From 7aa27155eea40d3878b21644cc92569fec67c439 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 23 Jan 2020 09:05:26 -0800
Subject: [PATCH 1/3] Fixes #143 Support Cyberark PTA and EPV
---
 docs/sources/CyberArk/index.md | 81 +++++++++++++++++++
 package/Dockerfile | 3 +-
 .../context/microfocus_arcsight_source.csv | 4 +
 .../lp-microfocus_arcsight.conf.tmpl | 11 ++-
 tests/test_cyberark.py | 56 +++++++++++++
 5 files changed, 151 insertions(+), 4 deletions(-)
 create mode 100644 docs/sources/CyberArk/index.md
 create mode 100644 tests/test_cyberark.py
diff --git a/docs/sources/CyberArk/index.md b/docs/sources/CyberArk/index.md
new file mode 100644
index 0000000..dd497d0
--- /dev/null
+++ b/docs/sources/CyberArk/index.md
@@ -0,0 +1,81 @@
+# Vendor - CyberArk
+
+## Product - EPV
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CyberArk | https://splunkbase.splunk.com/app/2891/ |
+| Add-on Manual | https://docs.splunk.com/Documentation/AddOns/latest/CyberArk/About |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cyberark:epv:cef | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| CyberArk_Vault | cyberark:epv:cef | netauth | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef sourcetype="cyberark:epv:cef")
+```
+
+## Product - PTA
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CyberArk | https://splunkbase.splunk.com/app/2891/ |
+| Add-on Manual | https://docs.splunk.com/Documentation/AddOns/latest/CyberArk/About |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| cyberark:pta:cef | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| Cyber-Ark_Vault | cyberark:pta:cef | main | none |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype=cef sourcetype="cyberark:pta:cef")
+```
diff --git a/package/Dockerfile b/package/Dockerfile
index 4e5771b..22dbf53 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -16,7 +16,8 @@ ENV DISTCHECK_CONFIGURE_FLAGS="--prefix=/opt/syslog-ng --with-ivykis=system --wi
 RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y ;\
 dnf install 'dnf-command(config-manager)' -y ;\
 dnf config-manager --set-enabled PowerTools -y; \
- dnf update -y
+ dnf update -y ;\
+ dnf upgrade
 
 RUN dnf group install "Development Tools" -y ;\
 dnf install findutils autoconf \
diff --git a/package/etc/conf.d/context/microfocus_arcsight_source.csv b/package/etc/conf.d/context/microfocus_arcsight_source.csv
index 6c5bd73..6d4b160 100644
--- a/package/etc/conf.d/context/microfocus_arcsight_source.csv
+++ b/package/etc/conf.d/context/microfocus_arcsight_source.csv
@@ -6,3 +6,7 @@ Microsoft_Microsoft Windows,index,oswinsec
 Incapsula_SIEMintegration,source,Imperva:Incapsula
 Incapsula_SIEMintegration,index,netwaf
 unknown,source,ArcSight:unknown
+Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
+Cyber-Ark_Vault,index,netauth
+CyberArk_PTA,sourcetype,cyberark:pta:cef
+CyberArk_PTA,index,main
diff --git a/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl
index ae04a47..fd5a97a 100644
--- a/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl
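Review bot: The added `dnf upgrade` on the last line of the RUN step has no `-y`, so in a non-interactive `docker build` dnf aborts at the confirmation prompt whenever any package is upgradable and the build fails; it is also the same operation as the `dnf update -y` on the line before it, since `update` is an alias of `upgrade` in dnf. Drop the added line, or if a second pass is really wanted write `dnf upgrade -y`. The step also chains its commands with `;\` rather than `&& \`, so a failed `dnf install` earlier in the same RUN does not stop the build — pre-existing, but worth fixing while this line is being touched.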
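Review bot: The four new rows use `sourcetype` in the field column while every existing row in this file uses `source` (for example `Incapsula_SIEMintegration,source,Imperva:Incapsula`); the tests in this commit search on `sourcetype=`, so this looks intentional, but it deserves a sentence in the new CyberArk docs saying that these products override the sourcetype rather than only the source. The keys `Cyber-Ark_Vault` and `CyberArk_PTA` also do not match the Index Configuration tables in the new docs/sources/CyberArk/index.md, which list `CyberArk_Vault` for EPV and `Cyber-Ark_Vault` for PTA; the csv keys agree with the CEF headers used in the tests (`Cyber-Ark|Vault`, `CyberArk|PTA`), so the docs tables should be corrected to `Cyber-Ark_Vault` and `CyberArk_PTA`. Finally, PTA is routed to `main` while EPV goes to `netauth`; if that is not deliberate, privileged-account anomaly events probably belong in the same security index as the vault audit.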
+++ b/package/etc/conf.d/log_paths/lp-microfocus_arcsight.conf.tmpl @@ -53,14 +53,19 @@ log { }; rewrite { - set("microfocus_arcsight", value("fields.sc4s_vendor_product")); r_set_splunk_dest_default(sourcetype("cef"), index("main")) }; - parser { p_add_context_splunk(key("cef_{fields.cef_device_vendor}_${fields.cef_device_product}")); }; - parser (p_microfocus_arcsight_header); + rewrite { + set("${fields.cef_device_vendor}_${fields.cef_device_product}", value("fields.sc4s_vendor_product")); + }; + + parser { + p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}")); + }; + # We already have the syslog msg time stamp however that may not be the best one # If we have an rt or end field that is best we use the If trick here so if this parser fails # We don't get sent to fallback. diff --git a/tests/test_cyberark.py b/tests/test_cyberark.py new file mode 100644 index 0000000..edb6985 --- /dev/null +++ b/tests/test_cyberark.py 
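Review bot: The removed `parser (p_microfocus_arcsight_header);` is the only line in this hunk that could populate `fields.cef_device_vendor` and `fields.cef_device_product`, which the new rewrite and the new `p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"))` both depend on; if the header parser is not invoked earlier in this log path (the enclosing `log { ... }` block starts and ends outside the hunk), the key resolves to `_`, no csv row matches and every event silently keeps the `cef`/`main` defaults set by `r_set_splunk_dest_default`. Please confirm where those two fields are set and, if it is only here, keep the parser call ahead of the new rewrite. A short comment above the new rewrite, such as `# sc4s_vendor_product is built from the CEF header so the context csv can route per vendor/product`, would also help the next reader, since the value is now the raw vendor/product strings received from the device rather than the fixed `microfocus_arcsight`.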
@@ -0,0 +1,56 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+
+env = Environment(extensions=['jinja2_time.TimeExtension'])
+
+
+#<190>Jul 27 23:31:58 VAULT CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act="Logon" suser=##USER_NAME## fname= dvc= shost=##SOURCE_IP## dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3=11111 cs4Label="Database" cs4=222222 cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=
+def test_cyberark_epv(record_property, setup_wordlist, setup_splunk):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act=\"Logon\" suser=##USER_NAME## fname= dvc= shost=##SOURCE_IP## dhost= duser= externalId= app= reason= cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" cs2= cs3Label=\"Device Type\" cs3=11111 cs4Label=\"Database\" cs4=222222 cs5Label=\"Other info\" cs5= cn1Label=\"Request Id\" cn1= cn2Label=\"Ticket Id\" cn2= msg=\n")
+ message = mt.render(mark="<111>", host=host)
+
+ sendsingle(message)
+
+ st = env.from_string("search index=netauth host=\"{{ host }}\" sourcetype=\"cyberark:epv:cef\"| head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+#<190>Jul 12 23:44:25 10.0.0.1 CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c
+def test_cyberark_pta(record_property, setup_wordlist, setup_splunk):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ mt = env.from_string(
+ "{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c\n")
+ message = mt.render(mark="<111>", host=host)
+
+ sendsingle(message)
+
+ st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"cyberark:pta:cef\"| head 2")
+ search = st.render(host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
From 134199e9048af85880c49b017127bc54e488226f Mon Sep 17 00:00:00 2001
From: mbonsack
Date: Thu, 23 Jan 2020 09:11:47 -0800
Subject: [PATCH 2/3] Reorder `microfocus_arcsight_source.csv`
* Reorder `microfocus_arcsight_source.csv` alphabetically by vendor with unknown at the end
---
 package/etc/conf.d/context/microfocus_arcsight_source.csv | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/etc/conf.d/context/microfocus_arcsight_source.csv b/package/etc/conf.d/context/microfocus_arcsight_source.csv
index 6d4b160..d668350 100644
--- a/package/etc/conf.d/context/microfocus_arcsight_source.csv
+++ b/package/etc/conf.d/context/microfocus_arcsight_source.csv
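Review bot: `test_cyberark_epv` and `test_cyberark_pta` are the same fifteen lines with only the CEF payload, the index and the sourcetype differing; folding them into one `pytest.mark.parametrize` case (with `import pytest` added to the imports) keeps the two samples side by side and makes the next CyberArk product a one-line addition. Neither function has a docstring; a one-liner such as `"""Send one CyberArk CEF sample through SC4S and check it is indexed with the expected index and sourcetype."""` says what is being verified. The locals `resultCount, eventCount` are camelCase and `eventCount` is never used, so `result_count, _ = splunk_single(setup_splunk, search)` fits PEP 8 (the `record_property("resultCount", ...)` key is the recorded name and can stay). The leading `#<190>...` sample comments also disagree with the `<111>` priority the templates actually send; harmless, but one should be made to match the other.
```python
# … unchanged: license header, imports, env = Environment(...) …

# One case per product: (CEF payload after the host field, expected index, expected sourcetype).
CYBERARK_CASES = [
    pytest.param(EPV_SAMPLE, "netauth", "cyberark:epv:cef", id="epv"),
    pytest.param(PTA_SAMPLE, "main", "cyberark:pta:cef", id="pta"),
]
# … unchanged: EPV_SAMPLE / PTA_SAMPLE hold the two existing CEF sample strings, starting at "CEF:0|" …


@pytest.mark.parametrize("payload, index, sourcetype", CYBERARK_CASES)
def test_cyberark(record_property, setup_wordlist, setup_splunk, payload, index, sourcetype):
    """Send one CyberArk CEF sample through SC4S and check it is indexed with the expected index and sourcetype."""
    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

    mt = env.from_string("{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} {{ payload }}\n")
    message = mt.render(mark="<111>", host=host, payload=payload)

    sendsingle(message)

    st = env.from_string(
        "search index={{ index }} host=\"{{ host }}\" sourcetype=\"{{ sourcetype }}\"| head 2"
    )
    search = st.render(index=index, host=host, sourcetype=sourcetype)

    result_count, _ = splunk_single(setup_splunk, search)

    record_property("host", host)
    record_property("resultCount", result_count)
    record_property("message", message)

    assert result_count == 1
```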
@@ -1,4 +1,8 @@
 ArcSight_ArcSight,source,ArcSight:ArcSight
+Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
+Cyber-Ark_Vault,index,netauth
+CyberArk_PTA,sourcetype,cyberark:pta:cef
+CyberArk_PTA,index,main
 Microsoft_System or Application Event,source,CEFEventLog:System or Application Event
 Microsoft_System or Application Event,index,oswin
 Microsoft_Microsoft Windows,source,CEFEventLog:Microsoft Windows
@@ -6,7 +10,3 @@ Microsoft_Microsoft Windows,index,oswinsec
 Incapsula_SIEMintegration,source,Imperva:Incapsula
 Incapsula_SIEMintegration,index,netwaf
 unknown,source,ArcSight:unknown
-Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
-Cyber-Ark_Vault,index,netauth
-CyberArk_PTA,sourcetype,cyberark:pta:cef
-CyberArk_PTA,index,main
From f77798038edf0bd07d80ba47959bc3fb21d89aea Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 23 Jan 2020 10:26:44 -0800
Subject: [PATCH 3/3] Update mkdocs.yml
---
 mkdocs.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/mkdocs.yml b/mkdocs.yml
index d4497cb..3407538 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -14,6 +14,7 @@ nav:
 - About: sources/index.md
 - Checkpoint: sources/Checkpoint/index.md
 - Cisco: sources/Cisco/index.md
+ - CyberArk: sources/CyberArk/index.md
 - Forcepoint: sources/Forcepoint/index.md
 - Fortinet: sources/Fortinet/index.md
 - Imperva: sources/Imperva/index.md
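Review bot: The commit message says the rows are now ordered alphabetically by vendor with `unknown` last, but the context of the second hunk still shows the `Microsoft_*` rows ahead of `Incapsula_SIEMintegration`, so the file is only partly sorted after this change; moving the two Incapsula rows above the Microsoft block would make the contents match the description. Since this csv has no comment syntax, the intended ordering rule (vendor_product key ascending, `unknown` last) is worth stating in the commit message or in the ArcSight docs page so later additions follow it.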