4c
--- /dev/null
+++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/__init__.py
@@ -0,0 +1 @@
+from .main import main
diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/epm.py b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/epm.py
new file mode 100644
index 00000000000..fa199a736fc
--- /dev/null
+++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/epm.py
@@ -0,0 +1,213 @@ +import logging +import os +import time +from datetime import datetime, timedelta + +from typing import Optional + +import requests + +from .pyepm import ( + get_admin_audit_events, + get_aggregated_events, + get_aggregated_policy_audits, + get_detailed_raw_events, + get_policy_audit_raw_event_details, + get_sets_list, +) +from .storage import AzureBlobStorage, LocalStorage + + +def _get_env(*names: str, default=None): + for name in names: + value = os.environ.get(name) + if value is not None and value != '': + return value + return default + + +client_id = _get_env('OAUTH_USERNAME', 'OAuthUsername') +client_secret = _get_env('OAUTH_PASSWORD', 'OAuthPassword') +identity_endpoint = _get_env('IDENTITY_ENDPOINT', 'IdentityEndpoint') +epm_host = _get_env('EPM_HOST', 'EPMHost') +webapp_id = _get_env('WEBAPP_ID', 'WebAppID') + +fetch_interval_minutes = int(_get_env('FETCH_INTERVAL', 'FetchInterval', default='60')) + +storage = LocalStorage() if _get_env('STORAGE', 'Storage') == 'LocalStorage' else AzureBlobStorage() + +TOKEN_FILE_NAME = 'token.json' +EPM_TENANT_URL_FILE_NAME = 'epm_tenant_url.json' +TIME_FRAME_FILE_NAME = 'time_frame.json' + + +def _is_token_expired(token: dict) -> bool: + timestamp = int(token.get('timestamp', 0)) + expiration = int(token.get('expires_in', 0)) + return timestamp + expiration <= int(time.time()) + + +def _get_oauth_token() -> Optional[str]: + if not (client_id and client_secret and identity_endpoint and webapp_id): + logging.error('Missing OAuth2 configuration environment variables') + return None + + url = f'{identity_endpoint}/oauth2/token/{webapp_id}' + headers = { + 'Content-Type': 'application/x-www-form-urlencoded' + } + body = { + 'grant_type': 'client_credentials', + 'client_id': client_id, + 'client_secret': client_secret + } + + token_data = storage.load(file_name=TOKEN_FILE_NAME) + if token_data and not _is_token_expired(token_data): + return token_data.get('token') + if token_data: + logging.warning('Stored 
token expired') + + try: + logging.info('Creating new token') + response = requests.post(url=url, headers=headers, data=body) + res_content = response.json() + if 200 <= response.status_code <= 299: + expiration = res_content['expires_in'] + token = res_content['access_token'] + storage.save( + data={'token': token, 'expiration': expiration, 'timestamp': int(time.time())}, + file_name=TOKEN_FILE_NAME, + ) + return token + if response.status_code == 400: + logging.error(f"{res_content.get('error')} {res_content.get('error_description')}") + else: + logging.error(f'error during access token negotiation: {response.status_code} {response.text}') + except Exception as err: + logging.error(f'Something went wrong. Exception error text: {err}') + return None + + +def _get_time_window() -> tuple[str, str]: + current_time = datetime.utcnow().replace(second=0, microsecond=0) - timedelta(minutes=10) + current_time_str = current_time.strftime('%Y-%m-%dT%H:%M:%SZ') + + saved = storage.load(file_name=TIME_FRAME_FILE_NAME) or {} + last_end_str = saved.get('last_end_time') + + if last_end_str: + try: + start_time_dt = datetime.strptime(last_end_str, '%Y-%m-%dT%H:%M:%SZ') + except Exception: + logging.warning('Invalid last_end_time in storage. 
Falling back to configured fetch interval.') + start_time_dt = current_time - timedelta(minutes=fetch_interval_minutes) + else: + start_time_dt = current_time - timedelta(minutes=fetch_interval_minutes) + + start_time_str = start_time_dt.strftime('%Y-%m-%dT%H:%M:%SZ') + storage.save(data={'last_end_time': current_time_str}, file_name=TIME_FRAME_FILE_NAME) + return start_time_str, current_time_str + + +def _fetch_set_events(fetch_func, dispatcher_url: str, token: str, filter_date: str, set_id: dict, next_cursor: str = 'start') -> list: + response_json = fetch_func( + epm_server=dispatcher_url, + epm_token=token, + set_id=set_id['Id'], + data=filter_date, + next_cursor=next_cursor, + ).json() + + if isinstance(response_json, list): + return [] + + events = response_json.get('events') or [] + cursor = response_json.get('nextCursor') + if cursor: + events += _fetch_set_events(fetch_func, dispatcher_url=dispatcher_url, token=token, filter_date=filter_date, set_id=set_id, next_cursor=cursor) + return [e | {"SetName": set_id.get("Name")} for e in events if isinstance(e, dict)] + + +def _get_dispatcher_url(auth_token: str): + url = f'{epm_host}/EPM/API/accounts/tenanturl' + headers = { + 'Content-Type': 'application/json', + 'Authorization': f'Bearer {auth_token}' + } + tenant_url = storage.load(file_name=EPM_TENANT_URL_FILE_NAME) + if tenant_url: + return tenant_url.get('tenantUrl') + + try: + logging.info('Getting tenant URL') + response = requests.get(url=url, headers=headers) + res_content = response.json() + if 200 <= response.status_code <= 299: + tenant_url = res_content['tenantUrl'] + storage.save( + data={'tenantUrl': tenant_url}, + file_name=EPM_TENANT_URL_FILE_NAME, + ) + return tenant_url + if response.status_code == 400: + logging.error(f"{res_content.get('error')} {res_content.get('error_description')}") + else: + logging.error(f'error fetching tenant URL: {response.status_code} {response.text}') + except Exception as err: + logging.error(f'Something went 
wrong. Exception error text: {err}') + return None + + +def collect_events() -> list: + token = _get_oauth_token() + dispatcher_url = _get_dispatcher_url(token) + if not token or not dispatcher_url: + logging.error('Failed to obtain OAuth token or dispatcher URL') + return [] + + start_time, end_time = _get_time_window() + logging.info(f'Data processing. Period(UTC): {start_time} - {end_time}') + + filter_date = '{"filter": "arrivalTime GE ' + str(start_time) + ' AND arrivalTime LE ' + end_time + '"}' + + try: + sets_list = get_sets_list(epm_server=dispatcher_url, epm_token=token) + sets = sets_list.json().get('Sets') or [] + except Exception: + logging.error('CyberArkEPMServerURL is invalid') + return [] + + all_events: list = [] + for set_id in sets: + aggregated_events = _fetch_set_events(get_aggregated_events, dispatcher_url=dispatcher_url, token=token, filter_date=filter_date, set_id=set_id) + logging.info(f"Fetched {len(aggregated_events)} aggregated events from {set_id.get('Name')}") + all_events.extend([e | {"eventType": 'aggregated_events'} for e in aggregated_events if isinstance(e, dict)]) + + detailed_raw_events = _fetch_set_events(get_detailed_raw_events, dispatcher_url=dispatcher_url, token=token, filter_date=filter_date, set_id=set_id) + logging.info(f"Fetched {len(detailed_raw_events)} detailed raw events from {set_id.get('Name')}") + all_events.extend([e | {"eventType": 'raw_event'} for e in detailed_raw_events if isinstance(e, dict)]) + + aggregated_policy_audits = _fetch_set_events(get_aggregated_policy_audits, dispatcher_url=dispatcher_url, token=token, filter_date=filter_date, set_id=set_id) + logging.info(f"Fetched {len(aggregated_policy_audits)} aggregated policy audits from {set_id.get('Name')}") + all_events.extend([e | {"eventType": 'aggregated_policy_audits'} for e in aggregated_policy_audits if isinstance(e, dict)]) + + audit_raw_event_details = _fetch_set_events(get_policy_audit_raw_event_details, dispatcher_url=dispatcher_url, 
token=token, filter_date=filter_date, set_id=set_id) + logging.info(f"Fetched {len(audit_raw_event_details)} policy audit raw events from {set_id.get('Name')}") + all_events.extend([e | {"eventType": 'policy_audit_raw_event_details'} for e in audit_raw_event_details if isinstance(e, dict)]) + + try: + admin_events = get_admin_audit_events( + epm_server=dispatcher_url, + epm_token=token, + set_id=set_id['Id'], + start_time=start_time, + end_time=end_time, + limit=100, + ) + logging.info(f"Fetched {len(admin_events)} admin audit events from {set_id.get('Name')}") + all_events.extend(admin_events) + except Exception as err: + logging.warning(f'Failed fetching Admin Audit Data: {err}') + + return [e for e in all_events if isinstance(e, dict)] diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/exporter.py b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/exporter.py new file mode 100644 index 00000000000..2d4a4a33f1e --- /dev/null +++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/exporter.py 
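Review bot: `_get_time_window` persists `last_end_time` before a single event has been fetched, so when `get_sets_list` raises (the `except Exception` in `collect_events` then returns `[]`) or a later upload fails, the next run starts from the already-advanced window and the events of the failed run are never collected — a silent gap in an audit feed. Defer the save to the end of `collect_events` (after the loop, `storage.save(data={'last_end_time': end_time}, file_name=TIME_FRAME_FILE_NAME)`) and drop it from `_get_time_window`. Separately, the token cache can never hit: the blob is written with the key `'expiration'` but `_is_token_expired` reads `'expires_in'`, so every run mints a new token; write `'expires_in': expiration` instead. Be aware that this cache stores a live bearer token in plaintext in the state container, so read access to that container is equivalent to holding the OAuth client credentials. `_fetch_set_events` tags events with `SetName` only while the exporter and the DCR expect `SetId` as well, so extend the merge to `e | {"SetName": set_id.get("Name"), "SetId": set_id.get("Id")}`.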
@@ -0,0 +1,135 @@ +import json +import logging +import os +from datetime import datetime, timezone + +from azure.identity import DefaultAzureCredential +from azure.monitor.ingestion import LogsIngestionClient + + +_CONNECTOR_EVENT_TYPES = { + 'aggregated_events', + 'raw_event', + 'aggregated_policy_audits', + 'policy_audit_raw_event_details', + 'admin_audit', +} + + +def _to_rfc3339_utc(value): + if value is None: + return None + if isinstance(value, datetime): + dt = value + if dt.tzinfo is None: + dt = dt.replace(tzinfo=timezone.utc) + return dt.astimezone(timezone.utc).isoformat().replace('+00:00', 'Z') + if not isinstance(value, str): + return None + + s = value.strip() + if not s: + return None + + # Examples in docs: + # - 2021-07-07T06:44:52Z + # - 2022-02-28T11:28:16.069Z + try: + if s.endswith('Z'): + # datetime.fromisoformat doesn't accept trailing 'Z' directly + dt = datetime.fromisoformat(s[:-1]) + dt = dt.replace(tzinfo=timezone.utc) + else: + dt = datetime.fromisoformat(s) + if dt.tzinfo is None: + dt = dt.replace(tzinfo=timezone.utc) + return dt.astimezone(timezone.utc).isoformat().replace('+00:00', 'Z') + except Exception: + return None + + +def _pick_timegenerated(event: dict): + for k in ('arrivalTime', 'lastEventDate', 'firstEventDate', 'date', 'Date', 'time', 'Time'): + ts = _to_rfc3339_utc(event.get(k)) + if ts: + return ts + return _to_rfc3339_utc(datetime.now(timezone.utc)) + + +def _get_first(event: dict, keys): + for k in keys: + v = event.get(k) + if v is not None and v != '': + return v + return None + + +def _transform_schema(epm_events): + dcr_events = [] + for event in epm_events: + if not isinstance(event, dict): + continue + + raw_event_type = event.get('eventType') or event.get('event_type') + if isinstance(raw_event_type, str) and raw_event_type in _CONNECTOR_EVENT_TYPES: + connector_event_type = raw_event_type + cyberark_event_type = event.get('CyberArkEventType') or event.get('cyberArkEventType') + else: + connector_event_type = 
event.get('EventType') or event.get('event_type') or 'unknown' + cyberark_event_type = raw_event_type + + normalized = { + 'TimeGenerated': _pick_timegenerated(event), + 'EventType': connector_event_type, + 'SetId': event.get('SetId') or event.get('setId'), + 'SetName': event.get('SetName') or event.get('set_name') or event.get('setName'), + 'EpmAgentId': event.get('agentId') or event.get('lastAgentId'), + 'ComputerName': event.get('computerName') or event.get('lastEventComputerName') or event.get('sourceWSName'), + 'UserName': _get_first(event, ('userName', 'lastEventUserName', 'firstEventUserName', 'owner')), + 'PolicyName': event.get('policyName') or event.get('lastEventDisplayName'), + 'PolicyAction': event.get('policyAction') or event.get('threatDetectionAction') or event.get('threatProtectionAction'), + 'CyberArkEventType': cyberark_event_type, + 'FileName': _get_first(event, ('fileName', 'lastEventFileName', 'lastEventOriginalFileName', 'originalFileName')), + 'FilePath': event.get('filePath') or event.get('fileLocation'), + 'Hash': event.get('hash'), + 'Publisher': event.get('publisher'), + 'SourceType': event.get('sourceType') or event.get('lastEventSourceType'), + 'SourceName': event.get('sourceName') or event.get('lastEventSourceName'), + 'FirstEventDate': _to_rfc3339_utc(event.get('firstEventDate')), + 'LastEventDate': _to_rfc3339_utc(event.get('lastEventDate')), + 'ArrivalTime': _to_rfc3339_utc(event.get('arrivalTime')), + 'TotalEvents': event.get('totalEvents'), + 'AffectedComputers': event.get('affectedComputers'), + 'AffectedUsers': event.get('affectedUsers'), + 'AggregatedBy': event.get('aggregatedBy'), + 'FileQualifier': event.get('fileQualifier'), + 'Skipped': event.get('skipped'), + 'SkippedCount': event.get('skippedCount'), + 'AdditionalFields': event, + } + + # Drop None keys (keeps payload smaller and avoids type conflicts in DCR) + normalized = {k: v for k, v in normalized.items() if v is not None} + + # Ensure non-dynamic fields don't 
accidentally become dict/list + for k, v in list(normalized.items()): + if k == 'AdditionalFields': + continue + if isinstance(v, (dict, list)): + normalized[k] = json.dumps(v) + + dcr_events.append(normalized) + + return dcr_events + + +def send_dcr_data(data: list): + endpoint = os.environ.get('DATA_COLLECTION_ENDPOINT') + rule_id = os.environ.get('LOGS_DCR_RULE_ID') + try: + credential = DefaultAzureCredential() # CodeQL [SM05139] This data connector (Function app based) is deprecated. + client = LogsIngestionClient(endpoint=endpoint, credential=credential, logging_enable=True) + dcr_events = _transform_schema(data) + client.upload(rule_id=rule_id, stream_name=os.environ.get('LOGS_DCR_STREAM_NAME'), logs=dcr_events) + except Exception as e: + logging.error(f"Upload failed: {e}") diff --git a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/function.json b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/function.json similarity index 100% rename from Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/function.json rename to Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/function.json diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/main.py b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/main.py new file mode 100644 index 00000000000..db9543cf150 --- /dev/null +++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/main.py 
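Review bot: `send_dcr_data` catches every exception from `LogsIngestionClient.upload` and only logs it, so a rejected or partially failed chunk is dropped without the caller in `main` ever knowing, and a run that lost all of its events still finishes as a success. Use `logging.exception('Upload failed')` and re-raise so the invocation is marked failed, or return a boolean the caller can act on; `upload` raises `LogsUploadError` for partial failures, which carries the failed logs and is worth handling explicitly. The CodeQL suppression on `DefaultAzureCredential()` justifies itself with "this data connector is deprecated", which contradicts this being a newly added file — either the justification or the suppression should go. With `logging_enable=True`, azure-core's network trace policy will, if the logger is ever raised to DEBUG, write request bodies (user names, file paths and hashes produced by `_transform_schema`) into the function logs, which is presumably unintended; consider dropping the flag.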
@@ -0,0 +1,32 @@
+import os
+import logging
+import azure.functions as func
+from .epm import collect_events
+from .exporter import send_dcr_data
+
+
+def _iter_chunks(data, chunk_size: int):
+ chunk = []
+ for item in data:
+ chunk.append(item)
+ if len(chunk) >= chunk_size:
+ yield chunk
+ chunk = []
+ if chunk:
+ yield chunk
+
+
+def main(mytimer: func.TimerRequest) -> None:
+ if getattr(mytimer, 'past_due', False):
+ logging.info('The timer is past due!')
+
+ logging.getLogger().setLevel(logging.INFO)
+ logging.info('Starting program')
+
+ events = collect_events()
+ logging.info(f'Found {len(events)} events to export')
+ if not events:
+ return
+ chunk_size = int(os.environ.get('CHUNK_SIZE', '2000'))
+ for chunk in _iter_chunks(events, chunk_size=chunk_size):
+ send_dcr_data(data=chunk)
diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/pyepm.py b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/pyepm.py
new file mode 100644
index 00000000000..c52eace78b9
--- /dev/null
+++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/pyepm.py
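Review bot: `CHUNK_SIZE` is parsed with `int()` only after `collect_events()` has run, and `_iter_chunks` accepts 0 or a negative value without complaint; a malformed setting therefore raises `ValueError` after the stored time window has already been advanced by `_get_time_window` in epm.py, so that window's events are never exported. Parse and clamp it before collecting anything: `chunk_size = max(1, int(os.environ.get('CHUNK_SIZE', '2000')))` as the first statement of `main`. The `past_due` message is also logged before `setLevel(logging.INFO)` takes effect, so whether it appears depends on the host's default level; move the `setLevel` call above it.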
@@ -0,0 +1,204 @@ +import requests, urllib3 + + +urllib3.disable_warnings() + + +def _build_bearer_headers(bearer_token): + return { + 'Content-Type': 'application/json', + 'Authorization': 'Bearer ' + bearer_token, + } + + +def _request(method, url, headers=None, data=None, params=None): + if method == 'GET': + return requests.get(url, headers=headers, params=params) + if method == 'POST': + return requests.post(url, headers=headers, data=data, params=params) + raise ValueError('Unsupported method') + + +def _build_auth_headers(epm_token, auth_type=None): + return _build_bearer_headers(epm_token) + + +def get_version(dispatcher, version=None): + """ + Get EPM version + This method enables the user to retrieve the EPM version + """ + # create the URL to the dispacthcer with the information passed in to the function + if not version: + target_url = dispatcher + "/EPM/API/Server/Version" + else: + target_url = dispatcher + "/EPM/API/" + version + "/Server/Version" + + # make the Rest API call + return requests.get(target_url) + + +def get_sets_list(epm_server, epm_token, version=None): + """ + Get Sets list + This method enables the user to retrieve the list of Sets. 
+ """ + # build the URL + if not version: + target_url = epm_server + "/EPM/API/Sets" + else: + target_url = epm_server + "/EPM/API/" + version + "/Sets" + + # build the header + hdr = _build_bearer_headers(epm_token) + hdr['x-cybr-telemetry'] = 'aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=' + + # make the Rest API call + return _request('GET', target_url, headers=hdr) + + +def get_aggregated_events(epm_server, epm_token, set_id, data, next_cursor="start", limit=1000, **kwargs): + """ + Get aggregated events + This method enables the user to retrieve aggregated events from EPM according + """ + + # build the URL + + if next_cursor: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/events/aggregations/search?nextCursor=" + next_cursor + "&limit=" + str( + limit) + else: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/events/aggregations/search?limit=" + str(limit) + + # build the header + hdr = _build_bearer_headers(epm_token) + + # make the Rest API call + # this url can take a query, the parameters for the query should be in kwargs + # check to see if there are any keyword arguments passed in to this function + # if so, use them + if len(kwargs) > 0: + return _request('POST', target_url, headers=hdr, data=data, params=kwargs) + else: + return _request('POST', target_url, headers=hdr, data=data) + + +def get_detailed_raw_events(epm_server, epm_token, set_id, data, next_cursor="start", limit=1000, **kwargs): + """ + Get detailed raw events + This method enables the user to retrieve raw events from EPM according + to a predefined filter + """ + + # build the URL + if next_cursor: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/Events/Search?nextCursor=" + next_cursor + "&limit=" + str( + limit) + else: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/Events/Search?limit=" + str(limit) + + # build the header + hdr = _build_bearer_headers(epm_token) + + # make the Rest API call + # this url can take a 
query, the parameters for the query should be in kwargs + # check to see if there are any keyword arguments passed in to this function + # if so, use them + + if len(kwargs) > 0: + return _request('POST', target_url, headers=hdr, data=data, params=kwargs) + else: + return _request('POST', target_url, headers=hdr, data=data) + + +def get_aggregated_policy_audits(epm_server, epm_token, set_id, data, next_cursor="start", limit=1000, **kwargs): + """ + Get aggregated policy audits + This method enables the user to retrieve aggregated policy audits from EPM according + """ + + # build the URL + if next_cursor: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/policyaudits/aggregations/search?nextCursor=" + next_cursor + "&limit=" + str( + limit) + else: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/policyaudits/aggregations/search?limit=" + str(limit) + + # build the header + hdr = _build_bearer_headers(epm_token) + + # make the Rest API call + # this url can take a query, the parameters for the query should be in kwargs + # check to see if there are any keyword arguments passed in to this function + # if so, use them + + if len(kwargs) > 0: + return _request('POST', target_url, headers=hdr, data=data, params=kwargs) + else: + return _request('POST', target_url, headers=hdr, data=data) + + +def get_policy_audit_raw_event_details(epm_server, epm_token, set_id, data, next_cursor="start", limit=1000, + **kwargs): + """ + Get policy audit raw event details + This method enables the user to retrieve policy audit raw event details from EPM according + """ + + # build the URL + if next_cursor: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/policyaudits/search?nextCursor=" + next_cursor + "&limit=" + str( + limit) + else: + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/policyaudits/search?limit=" + str(limit) + + # build the header + hdr = _build_bearer_headers(epm_token) + + # make the Rest API call + # this url can take a query, the 
parameters for the query should be in kwargs + # check to see if there are any keyword arguments passed in to this function + # if so, use them + + if len(kwargs) > 0: + return _request('POST', target_url, headers=hdr, data=data, params=kwargs) + else: + return _request('POST', target_url, headers=hdr, data=data) + +def get_admin_audit_events(epm_server, epm_token, set_id, start_time, end_time, limit=100): + """ + Get Admin Audit Data + This method enables the user to retrieve Admin Audit Data from EPM according + to a range of time (between start_time and end_time) + """ + # build the header + hdr = _build_bearer_headers(epm_token) + + # make the Rest API call + # this url can take a query, the parameters for the query should be in kwargs + # check to see if there are any keyword arguments passed in to this function + # if so, use them + + rows_count = 0 + offset = 0 + events_json = [] + + while True: + #build the URL + target_url = epm_server + "/EPM/API/Sets/" + set_id + "/AdminAudit?DateFrom=" + start_time + "&DateTo=" + end_time + "&limit=" + str(limit) + "&offset=" + str(offset) + r = _request('GET', target_url, headers=hdr).json() + events_json += r["AdminAudits"] + #Get TotalCount from JSON + total_count = r["TotalCount"] + rows_count += len(r["AdminAudits"]) + + if total_count > rows_count: + offset += limit + else: + break + if len(events_json) > 0: + for admin_audit_event in events_json: + admin_audit_event["eventType"] = "admin_audit" + + return events_json diff --git a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/state_manager.py b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/state_manager.py similarity index 100% rename from Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/state_manager.py rename to Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/state_manager.py 
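Review bot: `get_admin_audit_events` loops `while True` for as long as `TotalCount > rows_count`, so a page that comes back with an empty `AdminAudits` list (or a `TotalCount` that never matches what is returned) spins forever and burns the function's execution budget; break as soon as a page adds nothing. None of the `requests` calls in this file pass a `timeout`, so a stalled EPM endpoint hangs the run for the same reason. `next_cursor` and `set_id` are taken from API responses and spliced into the URL unencoded; routing them through `params=` (which `_request` already supports) keeps an `&` or `#` in a cursor from rewriting the query string. `urllib3.disable_warnings()` at import time silences `InsecureRequestWarning` process-wide although nothing here disables certificate verification, so it only hides the one signal that would expose a future `verify=False`; remove it.
```python
def _request(method, url, headers=None, data=None, params=None, timeout=(10, 60)):
    if method == 'GET':
        return requests.get(url, headers=headers, params=params, timeout=timeout)
    if method == 'POST':
        return requests.post(url, headers=headers, data=data, params=params, timeout=timeout)
    raise ValueError('Unsupported method')

# … unchanged: get_version … get_policy_audit_raw_event_details …

    while True:
        # … unchanged: target_url build …
        r = _request('GET', target_url, headers=hdr).json()
        page = r["AdminAudits"]
        events_json += page
        total_count = r["TotalCount"]
        rows_count += len(page)
        # an empty page with an unreached TotalCount would otherwise loop forever
        if total_count > rows_count and page:
            offset += limit
        else:
            break
```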
diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/storage.py b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/storage.py
new file mode 100644
index 00000000000..bffb08ad637
--- /dev/null
+++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/storage.py
@@ -0,0 +1,51 @@
+import json
+import logging
+import os
+
+from azure.storage.blob import ContainerClient
+
+
+class BaseStorage:
+ def save(self, data: dict, file_name: str) -> None:
+ pass
+
+ def load(self, file_name: str) -> dict:
+ pass
+
+
+class LocalStorage(BaseStorage):
+ def save(self, data: dict, file_name: str) -> None:
+ with open(file_name, 'w+') as file:
+ json.dump(data, file)
+
+ def load(self, file_name: str) -> dict:
+ if os.path.exists(file_name):
+ with open(file_name, 'r') as file:
+ return json.load(file)
+ return {}
+
+
+class AzureBlobStorage(BaseStorage):
+ def __init__(self):
+ storage_account = os.environ.get('AzureWebJobsStorage')
+ audit_container = os.environ.get('StorageContainer', 'epm-query-storage')
+ self.container_client = ContainerClient.from_connection_string(conn_str=storage_account,
+ container_name=audit_container)
+
+ def save(self, data: dict, file_name: str) -> None:
+ blob_client = self.container_client.get_blob_client(blob=file_name)
+
+ try:
+ blob_client.upload_blob(json.dumps(data), overwrite=True)
+ logging.info(f'Blob {file_name} successfully written')
+ except Exception as e:
+ logging.error(f'Error writing to blob {file_name}: {str(e)}')
+
+ def load(self, file_name: str) -> dict:
+ blob_client = self.container_client.get_blob_client(blob=file_name)
+ try:
+ blob_data = blob_client.download_blob().readall()
+ return json.loads(blob_data)
+ except Exception as e:
+ logging.error(f'Error reading blob {file_name}: {str(e)}')
+ return {}
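Review bot: `AzureBlobStorage.load` turns every failure into `{}`, so an auth error, a missing container or a throttled read is indistinguishable from "no state yet"; epm.py then falls back to `fetch_interval_minutes` for the window and `_get_oauth_token` mints a fresh token, quietly re-ingesting or losing data instead of failing the run. Catch `ResourceNotFoundError` from `azure.core.exceptions` for the legitimate first-run case and re-raise everything else after `logging.exception(...)`; the same applies to `save`, whose swallowed failure means the next run reuses a stale window. Because this store also holds the cached bearer token (`token.json` written by epm.py), `LocalStorage.save` should not create files with default permissions — open via `os.open(file_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` — and the blob container should be readable only by the function's identity. `BaseStorage.load` is annotated `-> dict` but returns `None`; make it `return {}` or raise `NotImplementedError`.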
diff --git a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPM_API_FunctionApp.json b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_API_FunctionApp.json
similarity index 100%
rename from Solutions/CyberArkEPM/DataConnectors/CyberArkEPM_API_FunctionApp.json
rename to Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_API_FunctionApp.json
diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_DCR.json b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_DCR.json
new file mode 100644
index 00000000000..3d2407f0d5a
--- /dev/null
+++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_DCR.json
@@ -0,0 +1,141 @@ +[ + { + "name": "CyberArkEPMDCR", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "{{location}}", + "properties": { + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}", + "streamDeclarations": { + "Custom-CyberArkEPM": { + "columns": [ + { + "name": "TimeGenerated", + "type": "string" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "SetId", + "type": "string" + }, + { + "name": "SetName", + "type": "string" + }, + { + "name": "EpmAgentId", + "type": "string" + }, + { + "name": "ComputerName", + "type": "string" + }, + { + "name": "UserName", + "type": "string" + }, + { + "name": "PolicyName", + "type": "string" + }, + { + "name": "PolicyAction", + "type": "string" + }, + { + "name": "CyberArkEventType", + "type": "string" + }, + { + "name": "FileName", + "type": "string" + }, + { + "name": "FilePath", + "type": "string" + }, + { + "name": "Hash", + "type": "string" + }, + { + "name": "Publisher", + "type": "string" + }, + { + "name": "SourceType", + "type": "string" + }, + { + "name": "SourceName", + "type": "string" + }, + { + "name": "FirstEventDate", + "type": "string" + }, + { + "name": "LastEventDate", + "type": "string" + }, + { + "name": "ArrivalTime", + "type": "string" + }, + { + "name": "TotalEvents", + "type": "int" + }, + { + "name": "AffectedComputers", + "type": "int" + }, + { + "name": "AffectedUsers", + "type": "int" + }, + { + "name": "AggregatedBy", + "type": "string" + }, + { + "name": "FileQualifier", + "type": "string" + }, + { + "name": "Skipped", + "type": "boolean" + }, + { + "name": "SkippedCount", + "type": "int" + }, + { + "name": "AdditionalFields", + "type": "dynamic" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "{{workspaceResourceId}}", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": ["Custom-CyberArkEPM"], + "destinations": ["clv2ws1"], + "transformKql": "source | 
project TimeGenerated=todatetime(TimeGenerated), EventType=tostring(EventType), SetId=tostring(SetId), SetName=tostring(SetName), EpmAgentId=tostring(EpmAgentId), ComputerName=tostring(ComputerName), UserName=tostring(UserName), PolicyName=tostring(PolicyName), PolicyAction=tostring(PolicyAction), CyberArkEventType=tostring(CyberArkEventType), FileName=tostring(FileName), FilePath=tostring(FilePath), Hash=tostring(Hash), Publisher=tostring(Publisher), SourceType=tostring(SourceType), SourceName=tostring(SourceName), FirstEventDate=todatetime(FirstEventDate), LastEventDate=todatetime(LastEventDate), ArrivalTime=todatetime(ArrivalTime), TotalEvents=toint(TotalEvents), AffectedComputers=toint(AffectedComputers), AffectedUsers=toint(AffectedUsers), AggregatedBy=tostring(AggregatedBy), FileQualifier=tostring(FileQualifier), Skipped=tobool(Skipped), SkippedCount=toint(SkippedCount), AdditionalFields=parse_json(tostring(AdditionalFields))", + "outputStream": "Custom-CyberArk_EPMEvents_CL" + } + ] + } + } + ] \ No newline at end of file diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_DataConnectorDefinition.json b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_DataConnectorDefinition.json new file mode 100644 index 00000000000..5015635db64 --- /dev/null +++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_DataConnectorDefinition.json 
@@ -0,0 +1,128 @@ +{ + "name": "CyberArkEPMCCPDefinition", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CyberArkEPMCCPDefinition", + "title": "CyberArk EPM", + "publisher": "CyberArk", + "descriptionMarkdown": "The [CyberArk Endpoint Privilege Manager](https://www.cyberark.com/products/endpoint-privilege-manager/) data connector enables Microsoft Sentinel to ingest security event logs and other events from CyberArk EPM via REST API.", + "graphQueriesTableName": "CyberArk_EPMEvents_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CyberArk EPM Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "CyberArk EPM Events - All Activities.", + "query": "{{graphQueriesTableName}}\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "CyberArk EPM Platform", + "description": "Access to perform required configurations in CyberArk EPM platform" + } + ] + }, + "instructionSteps": [ + { + "description": "Follow the configuration steps [here](https://docs.cyberark.com/epm/latest/en/content/webservices/authenticate-with-identity-administration.htm) to integrate Microsoft Sentinel with CyberArk EPM and enable centralized monitoring of endpoint 
events within Microsoft Sentinel.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Web App ID", + "validations": { + "required": true + }, + "placeholder": "The OAuth2 server web app ApplicationID", + "type": "text", + "name": "WebAppID" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Region based Tenant URL", + "validations": { + "required": true + }, + "placeholder": "e.g. api-na.epm.cyberark.cloud", + "type": "text", + "name": "TenantUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Set ID", + "validations": { + "required": true + }, + "placeholder": "List of comma seperated EPM Set IDs to poll events from", + "type": "text", + "name": "SetId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Identity Endpoint", + "validations": { + "required": true + }, + "placeholder": "e.g. kln9281.id.cyberark.cloud", + "type": "text", + "name": "IdentityEndpoint" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Oauth Username", + "clientSecretLabel": "Oauth Password", + "clientIdPlaceholder": "The service user created in Identity Administration", + "clientSecretPlaceholder": "The user password created in Identity Administration", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + } + ], + "title": "Connect to CyberArk EPM API to start collecting event logs in Microsoft Sentinel" + } + ] + } + } +} \ No newline at end of file diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_PollingConfig.json b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_PollingConfig.json new file mode 100644 index 00000000000..15a838ced98 --- /dev/null +++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_PollingConfig.json 
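Review bot: the `permissions.resourceProvider` entry demands `"delete": true` on the workspace while its own `permissionsDisplayText` says only read and write are required; drop `"delete": true` unless a step of this connector actually deletes something, so the definition asks for least privilege and the text matches what is requested. The `SetId` placeholder promises a "comma seperated" list, but the polling configs interpolate `{{SetId}}` directly into the path `/EPM/API/Sets/{{SetId}}/...`, where a comma-separated value presumably resolves to a request for a non-existent set; either document a single ID or generate one poller per set. Also fix the typo (`separated`) and the label casing (`OAuth Username`, `OAuth Password`) in the same step.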
@@ -0,0 +1,287 @@ +[ + { + "name": "CyberArk EPM Aggregated Events Polling Config", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "{{clientSecret}}", + "ClientId": "{{clientId}}", + "TokenEndpoint": "https://{{IdentityEndpoint}}/oauth2/token/{{WebAppID}}", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "https://{{TenantUrl}}/EPM/API/Sets/{{SetId}}/events/aggregations/search", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "CyberArk EPM Raw Events Polling Config", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + 
"properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "{{clientSecret}}", + "ClientId": "{{clientId}}", + "TokenEndpoint": "https://{{IdentityEndpoint}}/oauth2/token/{{WebAppID}}", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "https://{{TenantUrl}}/EPM/API/Sets/{{SetId}}/Events/Search", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "CyberArk EPM Aggregated Policy Audits Polling Config", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": 
"{{dataCollectionRuleImmutableId}}", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "{{clientSecret}}", + "ClientId": "{{clientId}}", + "TokenEndpoint": "https://{{IdentityEndpoint}}/oauth2/token/{{WebAppID}}", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "https://{{TenantUrl}}/EPM/API/Sets/{{SetId}}/policyaudits/aggregations/search", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "CyberArk EPM Policy Audit Raw Event Details Polling Config", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "{{clientSecret}}", + "ClientId": "{{clientId}}", + "TokenEndpoint": 
"https://{{IdentityEndpoint}}/oauth2/token/{{WebAppID}}", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "https://{{TenantUrl}}/EPM/API/Sets/{{SetId}}/policyaudits/search", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "CyberArk EPM Admin Audit Polling Config", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "{{clientSecret}}", + "ClientId": "{{clientId}}", + "TokenEndpoint": "https://{{IdentityEndpoint}}/oauth2/token/{{WebAppID}}", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": 
"client_credentials" + }, + "request": { + "apiEndpoint": "https://{{TenantUrl}}/EPM/API/Sets/{{SetId}}/AdminAudit", + "httpMethod": "GET", + "queryParameters": { + "DateFrom": "{_QueryWindowStartTime}", + "DateTo": "{_QueryWindowEndTime}", + "limit": 100, + "offset": 0 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + } + }, + "response": { + "eventsJsonPaths": [ + "$.AdminAudits" + ], + "format": "json" + } + } + } +] \ No newline at end of file diff --git a/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_Tables.json b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_Tables.json new file mode 100644 index 00000000000..e64f26a4437 --- /dev/null +++ b/Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_CCP/CyberArkEPM_Tables.json 
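Review bot: The Admin Audit poller (last object in the hunk) sends `"limit": 100` and `"offset": 0` but, unlike the four pollers above it, has no paging block, so only the first 100 admin-audit records per query window are ever collected; the Python connector this commit deletes walked the offset until TotalCount was reached. An Offset paging block such as `"paging": {"pagingType": "Offset", "offsetParaName": "offset", "pageSizeParaName": "limit", "pageSize": 100}` would restore that (parameter names to be checked against the RestApiPoller schema). Separately, all five pollers write the same dataType and streamName with nothing in the request or response section identifying which endpoint a record came from, while the deleted connector stamped an event_type on every record and the new CyberArk_EPMEvents_CL table (next file in this commit) declares an EventType column; unless the DCR transform can tell the shapes apart (all share one streamName, so it has only the record content to go on), aggregated events, raw events, policy audits and admin audits may become indistinguishable in the table and rules that filter on event type may return nothing.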
@@ -0,0 +1,124 @@
+[
+ {
+ "name": "CyberArk_EPMEvents_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "location": "{{location}}",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "CyberArk_EPMEvents_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ },
+ {
+ "name": "EventType",
+ "type": "string"
+ },
+ {
+ "name": "SetId",
+ "type": "string"
+ },
+ {
+ "name": "SetName",
+ "type": "string"
+ },
+ {
+ "name": "EpmAgentId",
+ "type": "string"
+ },
+ {
+ "name": "ComputerName",
+ "type": "string"
+ },
+ {
+ "name": "UserName",
+ "type": "string"
+ },
+ {
+ "name": "PolicyName",
+ "type": "string"
+ },
+ {
+ "name": "PolicyAction",
+ "type": "string"
+ },
+ {
+ "name": "CyberArkEventType",
+ "type": "string"
+ },
+ {
+ "name": "FileName",
+ "type": "string"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
+ },
+ {
+ "name": "Hash",
+ "type": "string"
+ },
+ {
+ "name": "Publisher",
+ "type": "string"
+ },
+ {
+ "name": "SourceType",
+ "type": "string"
+ },
+ {
+ "name": "SourceName",
+ "type": "string"
+ },
+ {
+ "name": "FirstEventDate",
+ "type": "DateTime"
+ },
+ {
+ "name": "LastEventDate",
+ "type": "DateTime"
+ },
+ {
+ "name": "ArrivalTime",
+ "type": "DateTime"
+ },
+ {
+ "name": "TotalEvents",
+ "type": "int"
+ },
+ {
+ "name": "AffectedComputers",
+ "type": "int"
+ },
+ {
+ "name": "AffectedUsers",
+ "type": "int"
+ },
+ {
+ "name": "AggregatedBy",
+ "type": "string"
+ },
+ {
+ "name": "FileQualifier",
+ "type": "string"
+ },
+ {
+ "name": "Skipped",
+ "type": "bool"
+ },
+ {
+ "name": "SkippedCount",
+ "type": "int"
+ },
+ {
+ "name": "AdditionalFields",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ }
+ ]
\ No newline at end of file
diff --git a/Solutions/CyberArkEPM/DataConnectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json b/Solutions/CyberArkEPM/Data Connectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json similarity index 100% rename from Solutions/CyberArkEPM/DataConnectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json rename to Solutions/CyberArkEPM/Data Connectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json diff --git a/Solutions/CyberArkEPM/DataConnectors/host.json b/Solutions/CyberArkEPM/Data Connectors/host.json similarity index 100% rename from Solutions/CyberArkEPM/DataConnectors/host.json rename to Solutions/CyberArkEPM/Data Connectors/host.json diff --git a/Solutions/CyberArkEPM/DataConnectors/proxies.json b/Solutions/CyberArkEPM/Data Connectors/proxies.json similarity index 100% rename from Solutions/CyberArkEPM/DataConnectors/proxies.json rename to Solutions/CyberArkEPM/Data Connectors/proxies.json diff --git a/Solutions/CyberArkEPM/DataConnectors/requirements.txt b/Solutions/CyberArkEPM/Data Connectors/requirements.txt similarity index 78% rename from Solutions/CyberArkEPM/DataConnectors/requirements.txt rename to Solutions/CyberArkEPM/Data Connectors/requirements.txt index 24f350dd4e9..2c2b5fa22c2 100644 --- a/Solutions/CyberArkEPM/DataConnectors/requirements.txt +++ b/Solutions/CyberArkEPM/Data Connectors/requirements.txt @@ -2,6 +2,8 @@ # The Python Worker is managed by Azure Functions platform # Manually managing azure-functions-worker may cause unexpected issues -azure-storage-file-share==12.5.0 azure-functions +azure-identity +azure-storage-blob +azure-monitor-ingestion requests diff --git a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/__init__.py b/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/__init__.py deleted file mode 100644 index 7e5977b1999..00000000000 --- a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/__init__.py +++ /dev/null 
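Review bot: The three packages added to requirements.txt (`azure-identity`, `azure-storage-blob`, `azure-monitor-ingestion`) are unpinned, whereas the line they replace pinned `azure-storage-file-share==12.5.0`; a function app built from this file will install whatever the package index serves at deploy time, so builds are not reproducible and dependency upgrades never pass through review. Pinning each one, e.g. `azure-identity==<pinned version>`, or shipping a constraints file with hashes, keeps the connector's dependency set auditable and makes an upgrade a visible diff. The other changes in this section are path renames only.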
@@ -1,186 +0,0 @@ -import requests -import datetime -import hashlib -import hmac -import base64 -import logging -from .pyepm import getAggregatedEvents, getDetailedRawEvents, epmAuth, getSetsList, getPolicyAuditRawEventDetails, \ - getAggregatedPolicyAudits, getAdminAuditEvents, samlAuth -import os -from datetime import datetime, timedelta -import json -from .state_manager import StateManager -import re -import azure.functions as func - -dispatcher = os.environ['CyberArkEPMServerURL'] -username = os.environ['CyberArkEPMUsername'] -password = os.environ['CyberArkEPMPassword'] -customer_id = os.environ['WorkspaceID'] -shared_key = os.environ['WorkspaceKey'] -use_saml_auth = os.environ['UseSAMLAuth'] -identity_tenant_url = os.environ['IdentityTenantURL'] -identity_tenant_id = os.environ['IdentityTenantID'] -identity_appkey = os.environ['IdentityAppKey'] -log_type = "CyberArkEPM" -connection_string = os.environ['AzureWebJobsStorage'] -chunksize = 2000 -logAnalyticsUri = os.environ.get('logAnalyticsUri') - -if dispatcher == "": - raise Exception("CyberArkEPMServerURL is missing") - -if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())): - logging.warning("logAnalyticsUri is None, used default value.") - logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com' - -pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$' -match = re.match(pattern, str(logAnalyticsUri)) -if (not match): - raise Exception("CyberArkEPM: Invalid Log Analytics Uri.") - - -def generate_date(): - current_time = datetime.utcnow().replace(second=0, microsecond=0) - timedelta(minutes=10) - state = StateManager(connection_string=connection_string) - past_time = state.get() - if past_time is not None: - logging.info("The last time point is: {}".format(past_time)) - else: - logging.info("There is no last time point, trying to get events for last hour.") - past_time = (current_time - timedelta(minutes=60)).strftime("%Y-%m-%dT%H:%M:%SZ") - 
state.post(current_time.strftime("%Y-%m-%dT%H:%M:%SZ")) - return past_time, current_time.strftime("%Y-%m-%dT%H:%M:%SZ") - - -def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource): - x_headers = 'x-ms-date:' + date - string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource - bytes_to_hash = bytes(string_to_hash, encoding="utf-8") - decoded_key = base64.b64decode(shared_key) - encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() - authorization = "SharedKey {}:{}".format(customer_id, encoded_hash) - return authorization - - -def post_data(chunk): - body = json.dumps(chunk) - method = 'POST' - content_type = 'application/json' - resource = '/api/logs' - rfc1123date = datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') - content_length = len(body) - signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource) - uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01' - - headers = { - 'content-type': content_type, - 'Authorization': signature, - 'Log-Type': log_type, - 'x-ms-date': rfc1123date - } - try: - response = requests.post(uri, data=body, headers=headers) - - if 200 <= response.status_code <= 299: - logging.info("{} events was injected".format(len(chunk))) - return response.status_code - elif response.status_code == 401: - logging.error( - "The authentication credentials are incorrect or missing. Error code: {}".format(response.status_code)) - else: - logging.error("Something wrong. Error code: {}".format(response.status_code)) - return None - except Exception as err: - logging.error("Something wrong. 
Exception error text: {}".format(err)) - - -def gen_chunks_to_object(data, chunk_size=100): - chunk = [] - for index, line in enumerate(data): - if index % chunk_size == 0 and index > 0: - yield chunk - del chunk[:] - chunk.append(line) - yield chunk - - -def gen_chunks(data): - for chunk in gen_chunks_to_object(data, chunk_size=chunksize): - post_data(chunk) - - -def get_events(func_name, auth, filter_date, set_id, next_cursor="start"): - events_json = func_name(epmserver=auth.json()["ManagerURL"], - epmToken=auth.json()['EPMAuthenticationResult'], - authType='EPM', setid=set_id['Id'], - data=filter_date, - next_cursor=next_cursor).json() - if type(events_json) == list: - logging.info("Set - {} is empty.".format(set_id["Name"])) - return {'events': []} - else: - if events_json["nextCursor"]: - response_json = get_events(auth=auth, filter_date=filter_date, set_id=set_id, func_name=func_name, - next_cursor=events_json["nextCursor"]) - events_json["events"] += response_json["events"] - for event in events_json["events"]: - event["set_name"] = set_id["Name"] - return events_json - - -def main(mytimer: func.TimerRequest) -> None: - if mytimer.past_due: - logging.info('The timer is past due!') - logging.getLogger().setLevel(logging.INFO) - logging.info('Starting program') - start_time, end_time = generate_date() - logging.info('Data processing. Period(UTC): {} - {}'.format(start_time, end_time)) - try: - if(str(use_saml_auth).lower() == "true"): - auth = samlAuth(dispatcher=dispatcher, username=username, password=password, identityTenantID=identity_tenant_id, identityTenantURL=identity_tenant_url, identityAppKey=identity_appkey) - else: - auth = epmAuth(dispatcher=dispatcher, username=username, password=password) - if auth.status_code == 401: - logging.error( - "The authentication credentials are incorrect or missing. 
Error code: {}".format(auth.status_code)) - return - sets_list = getSetsList(epmserver=dispatcher, epmToken=auth.json()['EPMAuthenticationResult'], authType='EPM') - except Exception as err: - logging.error("CyberArkEPMServerURL is invalid") - return - filter_date = '{"filter": "arrivalTime GE ' + str(start_time) + ' AND arrivalTime LE ' + end_time + '"}' - aggregated_events = [] - raw_events = [] - aggregated_policy_audits = [] - policy_audit_raw_event_details = [] - admin_audit_data = [] - sets = sets_list.json().get("Sets") or [] - if not sets: - logging.info("No sets with events were found; skipping set-based collection") - for set_id in sets: - logging.info("Collecting aggregated events from {}".format(set_id["Name"])) - aggregated_events += get_events(func_name=getAggregatedEvents, auth=auth, filter_date=filter_date, - set_id=set_id)["events"] - logging.info("Collecting raw events from {}".format(set_id["Name"])) - raw_events += get_events(func_name=getDetailedRawEvents, - auth=auth, filter_date=filter_date, set_id=set_id)["events"] - logging.info("Collecting aggregated policy audits from {}".format(set_id["Name"])) - aggregated_policy_audits += get_events(func_name=getAggregatedPolicyAudits, - auth=auth, filter_date=filter_date, set_id=set_id)["events"] - logging.info("Collecting policy audit raw event details from {}".format(set_id["Name"])) - policy_audit_raw_event_details += get_events(func_name=getPolicyAuditRawEventDetails, - auth=auth, filter_date=filter_date, set_id=set_id)["events"] - logging.info("Collecting Admin Audit Data from {}".format(set_id["Name"])) - admin_audit_data += getAdminAuditEvents(epmserver=dispatcher, epmToken=auth.json()['EPMAuthenticationResult'], authType='EPM', setid=set_id['Id'], start_time=start_time, end_time=end_time, limit=100) - - # Send data via data collector API - for aggregated_event in aggregated_events: - aggregated_event["event_type"] = "aggregated_events" - for raw_event in raw_events: - raw_event["event_type"] = 
"raw_event" - for aggregated_policy_audit in aggregated_policy_audits: - aggregated_policy_audit["event_type"] = "aggregated_policy_audits" - for policy_audit_raw_event_detail in policy_audit_raw_event_details: - policy_audit_raw_event_detail["event_type"] = "policy_audit_raw_event_details" - gen_chunks(aggregated_events + raw_events + aggregated_policy_audits + policy_audit_raw_event_details + admin_audit_data) diff --git a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/pyepm.py b/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/pyepm.py deleted file mode 100644 index 229b775f838..00000000000 --- a/Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/pyepm.py +++ /dev/null 
@@ -1,370 +0,0 @@ -""" -Author: Steven Steiner -Version: 0.0.1 -Date Created: 6/10/2019 16:19 -""" -import json, requests, urllib3, urllib -from html.parser import HTMLParser - - -class _SamlResponseParser(HTMLParser): - def __init__(self): - super().__init__() - self.values = [] - - def handle_starttag(self, tag, attrs): - if tag.lower() != 'input': - return - d = {k.lower(): v for k, v in attrs} - if d.get('name') == 'SAMLResponse' and 'value' in d: - self.values.append(d['value']) - - -def _extract_saml_response(html_text): - parser = _SamlResponseParser() - parser.feed(html_text) - if not parser.values: - raise ValueError('SAMLResponse input not found in IdP HTML response') - return parser.values[-1] - -def epmAuth(dispatcher, username, password): - """ - EPM Authentication - This method authenticates the user to EPM using username and password and returns - a token that can be used in subsequent Rest API calls. - After the configured timeout expires, users have to logon again using their - username and password. - The session timeout for all APIs is part of the session token and is defined by the - Timeoutforinactivesession Server Configuration parameter. 
- Args: - diapatcher (str): The EPM SaaS site to get version information from and perform the initial logon - username (str): Valid User ID with access to the Set(s) - password (str): Password for the User ID logging into the Rest API - - Returns: - list: Json list containing the EPMAuthenticationResult, ManagerURL, IsPasswordExpired (True/False) - """ - # build the body of the request containing the credentials - body = {} - body['Username'] = username - body['Password'] = password - body['ApplicationID'] = 'Irrelevent' - logonBody = json.dumps(body) - - # build the header and url - myURL = dispatcher + "/EPM/API/Auth/EPM/Logon" - hdr = {'Content-Type': 'application/json'} - - # make the Rest API call - urllib3.disable_warnings() - - return requests.post(myURL, headers=hdr, data=logonBody) - -def samlAuth(dispatcher, username, password, identityTenantID, identityTenantURL, identityAppKey): - - #StartAuth - url = identityTenantURL + "/Security/StartAuthentication" - - payload = "{\r\n \"TenantId\": \"" + identityTenantID + "\",\r\n \"User\": \"" + username + "\",\r\n \"Version\": \"1.0\" \r\n}\r\n\r\n" - headers = { - 'X-CENTRIFY-NATIVE-CLIENT': 'true', - 'Content-Type': 'application/json' - } - - urllib3.disable_warnings() - session = requests.Session() - - # response = requests.request("POST", url, headers=headers, data = payload, verify = False) - response = session.post(url, headers=headers, data = payload) - - json_data = json.loads(response.text) - session_id = json_data.get("Result").get("SessionId") - mechanism_id = json_data.get("Result").get("Challenges")[0].get("Mechanisms")[0].get("MechanismId") - - #AdvanceAuthentication - url = identityTenantURL + "/Security/AdvanceAuthentication?X-CENTRIFY-NATIVE-CLIENT=true&" - - payload = "{\r\n \"TenantId\": \"" + identityTenantID + "\",\r\n \"SessionId\": \"" + session_id + "\",\r\n \"MechanismId\": \"" + mechanism_id + "\",\r\n \"Action\": \"Answer\",\r\n \"Answer\": \"" + password + "\"\r\n}" - headers = { - 
'Content-Type': 'application/json', - 'X-CENTRIFY-NATIVE-CLIENT': 'true' - } - - session.post(url, headers=headers, data = payload) - - #AppClick - - url = identityTenantURL + "/uprest/HandleAppClick?appkey=" + identityAppKey + "&markAppVisited=true" - - payload={} - headers = { - 'X-CENTRIFY-NATIVE-CLIENT': 'true', - 'Authorization': 'bearer AuthorizationToken' - } - response = session.get(url, headers=headers, data = payload) - - samlresponse = _extract_saml_response(response.text) - - #SAML Logon - url = dispatcher + "/SAML/Logon" - - payload='SAMLResponse=' + urllib.parse.quote(samlresponse) - - headers = { - 'Content-Type': 'application/x-www-form-urlencoded' - } - return session.post(url, headers=headers, data=payload) - -def winAuth(epmsrv, username, password, version=None): - """ - Windows Authentication - This method authenticates the user to EPM by Windows authentication and returns - a token that can be used in subsequent Rest API calls. - After the configured timeout expires, users have to logon again using their - username and password. 
- ***** Not for EPM SaaS use ***** - """ - # build the body of the request containing the credentials - body = {} - body['ApplicationID'] = 'Irrelevent' - logonBody = json.dumps(body) - - # build the header and url - if version == None: - myURL = epmsrv + "/EPM/API/Auth/Windows/Logon" - else: - myURL = epmsrv + "/EPM/API/" + version + "/Auth/Windows/Logon" - hdr = {'Content-Type': 'application/json'} - - # make the Rest API call - urllib3.disable_warnings() - return requests.post(myURL, headers=hdr, data=logonBody) - - -def getVersion(dispatcher, version=None): - """ - Get EPM version - This method enables the user to retrieve the EPM version - """ - # create the URL to the dispacthcer with the information passed in to the function - if version == None: - myURL = dispatcher + "/EPM/API/Server/Version" - else: - myURL = dispatcher + "/EPM/API/" + version + "/Server/Version" - - # make the Rest API call - urllib3.disable_warnings() - return requests.get(myURL) - - -def getSetsList(epmserver, epmToken, authType, version=None): - """ - Get Sets list - This method enables the user to retrieve the list of Sets. 
- """ - # build the URL - if version == None: - myURL = epmserver + "/EPM/API/Sets" - else: - myURL = epmserver + "/EPM/API/" + version + "/Sets" - - # build the header - hdr = {} - hdr['Content-Type'] = 'application/json' - if authType == 'EPM': - authToken = 'basic ' + epmToken - hdr['Authorization'] = authToken - else: - authToken = epmToken - hdr['VFUser'] = authToken - - # make the Rest API call - urllib3.disable_warnings() - return requests.get(myURL, headers=hdr) - - -def getAggregatedEvents(epmserver, epmToken, authType, setid, data, next_cursor="start", limit=1000, **kwargs): - """ - Get aggregated events - This method enables the user to retrieve aggregated events from EPM according - """ - - # build the URL - - if next_cursor is not None: - myURL = epmserver + "/EPM/API/Sets/" + setid + "/events/aggregations/search?nextCursor=" + next_cursor + "&limit=" + str( - limit) - else: - myURL = epmserver + "/EPM/API/Sets/" + setid + "/events/aggregations/search?limit=" + str(limit) - - # build the header - hdr = {} - hdr['Content-Type'] = 'application/json' - if authType == 'EPM': - authToken = 'basic ' + epmToken - hdr['Authorization'] = authToken - else: - authToken = epmToken - hdr['VFUser'] = authToken - - # make the Rest API call - urllib3.disable_warnings() - # this url can take a query, the parameters for the query should be in kwargs - # check to see if there are any keyword arguments passed in to this function - # if so, use them - if len(kwargs) > 0: - return requests.post(myURL, headers=hdr, data=data, params=kwargs) - else: - return requests.post(myURL, headers=hdr, data=data) - - -def getDetailedRawEvents(epmserver, epmToken, authType, setid, data, next_cursor="start", limit=1000, **kwargs): - """ - Get detailed raw events - This method enables the user to retrieve raw events from EPM according - to a predefined filter - """ - - # build the URL - if next_cursor is not None: - myURL = epmserver + "/EPM/API/Sets/" + setid + 
"/Events/Search?nextCursor=" + next_cursor + "&limit=" + str( - limit) - else: - myURL = epmserver + "/EPM/API/Sets/" + setid + "/Events/Search?limit=" + str(limit) - - # build the header - hdr = {} - hdr['Content-Type'] = 'application/json' - if authType == 'EPM': - authToken = 'basic ' + epmToken - hdr['Authorization'] = authToken - else: - authToken = epmToken - hdr['VFUser'] = authToken - - # make the Rest API call - urllib3.disable_warnings() - # this url can take a query, the parameters for the query should be in kwargs - # check to see if there are any keyword arguments passed in to this function - # if so, use them - - if len(kwargs) > 0: - return requests.post(myURL, headers=hdr, params=kwargs, data=data) - else: - return requests.post(myURL, headers=hdr, data=data) - - -def getAggregatedPolicyAudits(epmserver, epmToken, authType, setid, data, next_cursor="start", limit=1000, **kwargs): - """ - Get aggregated policy audits - This method enables the user to retrieve aggregated policy audits from EPM according - """ - - # build the URL - if next_cursor is not None: - myURL = epmserver + "/EPM/API/Sets/" + setid + "/policyaudits/aggregations/search?nextCursor=" + next_cursor + "&limit=" + str( - limit) - else: - myURL = epmserver + "/EPM/API/Sets/" + setid + "/policyaudits/aggregations/search?limit=" + str(limit) - - # build the header - hdr = {} - hdr['Content-Type'] = 'application/json' - if authType == 'EPM': - authToken = 'basic ' + epmToken - hdr['Authorization'] = authToken - else: - authToken = epmToken - hdr['VFUser'] = authToken - - # make the Rest API call - urllib3.disable_warnings() - # this url can take a query, the parameters for the query should be in kwargs - # check to see if there are any keyword arguments passed in to this function - # if so, use them - - if len(kwargs) > 0: - return requests.post(myURL, headers=hdr, params=kwargs, data=data) - else: - return requests.post(myURL, headers=hdr, data=data) - - -def 
getPolicyAuditRawEventDetails(epmserver, epmToken, authType, setid, data, next_cursor="start", limit=1000, - **kwargs): - """ - Get policy audit raw event details - This method enables the user to retrieve policy audit raw event details from EPM according - """ - - # build the URL - if next_cursor is not None: - myURL = epmserver + "/EPM/API/Sets/" + setid + "/policyaudits/search?nextCursor=" + next_cursor + "&limit=" + str( - limit) - else: - myURL = epmserver + "/EPM/API/Sets/" + setid + "/policyaudits/search?limit=" + str(limit) - - # build the header - hdr = {} - hdr['Content-Type'] = 'application/json' - if authType == 'EPM': - authToken = 'basic ' + epmToken - hdr['Authorization'] = authToken - else: - authToken = epmToken - hdr['VFUser'] = authToken - - # make the Rest API call - urllib3.disable_warnings() - # this url can take a query, the parameters for the query should be in kwargs - # check to see if there are any keyword arguments passed in to this function - # if so, use them - - if len(kwargs) > 0: - return requests.post(myURL, headers=hdr, params=kwargs, data=data) - else: - return requests.post(myURL, headers=hdr, data=data) - -def getAdminAuditEvents(epmserver, epmToken, authType, setid, start_time, end_time, limit=100): - """ - Get Admin Audit Data - This method enables the user to retrieve Admin Audit Data from EPM according - to a range of time (between start_time and end_time) - """ - # build the header - hdr = {} - hdr['Content-Type'] = 'application/json' - if authType == 'EPM': - authToken = 'basic ' + epmToken - hdr['Authorization'] = authToken - else: - authToken = epmToken - hdr['VFUser'] = authToken - - # make the Rest API call - urllib3.disable_warnings() - # this url can take a query, the parameters for the query should be in kwargs - # check to see if there are any keyword arguments passed in to this function - # if so, use them - - rowsCount = 0 - offset = 0 - events_json = [] - - while True: - #build the URL - myURL = epmserver + 
"/EPM/API/Sets/" + setid + "/AdminAudit?DateFrom=" + start_time + "&DateTo=" + end_time + "&limit=" + str(limit) + "&offset=" + str(offset) - r = requests.get(myURL, headers=hdr).json() - events_json += r["AdminAudits"] - #Get TotalCount from JSON - total_count = r["TotalCount"] - rowsCount += len(r["AdminAudits"]) - - if total_count > rowsCount: - offset += limit - else: - break; - if (len(events_json) > 0): - for adminauditevent in events_json: - adminauditevent["event_type"] = "admin_audit" - - return(events_json) \ No newline at end of file diff --git a/Solutions/CyberArkEPM/Package/3.1.0.zip b/Solutions/CyberArkEPM/Package/3.1.0.zip new file mode 100644 index 00000000000..6790cc5e3d6 Binary files /dev/null and b/Solutions/CyberArkEPM/Package/3.1.0.zip differ diff --git a/Solutions/CyberArkEPM/Package/createUiDefinition.json b/Solutions/CyberArkEPM/Package/createUiDefinition.json index 5202d9814f2..edb54cd9c06 100644 --- a/Solutions/CyberArkEPM/Package/createUiDefinition.json +++ b/Solutions/CyberArkEPM/Package/createUiDefinition.json 
@@ -1,466 +1,466 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyberArkEPM/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nEndpoint Privilege Manager, a critical and foundational endpoint control addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": 
"Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for CyberArkEPM. You can get CyberArkEPM custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." 
- } - }, - { - "name": "dataconnectors-link1", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, - { - "name": "workbooks", - "label": "Workbooks", - "subLabel": { - "preValidation": "Configure the workbooks", - "postValidation": "Done" - }, - "bladeTitle": "Workbooks", - "elements": [ - { - "name": "workbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." - } - }, - { - "name": "workbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" - } - } - }, - { - "name": "workbook1", - "type": "Microsoft.Common.Section", - "label": "CyberArk EPM", - "elements": [ - { - "name": "workbook1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Sets the time name for analysis" - } - } - ] - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
- } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Attack attempt not blocked", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This rule triggers on attack attempt which was not blocked by CyberArkEPM." - } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - MSBuild usage as LOLBin", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects usage of msbuild tool as LOLBin." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Multiple attack types", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This rule triggers on multiple attack attemts triggered by same user." - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Uncommon Windows process started from System folder", - "elements": [ - { - "name": "analytic4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects when uncommon windows proccess is started from System folder." - } - } - ] - }, - { - "name": "analytic5", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Possible execution of Powershell Empire", - "elements": [ - { - "name": "analytic5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects possible execution of Powershell Empire." 
- } - } - ] - }, - { - "name": "analytic6", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Process started from different locations", - "elements": [ - { - "name": "analytic6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects when process started from different locations on a host." - } - } - ] - }, - { - "name": "analytic7", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Uncommon process Internet access", - "elements": [ - { - "name": "analytic7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects access to the Internet by uncommon processes." - } - } - ] - }, - { - "name": "analytic8", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Renamed Windows binary", - "elements": [ - { - "name": "analytic8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects renamed windows binaries." - } - } - ] - }, - { - "name": "analytic9", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Unexpected executable extension", - "elements": [ - { - "name": "analytic9-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects Windows executable with unexpected extension." - } - } - ] - }, - { - "name": "analytic10", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Unexpected executable location", - "elements": [ - { - "name": "analytic10-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects program run from unexpected location." - } - } - ] - } - ] - }, - { - "name": "huntingqueries", - "label": "Hunting Queries", - "bladeTitle": "Hunting Queries", - "elements": [ - { - "name": "huntingqueries-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. 
" - } - }, - { - "name": "huntingqueries-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/hunting" - } - } - }, - { - "name": "huntingquery1", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Elevation requests", - "elements": [ - { - "name": "huntingquery1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows elevation requests. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery2", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Powershell downloads", - "elements": [ - { - "name": "huntingquery2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows powershell downloads. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery3", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Powershell scripts execution parameters", - "elements": [ - { - "name": "huntingquery3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows powershell scripts execution parameters. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery4", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Process hash changed", - "elements": [ - { - "name": "huntingquery4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows processes which hash has been changed recently. 
This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery5", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Processes with Internet access attempts", - "elements": [ - { - "name": "huntingquery5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows processes which attempted to access Internet. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery6", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Processes run as admin", - "elements": [ - { - "name": "huntingquery6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows processes run as admin. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery7", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Rare process vendors", - "elements": [ - { - "name": "huntingquery7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows rare process vendors. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery8", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Rare process run by users", - "elements": [ - { - "name": "huntingquery8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows rare process run by users. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery9", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Scripts executed on hosts", - "elements": [ - { - "name": "huntingquery9-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows scripts which where executed on hosts. 
This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery10", - "type": "Microsoft.Common.Section", - "label": "CyberArkEPM - Suspicious activity attempts", - "elements": [ - { - "name": "huntingquery10-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Query shows suspicious activity attempts. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" - } - } - ] - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" - } - } -} +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyberArkEPM/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nEndpoint Privilege Manager, a critical and foundational endpoint control addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + 
"Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CyberArkEPM. You can get CyberArkEPM custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CyberArk EPM. 
You can get CyberArk EPM data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "CyberArk EPM", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Sets the time name for analysis" + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
+ } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Attack attempt not blocked", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This rule triggers on attack attempt which was not blocked by CyberArkEPM." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - MSBuild usage as LOLBin", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects usage of msbuild tool as LOLBin." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Multiple attack types", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This rule triggers on multiple attack attemts triggered by same user." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Uncommon Windows process started from System folder", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when uncommon windows proccess is started from System folder." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Possible execution of Powershell Empire", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects possible execution of Powershell Empire." 
+ } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Process started from different locations", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects when process started from different locations on a host." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Uncommon process Internet access", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects access to the Internet by uncommon processes." + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Renamed Windows binary", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects renamed windows binaries." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Unexpected executable extension", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects Windows executable with unexpected extension." + } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Unexpected executable location", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects program run from unexpected location." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. 
" + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Elevation requests", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows elevation requests. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Powershell downloads", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows powershell downloads. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Powershell scripts execution parameters", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows powershell scripts execution parameters. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Process hash changed", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows processes which hash has been changed recently. 
This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Processes with Internet access attempts", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows processes which attempted to access Internet. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Processes run as admin", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows processes run as admin. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Rare process vendors", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows rare process vendors. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery8", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Rare process run by users", + "elements": [ + { + "name": "huntingquery8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows rare process run by users. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery9", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Scripts executed on hosts", + "elements": [ + { + "name": "huntingquery9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows scripts which where executed on hosts. 
This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery10", + "type": "Microsoft.Common.Section", + "label": "CyberArkEPM - Suspicious activity attempts", + "elements": [ + { + "name": "huntingquery10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Query shows suspicious activity attempts. This hunting query depends on CyberArkEPM data connector (CyberArkEPM Parser or Table)" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/CyberArkEPM/Package/mainTemplate.json b/Solutions/CyberArkEPM/Package/mainTemplate.json index 8d09ddea4c8..d32015778c2 100644 --- a/Solutions/CyberArkEPM/Package/mainTemplate.json +++ b/Solutions/CyberArkEPM/Package/mainTemplate.json 
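Review bot: The new `dataconnectors2-text` block repeats `dataconnectors1-text` word for word apart from respacing `CyberArkEPM` to `CyberArk EPM`, so the installer gives the operator no way to tell the two connectors apart or to know which one to enable, even though the basics description now advertises `**Data Connectors:** 2`. State what distinguishes the second connector — presumably the OAuth2 identity-endpoint based Azure Function connector added elsewhere in this commit, as opposed to the existing custom-log connector — for example `"text": "This Solution also installs a second data connector for CyberArk EPM that collects events from the EPM API. After installing the solution, configure and enable the connector that matches your environment by following guidance in Manage solution view."`. The hunk header `-1,466 +1,466` and the fact that every line is removed and re-added suggest a line-ending or whitespace normalization of the whole file; committing that separately would leave a diff of the three real edits (the connector count, the new text block, and the `dataconnectors-link1` to `dataconnectors-link2` rename) that can actually be reviewed.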
@@ -1,2835 +1,3891 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "CyberArk Business Development - business_development@cyberark.com", - "comments": "Solution template for CyberArkEPM" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "workbook1-name": { - "type": "string", - "defaultValue": "CyberArk EPM", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - } - }, - "variables": { - "email": "business_development@cyberark.com", - "_email": "[variables('email')]", - "_solutionName": "CyberArkEPM", - "_solutionVersion": "3.0.1", - "solutionId": "cyberark.cybr_epm_sentinel", - "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "CyberArkEPM", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "CyberArkEPM", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','CyberArkEPM Data Parser')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CyberArkEPM Data Parser')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('CyberArkEPM-Parser')))]", - "parserVersion1": "1.0.0", - "parserContentId1": "CyberArkEPM-Parser" - }, - "huntingQueryObject1": { - "huntingQueryVersion1": "1.0.0", - "_huntingQuerycontentId1": "20fc7ee2-5387-4c4c-8819-77fb7bfb8d2a", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('20fc7ee2-5387-4c4c-8819-77fb7bfb8d2a')))]" - }, - "huntingQueryObject2": { - "huntingQueryVersion2": "1.0.0", - "_huntingQuerycontentId2": "576cac40-d6f5-4ef9-9c3d-013b94656bea", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('576cac40-d6f5-4ef9-9c3d-013b94656bea')))]" - }, - "huntingQueryObject3": { - "huntingQueryVersion3": "1.0.0", - "_huntingQuerycontentId3": "f1490e77-2a5e-4f07-afd9-c2bb20e26d30", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f1490e77-2a5e-4f07-afd9-c2bb20e26d30')))]" - }, - "huntingQueryObject4": { - "huntingQueryVersion4": "1.0.0", - 
"_huntingQuerycontentId4": "8d72be65-d837-4e86-bca8-4a30e6834a22", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8d72be65-d837-4e86-bca8-4a30e6834a22')))]" - }, - "huntingQueryObject5": { - "huntingQueryVersion5": "1.0.0", - "_huntingQuerycontentId5": "cff4d318-eaec-43c9-8c3e-84f74c789b98", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cff4d318-eaec-43c9-8c3e-84f74c789b98')))]" - }, - "huntingQueryObject6": { - "huntingQueryVersion6": "1.0.0", - "_huntingQuerycontentId6": "e96de960-f4d7-49a3-8de7-4f5b7e8537cf", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e96de960-f4d7-49a3-8de7-4f5b7e8537cf')))]" - }, - "huntingQueryObject7": { - "huntingQueryVersion7": "1.0.0", - "_huntingQuerycontentId7": "37031fed-f7cb-45fc-a1c2-e2eab46cbba2", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('37031fed-f7cb-45fc-a1c2-e2eab46cbba2')))]" - }, - "huntingQueryObject8": { - "huntingQueryVersion8": "1.0.0", - "_huntingQuerycontentId8": "9cf63647-4e05-47cc-90ac-4a17cfd06a05", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9cf63647-4e05-47cc-90ac-4a17cfd06a05')))]" - }, - "huntingQueryObject9": { - "huntingQueryVersion9": "1.0.0", - "_huntingQuerycontentId9": "bd8511dd-ee8f-4c76-a9c8-b8f263ec7355", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bd8511dd-ee8f-4c76-a9c8-b8f263ec7355')))]" - }, - "huntingQueryObject10": { - "huntingQueryVersion10": "1.0.0", - 
"_huntingQuerycontentId10": "e60cf50c-3ae0-44ac-9de1-ea13886973b8", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e60cf50c-3ae0-44ac-9de1-ea13886973b8')))]" - }, - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", - "_analyticRulecontentId1": "8e8978a2-9188-4187-8909-5ea00507bf16", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8e8978a2-9188-4187-8909-5ea00507bf16')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8e8978a2-9188-4187-8909-5ea00507bf16')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8e8978a2-9188-4187-8909-5ea00507bf16','-', '1.0.0')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.0", - "_analyticRulecontentId2": "a11bf869-458e-49fd-be03-58021b14be15", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a11bf869-458e-49fd-be03-58021b14be15')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a11bf869-458e-49fd-be03-58021b14be15')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a11bf869-458e-49fd-be03-58021b14be15','-', '1.0.0')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.0", - "_analyticRulecontentId3": "c02f96b4-057b-4e63-87af-6376ef7a081b", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c02f96b4-057b-4e63-87af-6376ef7a081b')]", - "analyticRuleTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c02f96b4-057b-4e63-87af-6376ef7a081b')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c02f96b4-057b-4e63-87af-6376ef7a081b','-', '1.0.0')))]" - }, - "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.0", - "_analyticRulecontentId4": "16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43','-', '1.0.0')))]" - }, - "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.0", - "_analyticRulecontentId5": "eddfd1fd-71df-4cc3-b050-287643bee398", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eddfd1fd-71df-4cc3-b050-287643bee398')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eddfd1fd-71df-4cc3-b050-287643bee398')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eddfd1fd-71df-4cc3-b050-287643bee398','-', '1.0.0')))]" - }, - "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.0", - "_analyticRulecontentId6": "0d4e62da-0a64-4532-b93e-28cd2940c300", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0d4e62da-0a64-4532-b93e-28cd2940c300')]", - 
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0d4e62da-0a64-4532-b93e-28cd2940c300')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0d4e62da-0a64-4532-b93e-28cd2940c300','-', '1.0.0')))]" - }, - "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.0", - "_analyticRulecontentId7": "9d0d44ab-54dc-472a-9931-53521e888932", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9d0d44ab-54dc-472a-9931-53521e888932')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9d0d44ab-54dc-472a-9931-53521e888932')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9d0d44ab-54dc-472a-9931-53521e888932','-', '1.0.0')))]" - }, - "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.0", - "_analyticRulecontentId8": "9281b7cc-8f05-45a9-bf10-17fb29492a84", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9281b7cc-8f05-45a9-bf10-17fb29492a84')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9281b7cc-8f05-45a9-bf10-17fb29492a84')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9281b7cc-8f05-45a9-bf10-17fb29492a84','-', '1.0.0')))]" - }, - "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.0", - "_analyticRulecontentId9": "911d5b75-a1ce-4f13-a839-9c2474768696", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'911d5b75-a1ce-4f13-a839-9c2474768696')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('911d5b75-a1ce-4f13-a839-9c2474768696')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','911d5b75-a1ce-4f13-a839-9c2474768696','-', '1.0.0')))]" - }, - "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.0", - "_analyticRulecontentId10": "c1fcbbd7-74f8-4f32-8116-0a533ebd3878", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c1fcbbd7-74f8-4f32-8116-0a533ebd3878')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c1fcbbd7-74f8-4f32-8116-0a533ebd3878')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c1fcbbd7-74f8-4f32-8116-0a533ebd3878','-', '1.0.0')))]" - }, - "workbookVersion1": "1.0.0", - "workbookContentId1": "CyberArkEPMWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', 
uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPM data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "CyberArkEPM (using Azure Functions)", - "publisher": "CyberArk", - "descriptionMarkdown": "The [CyberArk Endpoint Privilege Manager](https://www.cyberark.com/products/endpoint-privilege-manager/) data connector provides the capability to retrieve security event logs of the CyberArk EPM services and more events into Microsoft Sentinel through the REST API. 
The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CyberArkEPM_CL", - "baseQuery": "CyberArkEPM_CL" - } - ], - "sampleQueries": [ - { - "description": "CyberArk EPM Events - All Activities.", - "query": "CyberArkEPM\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "CyberArkEPM_CL", - "lastDataReceivedQuery": "CyberArkEPM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CyberArkEPM_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "**CyberArkEPMUsername**, **CyberArkEPMPassword** and **CyberArkEPMServerURL** are required for making API calls." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": "**STEP 1 - Configuration steps for the CyberArk EPM API**\n\n Follow the instructions to obtain the credentials.\n\n1. Use Username and Password for your CyberArk EPM account." - }, - { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the CyberArk EPM data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Use this method for automated deployment of the CyberArk EPM data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CyberArkEPMAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **CyberArkEPMUsername**, **CyberArkEPMPassword**, **CyberArkEPMServerURL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the CyberArk EPM data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CyberArkEPMAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CyberArkXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.10.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCyberArkEPMUsername\n\t\tCyberArkEPMPassword\n\t\tCyberArkEPMServerURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "CyberArkEPM (using Azure 
Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "CyberArkEPM (using Azure Functions)", - "publisher": "CyberArk", - "descriptionMarkdown": "The [CyberArk Endpoint Privilege Manager](https://www.cyberark.com/products/endpoint-privilege-manager/) data connector provides the capability to retrieve security event logs of the CyberArk EPM 
services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CyberArkEPM_CL", - "baseQuery": "CyberArkEPM_CL" - } - ], - "dataTypes": [ - { - "name": "CyberArkEPM_CL", - "lastDataReceivedQuery": "CyberArkEPM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CyberArkEPM_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "CyberArk EPM Events - All Activities.", - "query": "CyberArkEPM\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "**CyberArkEPMUsername**, **CyberArkEPMPassword** and **CyberArkEPMServerURL** are required for making API calls." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "**STEP 1 - Configuration steps for the CyberArk EPM API**\n\n Follow the instructions to obtain the credentials.\n\n1. Use Username and Password for your CyberArk EPM account." 
- }, - { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the CyberArk EPM data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Use this method for automated deployment of the CyberArk EPM data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CyberArkEPMAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **CyberArkEPMUsername**, **CyberArkEPMPassword**, **CyberArkEPMServerURL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the CyberArk EPM data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CyberArkEPMAPI-functionapp) file. 
Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CyberArkXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.10.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCyberArkEPMUsername\n\t\tCyberArkEPMPassword\n\t\tCyberArkEPMServerURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPM Data Parser with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM Data Parser", - "category": "Microsoft Sentinel Parser", - 
"functionAlias": "CyberArkEPM", - "query": "CyberArkEPM_CL\n| extend EventVendor = 'CyberArk',\n EventProduct = 'Endpoint Privilege Manager',\n EventSchemaVersion = '0.1',\n EventCount=case(event_type_s == 'raw_event', agentEventCount_d, totalEvents_d),\n EventMessage=case(event_type_s == 'raw_event', displayName_s, lastEventDisplayName_s),\n ActingProcessFileInternalName=case(event_type_s == 'raw_event', fileName_s, lastEventFileName_s),\n Justification=case(event_type_s == 'raw_event', justification_s, lastEventJustification_s),\n EventSourceName=case(event_type_s == 'raw_event', sourceName_s, lastEventSourceName_s),\n EventSourceType=case(event_type_s == 'raw_event', sourceType_s, lastEventSourceType_s),\n ActorUsername=case(event_type_s == 'raw_event', userName_s, pack_array(firstEventUserName_s, lastEventUserName_s))\n| project-rename AccessAction=accessAction_s,\n AccessTargetName=accessTargetName_s,\n AccessTargetType=accessTargetType_s,\n AffectedComputers=affectedComputers_d,\n AffectedUsers=affectedUsers_d,\n AdminTaskId=adminTaskId_s,\n BundleId=bundleId_s,\n BundleName=bundleName_s,\n BundleVersion=bundleVersion_s,\n DvcId=agentId_g,\n AggregatedBy=aggregatedBy_s,\n AppType=applicationType_s,\n ApplicationSubType=applicationSubType_s,\n AppPackageDisplayName=appPackageDisplayName_s,\n CLSID=CLSID_s,\n ActingProcessFileCompany=company_s,\n DeceptionType=deceptionType_d,\n DefenceActionId=defenceActionId_d,\n EventType=event_type_s,\n EventSubType=eventType_s,\n Evidences=evidences_s,\n FileAccessPermission=fileAccessPermission_s,\n ActingProcessFileDescription=fileDescription_s,\n FileLocation=fileLocation_s,\n ActingProcessName=filePath_s,\n FileQualifier=fileQualifier_s,\n ActingProcessFileSize=fileSize_d,\n ActingProcessFileVersion=fileVersion_s,\n EventStartTime=firstEventDate_t,\n Hash=hash_s,\n JustificationEmail=justificationEmail_s,\n LastAgentId=lastAgentId_g,\n EventEndTime=lastEventDate_t,\n LogonAttemptTypeId=logonAttemptTypeId_d,\n 
LogonStatusId=logonStatusId_d,\n SrcFileMimeType=mimeType_s,\n ModificationTime=modificationTime_t,\n ActingProcessFileOriginalName=originalFileName_s,\n Owner=owner_s,\n PackageName=packageName_s,\n PolicyId=policyId_d,\n PolicyName=policyName_s,\n ActingProcessGuid=processCommandLine_g,\n ActingProcessCommandLine=processCommandLine_s,\n ActingProcessFileProduct=productName_s,\n ProductVersion=productVersion_s,\n Publisher=publisher_s,\n SetName=set_name_s,\n Skipped=skipped_b,\n SkippedCount=skippedCount_d,\n SrcProcessCommandLine=sourceProcessCommandLine_s,\n SrcProcessHash=sourceProcessHash_s,\n SrcProcessPublisher=sourceProcessPublisher_s,\n SrcProcessSigner=sourceProcessSigner_s,\n SrcProcessUsername=sourceProcessUsername_s,\t\n ThreatDetectionAction=threatDetectionAction_s,\n ThreatProtectionAction=threatProtectionAction_s,\n UrlOriginal=url_s,\n UserIsAdmin=userIsAdmin_b,\n WinEventRecordId=winEventRecordId_d,\n WinEventType=winEventType_d\n| project-away agentEventCount_d,\n totalEvents_d,\n displayName_s,\n lastEventDisplayName_s,\n fileName_s,\n lastEventFileName_s,\n justification_s,\n lastEventJustification_s,\n sourceName_s,\n lastEventSourceName_s,\n sourceType_s,\n lastEventSourceType_s,\n userName_s,\n firstEventUserName_s,\n lastEventUserName_s\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CyberArkEPM Data Parser')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": 
"[variables('parserObject1').parserVersion1]",
- "source": {
- "name": "CyberArkEPM",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "CyberArk Business Development",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "CyberArk Support",
- "email": "support@cyberark.com",
- "tier": "Partner",
- "link": "https://www.cyberark.com/services-support/technical-support-contact/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject1').parserContentId1]",
- "contentKind": "Parser",
- "displayName": "CyberArkEPM Data Parser",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "version": "[variables('parserObject1').parserVersion1]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject1')._parserName1]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "CyberArkEPM Data Parser",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "CyberArkEPM",
- "query": "CyberArkEPM_CL\n| extend EventVendor = 'CyberArk',\n EventProduct = 'Endpoint Privilege Manager',\n EventSchemaVersion = '0.1',\n EventCount=case(event_type_s == 'raw_event', agentEventCount_d, totalEvents_d),\n EventMessage=case(event_type_s == 'raw_event', displayName_s, lastEventDisplayName_s),\n ActingProcessFileInternalName=case(event_type_s == 
'raw_event', fileName_s, lastEventFileName_s),\n Justification=case(event_type_s == 'raw_event', justification_s, lastEventJustification_s),\n EventSourceName=case(event_type_s == 'raw_event', sourceName_s, lastEventSourceName_s),\n EventSourceType=case(event_type_s == 'raw_event', sourceType_s, lastEventSourceType_s),\n ActorUsername=case(event_type_s == 'raw_event', userName_s, pack_array(firstEventUserName_s, lastEventUserName_s))\n| project-rename AccessAction=accessAction_s,\n AccessTargetName=accessTargetName_s,\n AccessTargetType=accessTargetType_s,\n AffectedComputers=affectedComputers_d,\n AffectedUsers=affectedUsers_d,\n AdminTaskId=adminTaskId_s,\n BundleId=bundleId_s,\n BundleName=bundleName_s,\n BundleVersion=bundleVersion_s,\n DvcId=agentId_g,\n AggregatedBy=aggregatedBy_s,\n AppType=applicationType_s,\n ApplicationSubType=applicationSubType_s,\n AppPackageDisplayName=appPackageDisplayName_s,\n CLSID=CLSID_s,\n ActingProcessFileCompany=company_s,\n DeceptionType=deceptionType_d,\n DefenceActionId=defenceActionId_d,\n EventType=event_type_s,\n EventSubType=eventType_s,\n Evidences=evidences_s,\n FileAccessPermission=fileAccessPermission_s,\n ActingProcessFileDescription=fileDescription_s,\n FileLocation=fileLocation_s,\n ActingProcessName=filePath_s,\n FileQualifier=fileQualifier_s,\n ActingProcessFileSize=fileSize_d,\n ActingProcessFileVersion=fileVersion_s,\n EventStartTime=firstEventDate_t,\n Hash=hash_s,\n JustificationEmail=justificationEmail_s,\n LastAgentId=lastAgentId_g,\n EventEndTime=lastEventDate_t,\n LogonAttemptTypeId=logonAttemptTypeId_d,\n LogonStatusId=logonStatusId_d,\n SrcFileMimeType=mimeType_s,\n ModificationTime=modificationTime_t,\n ActingProcessFileOriginalName=originalFileName_s,\n Owner=owner_s,\n PackageName=packageName_s,\n PolicyId=policyId_d,\n PolicyName=policyName_s,\n ActingProcessGuid=processCommandLine_g,\n ActingProcessCommandLine=processCommandLine_s,\n ActingProcessFileProduct=productName_s,\n 
ProductVersion=productVersion_s,\n Publisher=publisher_s,\n SetName=set_name_s,\n Skipped=skipped_b,\n SkippedCount=skippedCount_d,\n SrcProcessCommandLine=sourceProcessCommandLine_s,\n SrcProcessHash=sourceProcessHash_s,\n SrcProcessPublisher=sourceProcessPublisher_s,\n SrcProcessSigner=sourceProcessSigner_s,\n SrcProcessUsername=sourceProcessUsername_s,\t\n ThreatDetectionAction=threatDetectionAction_s,\n ThreatProtectionAction=threatProtectionAction_s,\n UrlOriginal=url_s,\n UserIsAdmin=userIsAdmin_b,\n WinEventRecordId=winEventRecordId_d,\n WinEventType=winEventType_d\n| project-away agentEventCount_d,\n totalEvents_d,\n displayName_s,\n lastEventDisplayName_s,\n fileName_s,\n lastEventFileName_s,\n justification_s,\n lastEventJustification_s,\n sourceName_s,\n lastEventSourceName_s,\n sourceType_s,\n lastEventSourceType_s,\n userName_s,\n firstEventUserName_s,\n lastEventUserName_s\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CyberArkEPM Data Parser')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - 
"tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMElevationRequests_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Elevation requests", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where EventSubType =~ 'ElevationRequest'\n| extend AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows elevation requests." 
- },
- {
- "name": "tactics",
- "value": "Execution,PrivilegeEscalation"
- },
- {
- "name": "techniques",
- "value": "T1204,T1078"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
- "properties": {
- "description": "CyberArkEPM Hunting Query 1",
- "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
- "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
- "source": {
- "kind": "Solution",
- "name": "CyberArkEPM",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "CyberArk Business Development",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "CyberArk Support",
- "email": "support@cyberark.com",
- "tier": "Partner",
- "link": "https://www.cyberark.com/services-support/technical-support-contact/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
- "contentKind": "HuntingQuery",
- "displayName": "CyberArkEPM - Elevation requests",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMPowershellDownloads_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_2", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Powershell downloads", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where ActingProcessFileInternalName =~ 'powershell.exe'\n| where ActingProcessCommandLine has_any ('WebClient', 'DownloadString', 'DownloadFile')\n| extend AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows powershell downloads." 
- },
- {
- "name": "tactics",
- "value": "Execution"
- },
- {
- "name": "techniques",
- "value": "T1204,T1059"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
- "properties": {
- "description": "CyberArkEPM Hunting Query 2",
- "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
- "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
- "source": {
- "kind": "Solution",
- "name": "CyberArkEPM",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "CyberArk Business Development",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "CyberArk Support",
- "email": "support@cyberark.com",
- "tier": "Partner",
- "link": "https://www.cyberark.com/services-support/technical-support-contact/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
- "contentKind": "HuntingQuery",
- "displayName": "CyberArkEPM - Powershell downloads",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMPowershellExecutionParameters_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_3", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Powershell scripts execution parameters", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where ActingProcessFileInternalName =~ 'powershell.exe'\n| summarize count() by ActorUsername, ActingProcessCommandLine\n| extend AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows powershell scripts execution parameters." 
- },
- {
- "name": "tactics",
- "value": "Execution"
- },
- {
- "name": "techniques",
- "value": "T1204,T1059"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
- "properties": {
- "description": "CyberArkEPM Hunting Query 3",
- "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
- "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
- "source": {
- "kind": "Solution",
- "name": "CyberArkEPM",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "CyberArk Business Development",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "CyberArk Support",
- "email": "support@cyberark.com",
- "tier": "Partner",
- "link": "https://www.cyberark.com/services-support/technical-support-contact/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
- "contentKind": "HuntingQuery",
- "displayName": "CyberArkEPM - Powershell scripts execution parameters",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMProcessNewHash_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_4", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Process hash changed", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where isnotempty(Hash)\n| summarize hashes = makeset(Hash) by ActingProcessFileInternalName\n| where array_length(hashes) > 1\n| extend FileCustomEntity = ActingProcessFileInternalName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows processes which hash has been changed recently." 
- },
- {
- "name": "tactics",
- "value": "DefenseEvasion"
- },
- {
- "name": "techniques",
- "value": "T1036"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
- "properties": {
- "description": "CyberArkEPM Hunting Query 4",
- "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
- "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
- "source": {
- "kind": "Solution",
- "name": "CyberArkEPM",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "CyberArk Business Development",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "CyberArk Support",
- "email": "support@cyberark.com",
- "tier": "Partner",
- "link": "https://www.cyberark.com/services-support/technical-support-contact/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
- "contentKind": "HuntingQuery",
- "displayName": "CyberArkEPM - Process hash changed",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMProcessesAccessedInternet_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_5", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Processes with Internet access attempts", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where EventSubType in~ ('DetectAccessInternet', 'Internet')\n| summarize count() by ActingProcessFileInternalName, ActorUsername\n| extend AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows processes which attempted to access Internet." 
- },
- {
- "name": "tactics",
- "value": "CommandAndControl"
- },
- {
- "name": "techniques",
- "value": "T1095"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
- "properties": {
- "description": "CyberArkEPM Hunting Query 5",
- "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
- "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
- "source": {
- "kind": "Solution",
- "name": "CyberArkEPM",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "CyberArk Business Development",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "CyberArk Support",
- "email": "support@cyberark.com",
- "tier": "Partner",
- "link": "https://www.cyberark.com/services-support/technical-support-contact/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
- "contentKind": "HuntingQuery",
- "displayName": "CyberArkEPM - Processes with Internet access attempts",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMProcessesRunAsAdmin_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_6", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Processes run as admin", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where UserIsAdmin == true\n| summarize count() by ActingProcessName, ActingProcessCommandLine, ActorUsername\n| extend AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows processes run as admin." 
- }, - { - "name": "tactics", - "value": "Execution,PrivilegeEscalation" - }, - { - "name": "techniques", - "value": "T1204,T1078" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", - "properties": { - "description": "CyberArkEPM Hunting Query 6", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "contentKind": "HuntingQuery", - "displayName": "CyberArkEPM - Processes run as admin", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMRareProcVendors_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_7", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Rare process vendors", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where isnotempty(ActingProcessFileCompany)\n| summarize count() by ActingProcessFileCompany, ActingProcessFileInternalName\n| top 25 by count_ asc\n| extend ProcCustomEntity = ActingProcessFileCompany\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows rare process vendors." 
- }, - { - "name": "tactics", - "value": "Execution" - }, - { - "name": "techniques", - "value": "T1204" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", - "properties": { - "description": "CyberArkEPM Hunting Query 7", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "contentKind": "HuntingQuery", - "displayName": "CyberArkEPM - Rare process vendors", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMRareProcessesRunByUsers_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_8", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Rare process run by users", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where isnotempty(ActingProcessFileInternalName)\n| summarize count() by ActingProcessFileInternalName, ActorUsername\n| top 25 by count_ asc\n| extend AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows rare process run by users." 
- }, - { - "name": "tactics", - "value": "Execution" - }, - { - "name": "techniques", - "value": "T1204" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", - "properties": { - "description": "CyberArkEPM Hunting Query 8", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", - "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", - "contentKind": "HuntingQuery", - "displayName": "CyberArkEPM - Rare process run by users", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMScriptsExecuted_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_9", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Scripts executed on hosts", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where AppType =~ 'Script'\n| project EventStartTime, EventEndTime, EventMessage, ActingProcessFileInternalName, Hash, ActorUsername, EventSourceName\n| extend FileCustomEntity = ActingProcessFileInternalName, AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows scripts which where executed on hosts." 
- }, - { - "name": "tactics", - "value": "Execution" - }, - { - "name": "techniques", - "value": "T1204" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]", - "properties": { - "description": "CyberArkEPM Hunting Query 9", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]", - "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject9').huntingQueryVersion9]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", - "contentKind": "HuntingQuery", - "displayName": "CyberArkEPM - Scripts executed on hosts", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMSuspiciousActivityAttempts_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "CyberArkEPM_Hunting_Query_10", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "CyberArkEPM - Suspicious activity attempts", - "category": "Hunting Queries", - "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where EventSubType =~ 'SuspiciousActivityAttempt'\n| extend AccountCustomEntity = ActorUsername\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query shows suspicious activity attempts." 
- }, - { - "name": "tactics", - "value": "Execution" - }, - { - "name": "techniques", - "value": "T1204" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]", - "properties": { - "description": "CyberArkEPM Hunting Query 10", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]", - "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject10').huntingQueryVersion10]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", - "contentKind": "HuntingQuery", - "displayName": "CyberArkEPM - Suspicious activity attempts", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", - "version": "1.0.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMAttackAttemptNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This rule triggers on attack attempt which was not blocked by CyberArkEPM.", - "displayName": "CyberArkEPM - Attack attempt not blocked", - "enabled": false, - "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| where ThreatProtectionAction =~ 'Detect'\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName, Evidences\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT10M", - "queryPeriod": "PT10M", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - 
"CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1204" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Attack attempt not blocked", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMMSBuildLOLBin_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects usage of msbuild tool as LOLBin.", - "displayName": "CyberArkEPM - MSBuild usage as LOLBin", - "enabled": false, - "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName endswith @'msbuild.exe'\n| where ActingProcessCommandLine has_any ('xml', 'csproj', 'vcxproj', 'vbproj', 'fsproj')\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT30M", - "queryPeriod": "PT30M", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1127" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": 
"Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - MSBuild usage as LOLBin", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMMultipleAttackAttempts_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This rule triggers on multiple attack attemts triggered by same user.", - "displayName": "CyberArkEPM - Multiple attack types", - "enabled": false, - "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername\n| where array_length(att) > 1\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT10M", - "queryPeriod": "PT10M", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1204" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Multiple attack types", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": 
"CyberArkEPMNewProcessStartetFromSystem_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects when uncommon windows proccess is started from System folder.", - "displayName": "CyberArkEPM - Uncommon Windows process started from System folder", - "enabled": false, - "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet sys_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName has_any ('System32', 'SysWOW64')\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName has_any ('System32', 'SysWOW64')\n| where ActingProcessFileInternalName !in (sys_proc)\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution", - "DefenseEvasion" - ], - "techniques": [ - "T1204", - "T1036" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - 
"entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Uncommon Windows process started from System folder", - "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMPossibleExecutionOfPowershellEmpire_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects possible execution of Powershell Empire.", - "displayName": "CyberArkEPM - Possible execution of Powershell Empire", - "enabled": false, - "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessCommandLine has_any ('-NoP -sta -NonI -W Hidden -Enc', '-noP -sta -w 1 -enc', '-NoP -NonI -W Hidden -enc')\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT10M", - "queryPeriod": "PT10M", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1204" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Possible execution of Powershell Empire", - "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - 
"description": "CyberArkEPMProcessChangedStartLocation_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects when process started from different locations on a host.", - "displayName": "CyberArkEPM - Process started from different locations", - "enabled": false, - "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| extend bin_path = tolower(extract(@'\\A(.*)(\\\\|/)', 1, ActingProcessName))\n| summarize p = makeset(bin_path) by ActingProcessFileInternalName, DvcId\n| where array_length(p) > 1\n| extend FileCustomEntity = ActingProcessFileInternalName\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution", - "DefenseEvasion" - ], - "techniques": [ - "T1204", - "T1036" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "FileCustomEntity", - "identifier": "Name" - } - ], - "entityType": "File" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 6", - "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Process started from different locations", - "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMRareProcInternetAccess_AnalyticalRules Analytics Rule with 
template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects access to the Internet by uncommon processes.", - "displayName": "CyberArkEPM - Uncommon process Internet access", - "enabled": false, - "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet inet_access_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType =~ 'DetectAccessInternet'\n| where isnotempty(ActingProcessFileInternalName)\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType =~ 'DetectAccessInternet'\n| where ActingProcessFileInternalName !in (inet_access_proc)\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT30M", - "queryPeriod": "PT30M", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution", - "DefenseEvasion", - "CommandAndControl" - ], - "techniques": [ - "T1204", - "T1036", - "T1095" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 7", - "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Uncommon process Internet access", - "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - 
"description": "CyberArkEPMRenamedWindowsBinary_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects renamed windows binaries.", - "displayName": "CyberArkEPM - Renamed Windows binary", - "enabled": false, - "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName !has ActingProcessFileInternalName\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution", - "DefenseEvasion" - ], - "techniques": [ - "T1204", - "T1036" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics 
Rule 8", - "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Renamed Windows binary", - "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMUnexpectedExecutableExtension_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
- "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects Windows executable with unexpected extension.", - "displayName": "CyberArkEPM - Unexpected executable extension", - "enabled": false, - "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName !endswith '.exe'\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT30M", - "queryPeriod": "PT30M", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution", - "DefenseEvasion" - ], - "techniques": [ - "T1204", - "T1036" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 9", - "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "kind": "AnalyticsRule", - "version": 
"[variables('analyticRuleObject9').analyticRuleVersion9]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Unexpected executable extension", - "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPMUnexpectedExecutableLocation_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects program run from unexpected location.", - "displayName": "CyberArkEPM - Unexpected executable location", - "enabled": false, - "query": "let susp_exe_folders = dynamic([@'\\tmp\\', @'\\TEMP\\', @'/tmp/', @'\\Users\\Public\\', @'\\$Recycle.bin', @'\\Windows\\Fonts\\', @'$']);\nCyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has_any (susp_exe_folders)\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName\n| extend AccountCustomEntity = ActorUsername\n", - "queryFrequency": "PT30M", - "queryPeriod": "PT30M", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "CyberArkEPM" - ], - "connectorId": "CyberArkEPM" - } - ], - "tactics": [ - "Execution", - "DefenseEvasion" - ], - "techniques": [ - "T1204", - "T1036" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", - "properties": { - "description": "CyberArkEPM Analytics Rule 10", - "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "kind": "AnalyticsRule", - "version": 
"[variables('analyticRuleObject10').analyticRuleVersion10]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "contentKind": "AnalyticsRule", - "displayName": "CyberArkEPM - Unexpected executable location", - "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CyberArkEPM Workbook with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": 
"[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Sets the time name for analysis" - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **CyberArkEPM** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-cyberarkepm-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"color\":\"magenta\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dusr = CyberArkEPM\\n| where EventType == 'raw_event'\\n| where isnotempty(ActorUsername)\\n| summarize cnt = 
dcount(ActorUsername)\\n| extend title = 'Users';\\nlet agnt = CyberArkEPM\\n| where isnotempty(DvcId)\\n| summarize cnt = dcount(DvcId)\\n| extend title = 'Agents';\\nlet apps = CyberArkEPM\\n| where isnotempty(ActingProcessFileInternalName)\\n| summarize cnt = dcount(ActingProcessFileInternalName)\\n| extend title = 'Applications';\\nlet att = CyberArkEPM\\n| where EventSubType =~ 'AttackAttempt'\\n| summarize cnt = count()\\n| extend title = 'Attack Attempts';\\nunion isfuzzy=true dusr, agnt, apps, att\",\"size\":3,\"title\":\"Solution Summary\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"cnt\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"15\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType =~ 'AttackAttempt'\\r\\n| summarize AttackCount=count() by EventMessage\\r\\n| top 10 by AttackCount\\r\\n\\r\\n\",\"size\":3,\"title\":\"Top 
attacks\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"e_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where isnotempty(ActingProcessFileInternalName)\\r\\n| summarize Events=count() by ActingProcessFileInternalName\\r\\n| top 10 by Events\",\"size\":3,\"title\":\"Top applications\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType =~ 'AttackAttempt'\\r\\n| where isnotempty(ActorUsername)\\r\\n| where ActorUsername !has '['\\r\\n| summarize Attacks = count() by ActorUsername\\r\\n| top 10 by Attacks\",\"size\":3,\"title\":\"Users with Attack events\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType =~ 
'SuspiciousActivityAttempt'\\r\\n| where ActorUsername !has '['\\r\\n| top 10 by TimeGenerated\\r\\n| project TimeGenerated, PolicyName, ActorUsername\\r\\n\\r\\n\",\"size\":0,\"title\":\"Latest suspicious activities\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Hits\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redGreen\"}}],\"rowLimit\":50}},\"customWidth\":\"40\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType in~ ('AttackAttempt', 'SuspiciousActivityAttempt')\\r\\n| summarize by Process=ActingProcessFileInternalName, Hash\\r\\n\",\"size\":0,\"title\":\"Suspicious process hashes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Process\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Hash\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50ch\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\n| where EventSubType =~ 'AttackAttempt'\\n| sort by TimeGenerated\\n| project ActorUsername, PolicyName, Process=ActingProcessFileInternalName, FileLocation\\n| limit 10\\n\",\"size\":0,\"title\":\"Latest attacked users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"70\",\"name\":\"query - 
10\"}],\"fromTemplateId\":\"sentinel-CyberArkEPMWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=CyberArkEPMWorkbook; logoFileName=CyberArk_Logo.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=CyberArk EPM; templateRelativePath=CyberArkEPM.json; subtitle=; provider=CyberArk}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "CyberArkEPM_CL", - "kind": "DataType" - }, - { - "contentId": "CyberArkEPM", - "kind": "DataConnector" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - 
"displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.0.1", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "CyberArkEPM", - "publisherDisplayName": "CyberArk Support", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Endpoint Privilege Manager, a critical and foundational endpoint control addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "CyberArkEPM", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "CyberArk Business Development", - "email": "[variables('_email')]" - }, - "support": { - "name": "CyberArk Support", - "email": "support@cyberark.com", - "tier": "Partner", - "link": "https://www.cyberark.com/services-support/technical-support-contact/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject1').parserContentId1]", - "version": "[variables('parserObject1').parserVersion1]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", - "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", - "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", - "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", - "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", - "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" - }, - { - "kind": "HuntingQuery", - "contentId": 
"[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", - "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", - "version": "[variables('huntingQueryObject9').huntingQueryVersion9]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", - "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - }, - { - "kind": 
"AnalyticsRule", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" - } - ] - }, - "firstPublishDate": "2022-04-10", - "providers": [ - "CyberArk" - ], - "categories": { - "domains": [ - "Security - Threat Protection", - "Identity" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "CyberArk Business Development - business_development@cyberark.com", + "comments": "Solution template for CyberArkEPM" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. 
We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CyberArk EPM", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "business_development@cyberark.com", + "_email": "[variables('email')]", + "_solutionName": "CyberArkEPM", + "_solutionVersion": "3.1.0", + "solutionId": "cyberark.cybr_epm_sentinel", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "CyberArkEPM", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "CyberArkEPM", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + 
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "3.1.0", + "_dataConnectorContentIdConnectorDefinition2": "CyberArkEPMCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]", + "_dataConnectorContentIdConnections2": "CyberArkEPMCCPDefinitionConnections", + "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]", + "dataCollectionEndpointId2": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','CyberArkEPM')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CyberArkEPM')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('CyberArkEPM-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "CyberArkEPM-Parser" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "20fc7ee2-5387-4c4c-8819-77fb7bfb8d2a", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('20fc7ee2-5387-4c4c-8819-77fb7bfb8d2a')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + 
"_huntingQuerycontentId2": "576cac40-d6f5-4ef9-9c3d-013b94656bea", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('576cac40-d6f5-4ef9-9c3d-013b94656bea')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "f1490e77-2a5e-4f07-afd9-c2bb20e26d30", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f1490e77-2a5e-4f07-afd9-c2bb20e26d30')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "8d72be65-d837-4e86-bca8-4a30e6834a22", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8d72be65-d837-4e86-bca8-4a30e6834a22')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "cff4d318-eaec-43c9-8c3e-84f74c789b98", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cff4d318-eaec-43c9-8c3e-84f74c789b98')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "e96de960-f4d7-49a3-8de7-4f5b7e8537cf", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e96de960-f4d7-49a3-8de7-4f5b7e8537cf')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.0", + "_huntingQuerycontentId7": "37031fed-f7cb-45fc-a1c2-e2eab46cbba2", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('37031fed-f7cb-45fc-a1c2-e2eab46cbba2')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "1.0.0", + 
"_huntingQuerycontentId8": "9cf63647-4e05-47cc-90ac-4a17cfd06a05", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9cf63647-4e05-47cc-90ac-4a17cfd06a05')))]" + }, + "huntingQueryObject9": { + "huntingQueryVersion9": "1.0.0", + "_huntingQuerycontentId9": "bd8511dd-ee8f-4c76-a9c8-b8f263ec7355", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bd8511dd-ee8f-4c76-a9c8-b8f263ec7355')))]" + }, + "huntingQueryObject10": { + "huntingQueryVersion10": "1.0.0", + "_huntingQuerycontentId10": "e60cf50c-3ae0-44ac-9de1-ea13886973b8", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e60cf50c-3ae0-44ac-9de1-ea13886973b8')))]" + }, + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "8e8978a2-9188-4187-8909-5ea00507bf16", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8e8978a2-9188-4187-8909-5ea00507bf16')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8e8978a2-9188-4187-8909-5ea00507bf16')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8e8978a2-9188-4187-8909-5ea00507bf16','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": "a11bf869-458e-49fd-be03-58021b14be15", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a11bf869-458e-49fd-be03-58021b14be15')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a11bf869-458e-49fd-be03-58021b14be15')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a11bf869-458e-49fd-be03-58021b14be15','-', '1.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "c02f96b4-057b-4e63-87af-6376ef7a081b", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c02f96b4-057b-4e63-87af-6376ef7a081b')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c02f96b4-057b-4e63-87af-6376ef7a081b')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c02f96b4-057b-4e63-87af-6376ef7a081b','-', '1.0.0')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.0", + "_analyticRulecontentId4": "16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','16b940d2-aaf8-4eaa-a5e1-05df5f5c3d43','-', '1.0.0')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.0", + "_analyticRulecontentId5": "eddfd1fd-71df-4cc3-b050-287643bee398", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'eddfd1fd-71df-4cc3-b050-287643bee398')]", + 
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('eddfd1fd-71df-4cc3-b050-287643bee398')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','eddfd1fd-71df-4cc3-b050-287643bee398','-', '1.0.0')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.0", + "_analyticRulecontentId6": "0d4e62da-0a64-4532-b93e-28cd2940c300", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0d4e62da-0a64-4532-b93e-28cd2940c300')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0d4e62da-0a64-4532-b93e-28cd2940c300')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0d4e62da-0a64-4532-b93e-28cd2940c300','-', '1.0.0')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.0", + "_analyticRulecontentId7": "9d0d44ab-54dc-472a-9931-53521e888932", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9d0d44ab-54dc-472a-9931-53521e888932')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9d0d44ab-54dc-472a-9931-53521e888932')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9d0d44ab-54dc-472a-9931-53521e888932','-', '1.0.0')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.0", + "_analyticRulecontentId8": "9281b7cc-8f05-45a9-bf10-17fb29492a84", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'9281b7cc-8f05-45a9-bf10-17fb29492a84')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9281b7cc-8f05-45a9-bf10-17fb29492a84')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9281b7cc-8f05-45a9-bf10-17fb29492a84','-', '1.0.0')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.0", + "_analyticRulecontentId9": "911d5b75-a1ce-4f13-a839-9c2474768696", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '911d5b75-a1ce-4f13-a839-9c2474768696')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('911d5b75-a1ce-4f13-a839-9c2474768696')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','911d5b75-a1ce-4f13-a839-9c2474768696','-', '1.0.0')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.0", + "_analyticRulecontentId10": "c1fcbbd7-74f8-4f32-8116-0a533ebd3878", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c1fcbbd7-74f8-4f32-8116-0a533ebd3878')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c1fcbbd7-74f8-4f32-8116-0a533ebd3878')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c1fcbbd7-74f8-4f32-8116-0a533ebd3878','-', '1.0.0')))]" + }, + "workbookVersion1": "1.0.0", + "workbookContentId1": "CyberArkEPMWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + 
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPM data connector with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "CyberArkEPM", + "title": "CyberArkEPM (using Azure Functions)", + "publisher": "CyberArk", + "descriptionMarkdown": "The [CyberArk Endpoint Privilege 
Manager](https://www.cyberark.com/products/endpoint-privilege-manager/) data connector provides the capability to retrieve security event logs of the CyberArk EPM services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CyberArkEPM_CL", + "baseQuery": "CyberArkEPM_CL" + } + ], + "sampleQueries": [ + { + "description": "CyberArk EPM Events - All Activities.", + "query": "CyberArkEPM\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "CyberArkEPM_CL", + "lastDataReceivedQuery": "CyberArkEPM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CyberArkEPM_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**CyberArkEPMUsername**, **CyberArkEPMPassword** and **CyberArkEPMServerURL** are required for making API calls." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the CyberArk EPM API**\n\n Follow the instructions to obtain the credentials.\n\n1. Use Username and Password for your CyberArk EPM account." + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the CyberArk EPM data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the CyberArk EPM data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CyberArkEPMAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **CyberArkEPMUsername**, **CyberArkEPMPassword**, **CyberArkEPMServerURL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the CyberArk EPM data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CyberArkEPMAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CyberArkXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.10.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCyberArkEPMUsername\n\t\tCyberArkEPMPassword\n\t\tCyberArkEPMServerURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "CyberArkEPM (using Azure 
Functions)", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "id": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + 
"connectorUiConfig": { + "title": "CyberArkEPM (using Azure Functions)", + "publisher": "CyberArk", + "descriptionMarkdown": "The [CyberArk Endpoint Privilege Manager](https://www.cyberark.com/products/endpoint-privilege-manager/) data connector provides the capability to retrieve security event logs of the CyberArk EPM services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CyberArkEPM_CL", + "baseQuery": "CyberArkEPM_CL" + } + ], + "dataTypes": [ + { + "name": "CyberArkEPM_CL", + "lastDataReceivedQuery": "CyberArkEPM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CyberArkEPM_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "CyberArk EPM Events - All Activities.", + "query": "CyberArkEPM\n | sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**CyberArkEPMUsername**, **CyberArkEPMPassword** and **CyberArkEPMServerURL** are required for making API calls." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the CyberArk EPM API**\n\n Follow the instructions to obtain the credentials.\n\n1. Use Username and Password for your CyberArk EPM account." + }, + { + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the CyberArk EPM data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the CyberArk EPM data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CyberArkEPMAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **CyberArkEPMUsername**, **CyberArkEPMPassword**, **CyberArkEPMServerURL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the CyberArk EPM data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CyberArkEPMAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CyberArkXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.10.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + }, + { + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCyberArkEPMUsername\n\t\tCyberArkEPMPassword\n\t\tCyberArkEPMServerURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + } + ], + "id": "CyberArkEPM", + "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**CyberArkEPM**](https://aka.ms/sentinel-CyberArkEPM-parser) which is deployed with the Microsoft Sentinel Solution." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "displayName": "CyberArk EPM", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + 
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CyberArkEPMCCPDefinition", + "title": "CyberArk EPM", + "publisher": "CyberArk", + "descriptionMarkdown": "The [CyberArk Endpoint Privilege Manager](https://www.cyberark.com/products/endpoint-privilege-manager/) data connector enables Microsoft Sentinel to ingest security event logs and other events from CyberArk EPM via REST API.", + "graphQueriesTableName": "CyberArk_EPMEvents_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CyberArk EPM Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "CyberArk EPM Events - All Activities.", + "query": "{{graphQueriesTableName}}\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "CyberArk EPM Platform", + "description": "Access to perform required configurations in CyberArk EPM platform" + } + ] + }, + "instructionSteps": [ + { + "description": "Follow the configuration steps [here](https://docs.cyberark.com/epm/latest/en/content/webservices/authenticate-with-identity-administration.htm) to integrate Microsoft Sentinel with CyberArk EPM and enable centralized monitoring of endpoint events within Microsoft Sentinel.", + "instructions": [ 
+ { + "type": "Textbox", + "parameters": { + "label": "Web App ID", + "validations": { + "required": true + }, + "placeholder": "The OAuth2 server web app ApplicationID", + "type": "text", + "name": "WebAppID" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Region based Tenant URL", + "validations": { + "required": true + }, + "placeholder": "e.g. api-na.epm.cyberark.cloud", + "type": "text", + "name": "TenantUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Set ID", + "validations": { + "required": true + }, + "placeholder": "List of comma seperated EPM Set IDs to poll events from", + "type": "text", + "name": "SetId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Identity Endpoint", + "validations": { + "required": true + }, + "placeholder": "e.g. kln9281.id.cyberark.cloud", + "type": "text", + "name": "IdentityEndpoint" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Oauth Username", + "clientSecretLabel": "Oauth Password", + "clientIdPlaceholder": "The service user created in Identity Administration", + "clientSecretPlaceholder": "The user password created in Identity Administration", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + } + ], + "title": "Connect to CyberArk EPM API to start collecting event logs in Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + 
"kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "CyberArkEPMDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId2')]", + "streamDeclarations": { + "Custom-CyberArkEPM": { + "columns": [ + { + "name": "TimeGenerated", + "type": "string" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "SetId", + "type": "string" + }, + { + "name": "SetName", + "type": "string" + }, + { + "name": "EpmAgentId", + "type": "string" + }, + { + "name": "ComputerName", + "type": "string" + }, + { + "name": "UserName", + "type": "string" + }, + { + "name": "PolicyName", + "type": "string" + }, + { + "name": "PolicyAction", + "type": "string" + }, + { + "name": "CyberArkEventType", + "type": "string" + }, + { + "name": "FileName", + "type": "string" + }, + { + "name": "FilePath", + "type": "string" + }, + { + "name": "Hash", + "type": "string" + }, + { + "name": "Publisher", + "type": "string" + }, + { + "name": "SourceType", + "type": "string" + }, + { + "name": "SourceName", + "type": "string" + }, + { + "name": "FirstEventDate", + "type": "string" + }, + { + "name": "LastEventDate", + "type": "string" 
+ }, + { + "name": "ArrivalTime", + "type": "string" + }, + { + "name": "TotalEvents", + "type": "int" + }, + { + "name": "AffectedComputers", + "type": "int" + }, + { + "name": "AffectedUsers", + "type": "int" + }, + { + "name": "AggregatedBy", + "type": "string" + }, + { + "name": "FileQualifier", + "type": "string" + }, + { + "name": "Skipped", + "type": "boolean" + }, + { + "name": "SkippedCount", + "type": "int" + }, + { + "name": "AdditionalFields", + "type": "dynamic" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-CyberArkEPM" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | project TimeGenerated=todatetime(TimeGenerated), EventType=tostring(EventType), SetId=tostring(SetId), SetName=tostring(SetName), EpmAgentId=tostring(EpmAgentId), ComputerName=tostring(ComputerName), UserName=tostring(UserName), PolicyName=tostring(PolicyName), PolicyAction=tostring(PolicyAction), CyberArkEventType=tostring(CyberArkEventType), FileName=tostring(FileName), FilePath=tostring(FilePath), Hash=tostring(Hash), Publisher=tostring(Publisher), SourceType=tostring(SourceType), SourceName=tostring(SourceName), FirstEventDate=todatetime(FirstEventDate), LastEventDate=todatetime(LastEventDate), ArrivalTime=todatetime(ArrivalTime), TotalEvents=toint(TotalEvents), AffectedComputers=toint(AffectedComputers), AffectedUsers=toint(AffectedUsers), AggregatedBy=tostring(AggregatedBy), FileQualifier=tostring(FileQualifier), Skipped=tobool(Skipped), SkippedCount=toint(SkippedCount), AdditionalFields=parse_json(tostring(AdditionalFields))", + "outputStream": "Custom-CyberArk_EPMEvents_CL" + } + ] + } + }, + { + "name": "CyberArk_EPMEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + 
"schema": { + "name": "CyberArk_EPMEvents_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "DateTime" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "SetId", + "type": "string" + }, + { + "name": "SetName", + "type": "string" + }, + { + "name": "EpmAgentId", + "type": "string" + }, + { + "name": "ComputerName", + "type": "string" + }, + { + "name": "UserName", + "type": "string" + }, + { + "name": "PolicyName", + "type": "string" + }, + { + "name": "PolicyAction", + "type": "string" + }, + { + "name": "CyberArkEventType", + "type": "string" + }, + { + "name": "FileName", + "type": "string" + }, + { + "name": "FilePath", + "type": "string" + }, + { + "name": "Hash", + "type": "string" + }, + { + "name": "Publisher", + "type": "string" + }, + { + "name": "SourceType", + "type": "string" + }, + { + "name": "SourceName", + "type": "string" + }, + { + "name": "FirstEventDate", + "type": "DateTime" + }, + { + "name": "LastEventDate", + "type": "DateTime" + }, + { + "name": "ArrivalTime", + "type": "DateTime" + }, + { + "name": "TotalEvents", + "type": "int" + }, + { + "name": "AffectedComputers", + "type": "int" + }, + { + "name": "AffectedUsers", + "type": "int" + }, + { + "name": "AggregatedBy", + "type": "string" + }, + { + "name": "FileQualifier", + "type": "string" + }, + { + "name": "Skipped", + "type": "bool" + }, + { + "name": "SkippedCount", + "type": "int" + }, + { + "name": "AdditionalFields", + "type": "dynamic" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", + "id": "[concat(take(variables('_solutionId'), 50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CyberArkEPMCCPDefinition", + "title": "CyberArk EPM", + "publisher": "CyberArk", + "descriptionMarkdown": "The [CyberArk Endpoint Privilege Manager](https://www.cyberark.com/products/endpoint-privilege-manager/) data connector enables Microsoft Sentinel to ingest security event logs and other events from CyberArk EPM via REST API.", + "graphQueriesTableName": "CyberArk_EPMEvents_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CyberArk EPM Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "CyberArk EPM Events - All Activities.", + "query": "{{graphQueriesTableName}}\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], 
+ "customs": [ + { + "name": "CyberArk EPM Platform", + "description": "Access to perform required configurations in CyberArk EPM platform" + } + ] + }, + "instructionSteps": [ + { + "description": "Follow the configuration steps [here](https://docs.cyberark.com/epm/latest/en/content/webservices/authenticate-with-identity-administration.htm) to integrate Microsoft Sentinel with CyberArk EPM and enable centralized monitoring of endpoint events within Microsoft Sentinel.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Web App ID", + "validations": { + "required": true + }, + "placeholder": "The OAuth2 server web app ApplicationID", + "type": "text", + "name": "WebAppID" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Region based Tenant URL", + "validations": { + "required": true + }, + "placeholder": "e.g. api-na.epm.cyberark.cloud", + "type": "text", + "name": "TenantUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Set ID", + "validations": { + "required": true + }, + "placeholder": "List of comma seperated EPM Set IDs to poll events from", + "type": "text", + "name": "SetId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Identity Endpoint", + "validations": { + "required": true + }, + "placeholder": "e.g. 
kln9281.id.cyberark.cloud", + "type": "text", + "name": "IdentityEndpoint" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Oauth Username", + "clientSecretLabel": "Oauth Password", + "clientIdPlaceholder": "The service user created in Identity Administration", + "clientSecretPlaceholder": "The user password created in Identity Administration", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Disconnect" + } + } + ], + "title": "Connect to CyberArk EPM API to start collecting event logs in Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": 
"2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "displayName": "CyberArk EPM", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "guidValue": { + "defaultValue": "[[newGuid()]", + "type": "securestring" + }, + "innerWorkspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "connectorDefinitionName": { + "defaultValue": "CyberArk EPM", + "type": "securestring", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "WebAppID": { + "defaultValue": "WebAppID", + "type": "securestring", + "minLength": 1 + }, + "TenantUrl": { + "defaultValue": "TenantUrl", + "type": "securestring", + "minLength": 1 + }, + "SetId": { + "defaultValue": "SetId", + "type": "securestring", + "minLength": 1 + }, + "IdentityEndpoint": { + "defaultValue": "IdentityEndpoint", + "type": "securestring", + "minLength": 1 + }, + "ClientId": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "ClientSecret": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "AuthorizationCode": { + "defaultValue": 
"-NA-", + "type": "securestring", + "minLength": 1 + }, + "redirectUri": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CyberArk EPM Events Polling Config', parameters('guidValue'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": 
"[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('clientSecret')]", + "ClientId": "[[parameters('clientId')]", + "TokenEndpoint": "[[concat('https://',parameters('IdentityEndpoint'),'/oauth2/token/',parameters('WebAppID'))]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://',parameters('TenantUrl'),'/EPM/API/Sets/',parameters('SetId'),'/events/aggregations/search')]", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CyberArk EPM Raw Events Polling Config', parameters('guidValue'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": 
"[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('clientSecret')]", + "ClientId": "[[parameters('clientId')]", + "TokenEndpoint": "[[concat('https://',parameters('IdentityEndpoint'),'/oauth2/token/',parameters('WebAppID'))]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://',parameters('TenantUrl'),'/EPM/API/Sets/',parameters('SetId'),'/Events/Search')]", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CyberArk EPM Aggregated Policy Audits Polling Config', parameters('guidValue'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": 
"CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('clientSecret')]", + "ClientId": "[[parameters('clientId')]", + "TokenEndpoint": "[[concat('https://',parameters('IdentityEndpoint'),'/oauth2/token/',parameters('WebAppID'))]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://',parameters('TenantUrl'),'/EPM/API/Sets/',parameters('SetId'),'/policyaudits/aggregations/search')]", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CyberArk EPM Policy Audit Raw Event Details Polling Config', parameters('guidValue'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + 
"properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('clientSecret')]", + "ClientId": "[[parameters('clientId')]", + "TokenEndpoint": "[[concat('https://',parameters('IdentityEndpoint'),'/oauth2/token/',parameters('WebAppID'))]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://',parameters('TenantUrl'),'/EPM/API/Sets/',parameters('SetId'),'/policyaudits/search')]", + "httpMethod": "POST", + "queryParameters": { + "nextCursor": "start", + "limit": 1000 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + }, + "isPostPayloadJson": true, + "queryParametersTemplate": "{\"filter\":\"arrivalTime GE {_QueryWindowStartTime} AND arrivalTime LE {_QueryWindowEndTime}\"}" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.nextCursor", + "nextPageParaName": "nextCursor" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CyberArk EPM Admin Audit Polling Config', parameters('guidValue'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": 
"[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "CyberArkEPMCCPDefinition", + "dataType": "CyberArk_EPMEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-CyberArkEPM" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('clientSecret')]", + "ClientId": "[[parameters('clientId')]", + "TokenEndpoint": "[[concat('https://',parameters('IdentityEndpoint'),'/oauth2/token/',parameters('WebAppID'))]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://',parameters('TenantUrl'),'/EPM/API/Sets/',parameters('SetId'),'/AdminAudit')]", + "httpMethod": "GET", + "queryParameters": { + "DateFrom": "{_QueryWindowStartTime}", + "DateTo": "{_QueryWindowEndTime}", + "limit": 100, + "offset": 0 + }, + "queryWindowInMin": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "x-cybr-telemetry": "aW49TWljcm9zb2Z0IFNlbnRpbmVsIEVQTSZpdj0yLjAmdm49TWljcm9zb2Z0Jml0PVNJRU0=" + } + }, + "response": { + "eventsJsonPaths": [ + "$.AdminAudits" + ], + "format": "json" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", + "id": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', 
uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPM Data Parser with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2025-07-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for CyberArkEPM", + "category": "Microsoft Sentinel Parser", + "functionAlias": "CyberArkEPM", + "query": "CyberArkEPM_CL\n| extend EventVendor = 'CyberArk',\n EventProduct = 'Endpoint Privilege Manager',\n EventSchemaVersion = '0.1',\n EventCount=case(event_type_s == 'raw_event', agentEventCount_d, totalEvents_d),\n EventMessage=case(event_type_s == 'raw_event', displayName_s, lastEventDisplayName_s),\n ActingProcessFileInternalName=case(event_type_s == 'raw_event', fileName_s, lastEventFileName_s),\n Justification=case(event_type_s == 'raw_event', justification_s, lastEventJustification_s),\n EventSourceName=case(event_type_s == 
'raw_event', sourceName_s, lastEventSourceName_s),\n EventSourceType=case(event_type_s == 'raw_event', sourceType_s, lastEventSourceType_s),\n ActorUsername=case(event_type_s == 'raw_event', userName_s, pack_array(firstEventUserName_s, lastEventUserName_s))\n| project-rename AccessAction=accessAction_s,\n AccessTargetName=accessTargetName_s,\n AccessTargetType=accessTargetType_s,\n AffectedComputers=affectedComputers_d,\n AffectedUsers=affectedUsers_d,\n AdminTaskId=adminTaskId_s,\n BundleId=bundleId_s,\n BundleName=bundleName_s,\n BundleVersion=bundleVersion_s,\n DvcId=agentId_g,\n AggregatedBy=aggregatedBy_s,\n AppType=applicationType_s,\n ApplicationSubType=applicationSubType_s,\n AppPackageDisplayName=appPackageDisplayName_s,\n CLSID=CLSID_s,\n ActingProcessFileCompany=company_s,\n DeceptionType=deceptionType_d,\n DefenceActionId=defenceActionId_d,\n EventType=event_type_s,\n EventSubType=eventType_s,\n Evidences=evidences_s,\n FileAccessPermission=fileAccessPermission_s,\n ActingProcessFileDescription=fileDescription_s,\n FileLocation=fileLocation_s,\n ActingProcessName=filePath_s,\n FileQualifier=fileQualifier_s,\n ActingProcessFileSize=fileSize_d,\n ActingProcessFileVersion=fileVersion_s,\n EventStartTime=firstEventDate_t,\n Hash=hash_s,\n JustificationEmail=justificationEmail_s,\n LastAgentId=lastAgentId_g,\n EventEndTime=lastEventDate_t,\n LogonAttemptTypeId=logonAttemptTypeId_d,\n LogonStatusId=logonStatusId_d,\n SrcFileMimeType=mimeType_s,\n ModificationTime=modificationTime_t,\n ActingProcessFileOriginalName=originalFileName_s,\n Owner=owner_s,\n PackageName=packageName_s,\n PolicyId=policyId_d,\n PolicyName=policyName_s,\n ActingProcessGuid=processCommandLine_g,\n ActingProcessCommandLine=processCommandLine_s,\n ActingProcessFileProduct=productName_s,\n ProductVersion=productVersion_s,\n Publisher=publisher_s,\n SetName=set_name_s,\n Skipped=skipped_b,\n SkippedCount=skippedCount_d,\n SrcProcessCommandLine=sourceProcessCommandLine_s,\n 
SrcProcessHash=sourceProcessHash_s,\n SrcProcessPublisher=sourceProcessPublisher_s,\n SrcProcessSigner=sourceProcessSigner_s,\n SrcProcessUsername=sourceProcessUsername_s,\t\n ThreatDetectionAction=threatDetectionAction_s,\n ThreatProtectionAction=threatProtectionAction_s,\n UrlOriginal=url_s,\n UserIsAdmin=userIsAdmin_b,\n WinEventRecordId=winEventRecordId_d,\n WinEventType=winEventType_d\n| project-away agentEventCount_d,\n totalEvents_d,\n displayName_s,\n lastEventDisplayName_s,\n fileName_s,\n lastEventFileName_s,\n justification_s,\n lastEventJustification_s,\n sourceName_s,\n lastEventSourceName_s,\n sourceType_s,\n lastEventSourceType_s,\n userName_s,\n firstEventUserName_s,\n lastEventUserName_s\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CyberArkEPM')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "CyberArkEPM", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", 
+ "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "Parser for CyberArkEPM", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2025-07-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for CyberArkEPM", + "category": "Microsoft Sentinel Parser", + "functionAlias": "CyberArkEPM", + "query": "CyberArkEPM_CL\n| extend EventVendor = 'CyberArk',\n EventProduct = 'Endpoint Privilege Manager',\n EventSchemaVersion = '0.1',\n EventCount=case(event_type_s == 'raw_event', agentEventCount_d, totalEvents_d),\n EventMessage=case(event_type_s == 'raw_event', displayName_s, lastEventDisplayName_s),\n ActingProcessFileInternalName=case(event_type_s == 'raw_event', fileName_s, lastEventFileName_s),\n Justification=case(event_type_s == 'raw_event', justification_s, lastEventJustification_s),\n EventSourceName=case(event_type_s == 'raw_event', sourceName_s, lastEventSourceName_s),\n EventSourceType=case(event_type_s == 'raw_event', sourceType_s, lastEventSourceType_s),\n ActorUsername=case(event_type_s == 'raw_event', userName_s, pack_array(firstEventUserName_s, lastEventUserName_s))\n| project-rename AccessAction=accessAction_s,\n AccessTargetName=accessTargetName_s,\n AccessTargetType=accessTargetType_s,\n 
AffectedComputers=affectedComputers_d,\n AffectedUsers=affectedUsers_d,\n AdminTaskId=adminTaskId_s,\n BundleId=bundleId_s,\n BundleName=bundleName_s,\n BundleVersion=bundleVersion_s,\n DvcId=agentId_g,\n AggregatedBy=aggregatedBy_s,\n AppType=applicationType_s,\n ApplicationSubType=applicationSubType_s,\n AppPackageDisplayName=appPackageDisplayName_s,\n CLSID=CLSID_s,\n ActingProcessFileCompany=company_s,\n DeceptionType=deceptionType_d,\n DefenceActionId=defenceActionId_d,\n EventType=event_type_s,\n EventSubType=eventType_s,\n Evidences=evidences_s,\n FileAccessPermission=fileAccessPermission_s,\n ActingProcessFileDescription=fileDescription_s,\n FileLocation=fileLocation_s,\n ActingProcessName=filePath_s,\n FileQualifier=fileQualifier_s,\n ActingProcessFileSize=fileSize_d,\n ActingProcessFileVersion=fileVersion_s,\n EventStartTime=firstEventDate_t,\n Hash=hash_s,\n JustificationEmail=justificationEmail_s,\n LastAgentId=lastAgentId_g,\n EventEndTime=lastEventDate_t,\n LogonAttemptTypeId=logonAttemptTypeId_d,\n LogonStatusId=logonStatusId_d,\n SrcFileMimeType=mimeType_s,\n ModificationTime=modificationTime_t,\n ActingProcessFileOriginalName=originalFileName_s,\n Owner=owner_s,\n PackageName=packageName_s,\n PolicyId=policyId_d,\n PolicyName=policyName_s,\n ActingProcessGuid=processCommandLine_g,\n ActingProcessCommandLine=processCommandLine_s,\n ActingProcessFileProduct=productName_s,\n ProductVersion=productVersion_s,\n Publisher=publisher_s,\n SetName=set_name_s,\n Skipped=skipped_b,\n SkippedCount=skippedCount_d,\n SrcProcessCommandLine=sourceProcessCommandLine_s,\n SrcProcessHash=sourceProcessHash_s,\n SrcProcessPublisher=sourceProcessPublisher_s,\n SrcProcessSigner=sourceProcessSigner_s,\n SrcProcessUsername=sourceProcessUsername_s,\t\n ThreatDetectionAction=threatDetectionAction_s,\n ThreatProtectionAction=threatProtectionAction_s,\n UrlOriginal=url_s,\n UserIsAdmin=userIsAdmin_b,\n WinEventRecordId=winEventRecordId_d,\n WinEventType=winEventType_d\n| 
project-away agentEventCount_d,\n totalEvents_d,\n displayName_s,\n lastEventDisplayName_s,\n fileName_s,\n lastEventFileName_s,\n justification_s,\n lastEventJustification_s,\n sourceName_s,\n lastEventSourceName_s,\n sourceType_s,\n lastEventSourceType_s,\n userName_s,\n firstEventUserName_s,\n lastEventUserName_s\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CyberArkEPM')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + 
"description": "CyberArkEPMElevationRequests_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Elevation requests", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where EventSubType =~ 'ElevationRequest'\n| extend AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows elevation requests." + }, + { + "name": "tactics", + "value": "Execution,PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1204,T1078" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + 
"support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Elevation requests", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMPowershellDownloads_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": 
"CyberArkEPM_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Powershell downloads", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where ActingProcessFileInternalName =~ 'powershell.exe'\n| where ActingProcessCommandLine has_any ('WebClient', 'DownloadString', 'DownloadFile')\n| extend AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows powershell downloads." + }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204,T1059" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": 
"[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Powershell downloads", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMPowershellExecutionParameters_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Powershell scripts execution parameters", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where ActingProcessFileInternalName =~ 'powershell.exe'\n| summarize count() by 
ActorUsername, ActingProcessCommandLine\n| extend AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows powershell scripts execution parameters." + }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204,T1059" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Powershell scripts execution parameters", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMProcessNewHash_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_4", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Process hash changed", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where isnotempty(Hash)\n| summarize hashes = makeset(Hash) by ActingProcessFileInternalName\n| where array_length(hashes) > 1\n| extend FileCustomEntity = ActingProcessFileInternalName\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows processes which hash has been changed recently." 
+ }, + { + "name": "tactics", + "value": "DefenseEvasion" + }, + { + "name": "techniques", + "value": "T1036" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 4", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Process hash changed", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMProcessesAccessedInternet_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_5", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Processes with Internet access attempts", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where EventSubType in~ ('DetectAccessInternet', 'Internet')\n| summarize count() by ActingProcessFileInternalName, ActorUsername\n| extend AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows processes which attempted to access Internet." 
+ }, + { + "name": "tactics", + "value": "CommandAndControl" + }, + { + "name": "techniques", + "value": "T1095" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 5", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Processes with Internet access attempts", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMProcessesRunAsAdmin_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_6", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Processes run as admin", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where UserIsAdmin == true\n| summarize count() by ActingProcessName, ActingProcessCommandLine, ActorUsername\n| extend AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows processes run as admin." 
+ }, + { + "name": "tactics", + "value": "Execution,PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1204,T1078" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 6", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Processes run as admin", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMRareProcVendors_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_7", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Rare process vendors", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where isnotempty(ActingProcessFileCompany)\n| summarize count() by ActingProcessFileCompany, ActingProcessFileInternalName\n| top 25 by count_ asc\n| extend ProcCustomEntity = ActingProcessFileCompany\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows rare process vendors." 
+ }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 7", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Rare process vendors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMRareProcessesRunByUsers_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_8", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Rare process run by users", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where isnotempty(ActingProcessFileInternalName)\n| summarize count() by ActingProcessFileInternalName, ActorUsername\n| top 25 by count_ asc\n| extend AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows rare process run by users." 
+ }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 8", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Rare process run by users", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMScriptsExecuted_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_9", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Scripts executed on hosts", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where AppType =~ 'Script'\n| project EventStartTime, EventEndTime, EventMessage, ActingProcessFileInternalName, Hash, ActorUsername, EventSourceName\n| extend FileCustomEntity = ActingProcessFileInternalName, AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows scripts which where executed on hosts." 
+ }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 9", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Scripts executed on hosts", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMSuspiciousActivityAttempts_HuntingQueries Hunting Query with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2025-07-01", + "name": "CyberArkEPM_Hunting_Query_10", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CyberArkEPM - Suspicious activity attempts", + "category": "Hunting Queries", + "query": "CyberArkEPM\n| where TimeGenerated > ago(24h)\n| where EventSubType =~ 'SuspiciousActivityAttempt'\n| extend AccountCustomEntity = ActorUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query shows suspicious activity attempts." 
+ }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]", + "properties": { + "description": "CyberArkEPM Hunting Query 10", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "contentKind": "HuntingQuery", + "displayName": "CyberArkEPM - Suspicious activity attempts", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMAttackAttemptNotBlocked_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This rule triggers on attack attempt which was not blocked by CyberArkEPM.", + "displayName": "CyberArkEPM - Attack attempt not blocked", + "enabled": false, + "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| where ThreatProtectionAction =~ 'Detect'\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName, Evidences\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": 
"CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": [ + "T1204" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Attack attempt not blocked", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMMSBuildLOLBin_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects usage of msbuild tool as LOLBin.", + "displayName": "CyberArkEPM - MSBuild usage as LOLBin", + "enabled": false, + "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName endswith @'msbuild.exe'\n| where ActingProcessCommandLine has_any ('xml', 'csproj', 'vcxproj', 'vbproj', 'fsproj')\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1127" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": 
"Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - MSBuild usage as LOLBin", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMMultipleAttackAttempts_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This rule triggers on multiple attack attemts triggered by same user.", + "displayName": "CyberArkEPM - Multiple attack types", + "enabled": false, + "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername\n| where array_length(att) > 1\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": [ + "T1204" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Multiple attack types", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": 
"CyberArkEPMNewProcessStartetFromSystem_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when uncommon windows proccess is started from System folder.", + "displayName": "CyberArkEPM - Uncommon Windows process started from System folder", + "enabled": false, + "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet sys_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName has_any ('System32', 'SysWOW64')\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName has_any ('System32', 'SysWOW64')\n| where ActingProcessFileInternalName !in (sys_proc)\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": [ + "T1204", + "T1036" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + 
"entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Uncommon Windows process started from System folder", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMPossibleExecutionOfPowershellEmpire_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects possible execution of Powershell Empire.", + "displayName": "CyberArkEPM - Possible execution of Powershell Empire", + "enabled": false, + "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessCommandLine has_any ('-NoP -sta -NonI -W Hidden -Enc', '-noP -sta -w 1 -enc', '-NoP -NonI -W Hidden -enc')\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": [ + "T1204" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Possible execution of Powershell Empire", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + 
"description": "CyberArkEPMProcessChangedStartLocation_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects when process started from different locations on a host.", + "displayName": "CyberArkEPM - Process started from different locations", + "enabled": false, + "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| extend bin_path = tolower(extract(@'\\A(.*)(\\\\|/)', 1, ActingProcessName))\n| summarize p = makeset(bin_path) by ActingProcessFileInternalName, DvcId\n| where array_length(p) > 1\n| extend FileCustomEntity = ActingProcessFileInternalName\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": [ + "T1204", + "T1036" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "FileCustomEntity", + "identifier": "Name" + } + ], + "entityType": "File" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Process started from different locations", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMRareProcInternetAccess_AnalyticalRules Analytics Rule with 
template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects access to the Internet by uncommon processes.", + "displayName": "CyberArkEPM - Uncommon process Internet access", + "enabled": false, + "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet inet_access_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType =~ 'DetectAccessInternet'\n| where isnotempty(ActingProcessFileInternalName)\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType =~ 'DetectAccessInternet'\n| where ActingProcessFileInternalName !in (inet_access_proc)\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion", + "CommandAndControl" + ], + "techniques": [ + "T1204", + "T1036", + "T1095" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Uncommon process Internet access", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9d0d44ab-54dc-472a-9931-53521e888932','-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9d0d44ab-54dc-472a-9931-53521e888932','-', '1.0.0')))]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMRenamedWindowsBinary_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects renamed windows binaries.", + "displayName": "CyberArkEPM - Renamed Windows binary", + "enabled": false, + "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName !has ActingProcessFileInternalName\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": [ + "T1204", + "T1036" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + 
"apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Renamed Windows binary", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMUnexpectedExecutableExtension_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects Windows executable with unexpected extension.", + "displayName": "CyberArkEPM - Unexpected executable extension", + "enabled": false, + "query": "CyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has @'\\'\n| where ActingProcessName !endswith '.exe'\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": [ + "T1204", + "T1036" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "properties": { + "description": "CyberArkEPM Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Unexpected executable extension", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPMUnexpectedExecutableLocation_AnalyticalRules Analytics Rule with 
template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects program run from unexpected location.", + "displayName": "CyberArkEPM - Unexpected executable location", + "enabled": false, + "query": "let susp_exe_folders = dynamic([@'\\tmp\\', @'\\TEMP\\', @'/tmp/', @'\\Users\\Public\\', @'\\$Recycle.bin', @'\\Windows\\Fonts\\', @'$']);\nCyberArkEPM\n| where EventSubType != 'AttackAttempt'\n| where ActingProcessName has_any (susp_exe_folders)\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName\n| extend AccountCustomEntity = ActorUsername\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CyberArkEPM", + "dataTypes": [ + "CyberArkEPM" + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": [ + "T1204", + "T1036" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ], + "entityType": "Account" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "properties": { 
+ "description": "CyberArkEPM Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "CyberArkEPM - Unexpected executable location", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CyberArkEPM Workbook with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Sets the time name for analysis" + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **CyberArkEPM** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-cyberarkepm-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events over time\",\"color\":\"magenta\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"name\":\"query - 
12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dusr = CyberArkEPM\\n| where EventType == 'raw_event'\\n| where isnotempty(ActorUsername)\\n| summarize cnt = dcount(ActorUsername)\\n| extend title = 'Users';\\nlet agnt = CyberArkEPM\\n| where isnotempty(DvcId)\\n| summarize cnt = dcount(DvcId)\\n| extend title = 'Agents';\\nlet apps = CyberArkEPM\\n| where isnotempty(ActingProcessFileInternalName)\\n| summarize cnt = dcount(ActingProcessFileInternalName)\\n| extend title = 'Applications';\\nlet att = CyberArkEPM\\n| where EventSubType =~ 'AttackAttempt'\\n| summarize cnt = count()\\n| extend title = 'Attack Attempts';\\nunion isfuzzy=true dusr, agnt, apps, att\",\"size\":3,\"title\":\"Solution Summary\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"cnt\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"15\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType =~ 'AttackAttempt'\\r\\n| summarize AttackCount=count() by EventMessage\\r\\n| top 10 by AttackCount\\r\\n\\r\\n\",\"size\":3,\"title\":\"Top 
attacks\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"e_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where isnotempty(ActingProcessFileInternalName)\\r\\n| summarize Events=count() by ActingProcessFileInternalName\\r\\n| top 10 by Events\",\"size\":3,\"title\":\"Top applications\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType =~ 'AttackAttempt'\\r\\n| where isnotempty(ActorUsername)\\r\\n| where ActorUsername !has '['\\r\\n| summarize Attacks = count() by ActorUsername\\r\\n| top 10 by Attacks\",\"size\":3,\"title\":\"Users with Attack events\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType =~ 
'SuspiciousActivityAttempt'\\r\\n| where ActorUsername !has '['\\r\\n| top 10 by TimeGenerated\\r\\n| project TimeGenerated, PolicyName, ActorUsername\\r\\n\\r\\n\",\"size\":0,\"title\":\"Latest suspicious activities\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Hits\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redGreen\"}}],\"rowLimit\":50}},\"customWidth\":\"40\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\r\\n| where EventSubType in~ ('AttackAttempt', 'SuspiciousActivityAttempt')\\r\\n| summarize by Process=ActingProcessFileInternalName, Hash\\r\\n\",\"size\":0,\"title\":\"Suspicious process hashes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Process\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20ch\"}},{\"columnMatch\":\"Hash\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50ch\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CyberArkEPM\\n| where EventSubType =~ 'AttackAttempt'\\n| sort by TimeGenerated\\n| project ActorUsername, PolicyName, Process=ActingProcessFileInternalName, FileLocation\\n| limit 10\\n\",\"size\":0,\"title\":\"Latest attacked users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"70\",\"name\":\"query - 
10\"}],\"fromTemplateId\":\"sentinel-CyberArkEPMWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=CyberArkEPMWorkbook; logoFileName=CyberArk_Logo.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=CyberArk EPM; templateRelativePath=CyberArkEPM.json; subtitle=; provider=CyberArk}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "CyberArkEPM_CL", + "kind": "DataType" + }, + { + "contentId": "CyberArkEPM", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + 
"displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.1.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "CyberArkEPM", + "publisherDisplayName": "CyberArk Support", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Endpoint Privilege Manager, a critical and foundational endpoint control addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "CyberArkEPM", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CyberArk Business Development", + "email": "[variables('_email')]" + }, + "support": { + "name": "CyberArk Support", + "email": "support@cyberark.com", + "tier": "Partner", + "link": "https://www.cyberark.com/services-support/technical-support-contact/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" + }, + { + "kind": "HuntingQuery", + "contentId": 
"[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + }, + { + "kind": 
"AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + } + ] + }, + "firstPublishDate": "2022-04-10", + "providers": [ + "CyberArk" + ], + "categories": { + "domains": [ + "Security - Threat Protection", + "Identity" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/CyberArkEPM/Package/testParameters.json b/Solutions/CyberArkEPM/Package/testParameters.json index 7f50eff81e8..e3ec9b6f973 100644 --- a/Solutions/CyberArkEPM/Package/testParameters.json +++ b/Solutions/CyberArkEPM/Package/testParameters.json 
@@ -21,6 +21,20 @@ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, "workbook1-name": { "type": "string", "defaultValue": "CyberArk EPM", diff --git a/Solutions/CyberArkEPM/data/Solution_CyberArkEPM.json b/Solutions/CyberArkEPM/data/Solution_CyberArkEPM.json index 3b55f3b02de..179907702c3 100644 --- a/Solutions/CyberArkEPM/data/Solution_CyberArkEPM.json +++ b/Solutions/CyberArkEPM/data/Solution_CyberArkEPM.json @@ -4,7 +4,8 @@ "Logo": "", "Description": "Endpoint Privilege Manager, a critical and foundational endpoint control addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.", "Data Connectors": [ - "DataConnectors/CyberArkEPM_API_FunctionApp.json" + "Data Connectors/CyberArkEPM_API_FunctionApp.json", + "Data Connectors/CyberArkEPM_CCP/CyberArkEPM_DataConnectorDefinition.json" ], "Parsers": [ "Parsers/CyberArkEPM.yaml" @@ -37,7 +38,7 @@ "Workbooks/CyberArkEPM.json" ], "BasePath": "C:/GitHub/Azure-Sentinel/Solutions/CyberArkEPM/", - "Version": "3.0.1", + "Version": "3.1.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true } \ No newline at end of file
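Review bot: The new `subscription` parameter derives the subscription id with `[last(split(subscription().id, '/'))]`, but ARM already exposes it directly, so `"defaultValue": "[subscription().subscriptionId]"` is the simpler and easier-to-review form that yields the same value. The two added `description` strings ("resource group name where …", "subscription id where …") also break from the existing parameter's style ("Workspace name for Log Analytics …"); capitalizing them, e.g. `"description": "Resource group name where Microsoft Sentinel is setup"`, keeps the parameter help consistent. These two values presumably feed the new CCP data connector definition added to Solution_CyberArkEPM.json and determine which subscription and resource group its resources bind to, so it is worth confirming the main template declares the same two parameters with matching names and defaults.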