From 1d7a8c0ac515012c84ec72a0e75bee120f54fcd1 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 10 Apr 2024 11:26:10 -0600
Subject: [PATCH 1/5] Create cyberark-idaptive-misconfigurations
---
 .../cyberark-idaptive-misconfigurations | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 rule-packs/cyberark-idaptive-misconfigurations
diff --git a/rule-packs/cyberark-idaptive-misconfigurations b/rule-packs/cyberark-idaptive-misconfigurations
new file mode 100644
index 0000000..656825f
--- /dev/null
+++ b/rule-packs/cyberark-idaptive-misconfigurations
@@ -0,0 +1,62 @@
+[
+ {
+ "name": "cyberark-idaptive-MFA-disabled",
+ "description": "This query will look for devices that do not have SSO enabled.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND cyberark_idaptive_device THAT HAS << cyberark_idaptive_user with ssoEnabled != true",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "MEDIUM"
+ },
+ {
+ "name": "cyberark-idaptive-no-user-assigned-to-account",
+ "description": "This query will look for cyberark accounts that have no user associated.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND cyberark_idaptive_account THAT !HAS cyberark_idaptive_user",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "INFO"
+ },
+ {
+ "name": "cyberark-idaptive-no-user-assigned-role",
+ "description": "This query will look for cyberark users that have no role assigned.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND cyberark_idaptive_user THAT !ASSIGNED cyberark_idaptive_role",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "INFO"
+ },
+ {
+ "name": "cyberark-idaptive-no-longer-active-devices",
+ "description": "This query will look for cyberark devices that may no longer be valid.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND cyberark_idaptive_device WITH lastSeenOn > DATE.now - 30 days",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "INFO"
+ },
+ {
+ "name": "cyberark-idaptive-non-compliant-device",
+ "description": "This query will look for cyberark devices that aren't compliant.",
+ "queries": [
+ {
+ "name": "query0",
+ "query": "FIND cyberark_idaptive_device WITH complianceState != 'compliant' OR 'Compliant'",
+ "version": "v1"
+ }
+ ],
+ "alertLevel": "INFO"
+ }
+]
From c2ce819623e7d3da961c02b98f3aae959daf67fe Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 10 Apr 2024 14:38:07 -0600
Subject: [PATCH 2/5] Update index.js
---
 rule-packs/index.js | 1 +
 1 file changed, 1 insertion(+)
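Review bot: The non-compliant-device query `FIND cyberark_idaptive_device WITH complianceState != 'compliant' OR 'Compliant'` does not express "neither spelling": the right-hand `OR 'Compliant'` is a bare literal with no property comparison, and even if the parser read it as one, a disjunction of two inequalities matches every device, because any value is unequal to at least one of the two strings. The description calls for both spellings to be excluded, which is a conjunction, `complianceState != 'compliant' AND complianceState != 'Compliant'` (or a single case-insensitive comparison if the query language provides one; I am not certain of the exact syntax). Separately, the first rule is named `cyberark-idaptive-MFA-disabled` while its description speaks of SSO and its query tests `ssoEnabled` on the related user, not any MFA property; the name, description and query should agree on which control is being checked, since responders triage on the alert name.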
diff --git a/rule-packs/index.js b/rule-packs/index.js
index 3902a70..3cb8685 100644
--- a/rule-packs/index.js
+++ b/rule-packs/index.js
@@ -15,3 +15,4 @@ module.exports.IntegrationMonitoring = require("./integration-monitoring.json");
 module.exports.SophosEndpointSecurity = require("./sophos-endpoint-security.json");
 module.exports.ArmisEndpointSecurity = require("./armis-endpoint-security.json");
 module.exports.TrellixEndpointSecurity = require("./trellix-endpoint-security.json");
+module.exports.CyberarkIdaptiveMisconfigurations = require("./cyberark-idaptive-misconfigurations.json");
From 0a8f702a6426e3f3f77dd81bf51abd0ec9de818b Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Wed, 10 Apr 2024 14:41:40 -0600
Subject: [PATCH 3/5] Rename cyberark-idaptive-misconfigurations to cyberark-idaptive-misconfigurations.json
---
 ...misconfigurations => cyberark-idaptive-misconfigurations.json} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rule-packs/{cyberark-idaptive-misconfigurations => cyberark-idaptive-misconfigurations.json} (100%)
diff --git a/rule-packs/cyberark-idaptive-misconfigurations b/rule-packs/cyberark-idaptive-misconfigurations.json
similarity index 100%
rename from rule-packs/cyberark-idaptive-misconfigurations
rename to rule-packs/cyberark-idaptive-misconfigurations.json
From 18c58e250188d2d3d072254bb50a1dabd4fe5c82 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Thu, 11 Apr 2024 12:06:34 -0600
Subject: [PATCH 4/5] Update cyberark-idaptive-misconfigurations.json
---
 rule-packs/cyberark-idaptive-misconfigurations.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rule-packs/cyberark-idaptive-misconfigurations.json b/rule-packs/cyberark-idaptive-misconfigurations.json
index 656825f..4f504cf 100644
--- a/rule-packs/cyberark-idaptive-misconfigurations.json
+++ b/rule-packs/cyberark-idaptive-misconfigurations.json
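Review bot: The added `require("./cyberark-idaptive-misconfigurations.json")` points at a file that does not exist at this commit: PATCH 1/5 created it as `rule-packs/cyberark-idaptive-misconfigurations` with no extension, and the `.json` rename only lands in PATCH 3/5, so loading `rule-packs/index.js` throws between these two commits and breaks bisecting or any per-commit CI run. Either fold the rename into this commit or reorder the series so the rename precedes the export. The rest of the export list lies outside the hunk.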
@@ -41,7 +41,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND cyberark_idaptive_device WITH lastSeenOn > DATE.now - 30 days",
+ "query": "FIND cyberark_idaptive_device WITH lastSeenOn < DATE.now - 30 days",
 "version": "v1"
 }
 ],
From a9a55854f4114343c1c526717c948ffabae50945 Mon Sep 17 00:00:00 2001
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com>
Date: Thu, 11 Apr 2024 12:07:47 -0600
Subject: [PATCH 5/5] Update package.json
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 732b10c..bab1a82 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@jupiterone/jupiterone-alert-rules",
- "version": "0.24.1",
+ "version": "0.26.2",
 "description": "Alert rule packages for the JupiterOne platform",
 "scripts": {
 "validate": "tsx ./scripts/validate.ts"
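Review bot: With the comparison flipped to `lastSeenOn < DATE.now - 30 days`, a device that carries no `lastSeenOn` value at all is silently excluded, because a missing property cannot satisfy a less-than comparison; if a device that has never reported is at least as suspect as a stale one, the rule should match that case too, e.g. `lastSeenOn < DATE.now - 30 days OR lastSeenOn = undefined`, assuming the platform's undefined check applies here as I expect. I am also not certain that the uppercase `DATE.now` spelling is accepted, so it is worth confirming with the `validate` script before release. The enclosing rule object begins and ends outside the hunk.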