Update: readme, dashboard and detection rules
manan-crest committed Dec 10, 2024
1 parent 5c23ac5 commit 72b1b79
Showing 6 changed files with 152 additions and 167 deletions.
22 changes: 12 additions & 10 deletions delinea_privilege_manager/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,15 @@

[Delinea Privilege Manager][3] is an endpoint least privilege and application control solution for Windows and macOS, capable of supporting enterprises and fast-growing organizations at scale. Local Security and Application Control are the two major components of Delinea Privilege Manager.

This integration parses the following types of logs:
This integration supports the following types of logs:
- **Application Action Events** : Application Action Events contain generic information about the application that ran, the policy that was triggered, the date and time stamp, the computer, and the user.
- **Application Justification Events** : Application Justification Events are generated when an application requiring a justification workflow is run by a user.
- **Bad Rated Application Action Events** : Bad Rated Application Action Events are generated when an application is being installed or executed, that is identified with a bad security rating.
- **Password Disclosure Events** : Password Disclosure Events contain any type of password disclosure activity.
- **Newly Discovered File Events** : Newly Discovered File Events contain information about newly discovered files on the system.
- **Change History Events** : Change History Events contain information about any changes made in Delinea Privilege Manager.

Visualize detailed insights into these logs through the out-of-the-box dashboards. Additionally, out-of-the-box detection rules are available to help you monitor and respond to potential security threats effectively.
Visualize detailed insights into these logs through the out-of-the-box dashboards. Additionally, it includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.


## Setup
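Review bot: in the rewritten closing sentence, "Additionally, it includes ready-to-use Cloud SIEM detection rules" leaves "it" without a clear antecedent, because the sentence before it is an imperative addressed to the reader ("Visualize detailed insights..."); write "the integration includes" instead. The change from "parses" to "supports" in the intro line is fine. Unrelated to this change but in the same hunk, the list items carry a space before the colon ("**Application Action Events** :"), which could be tidied while the file is open.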
Expand Down Expand Up @@ -66,19 +66,23 @@ Linux command
- For TCP, configuration would look like this: tcp://[host]:port
- For UDP, configuration would look like this: udp://[host]:port

**host**: ip address where your datadog-agent is running.
**host**: IP address where your datadog-agent is running.

**port**: port number to send syslog messages.
**port**: Port number to send syslog messages.
4. Click on the **Create** button. Confirm the details added and get back to the Admin Menu.
- Setting Up Syslog Server Tasks:
1. After adding a new Syslog connection, to send logs to your Syslog Server, go to **Admin** > **Tasks**.
2. Expand the **Server Tasks** folder, then **Foreign Systems**, select **SysLog** and click **Create**.
3. From the **Template** drop-down, select the **Send Application Action Events to Syslog** template.
4. Add a **Name** for this task (set to **Application Action Events**) and **Event Name** (set to **Application Action Events**), and specify the **Event Severity**(0-Lowest, 10-Highest) or keep it as is.
4. Add a **Name** for this task (set to **Application Action Events**) and **Event Name** (set to **Application Action Events**), and specify the **Event Severity**(0-Lowest, 10-Highest) or keep it as is.

5. From the **SysLog System** drop-down select your SysLog server foreign system (configured above).
6. Provide value for **Security Ratings Provider** if required or keep it as is.
7. Click **Create**.
8. Once created, Scroll down to the Schedule section, click on **New Schedule** button. Provide Below Details:

**Note**: Do not alter the **Data source**, and ensure the **Replace spaces** toggle is disabled, as any changes to these parameters will directly impact the functionality of the Delinea Privilege Manager integration.

8. Once created, scroll down to the Schedule section, click on the **New Schedule** button. Provide below details:
1. Schedule Details:
- Provide **Schedule Name**.
2. Schedule:
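Review bot: the rewritten step 4 still has no space between **Event Severity** and the parenthesised range, so it renders as "Event Severity(0-Lowest, 10-Highest)"; the replaced and replacing lines appear identical apart from whitespace, so fix the spacing while touching the line. The new **Note** inserted between steps 7 and 8 should be indented under the list so Markdown does not treat it as the end of the numbered list, and it would help to state the expected value of **Data source** so a reader can verify it has not been altered rather than only being told not to change it. Also, "Provide below details:" reads better as "Provide the following details:".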
Expand All @@ -88,7 +92,7 @@ Linux command

This process configures the Syslog forwarding task for **Application Action Events**. For other types of events mentioned in the table below, create new tasks for each event with respective template and event name, and follow all the above steps.

**Note**: In step 4, ensure to set the **Name** for the task and the **Event Name** according to the selected **Template**, as specified in the table below:
**Note**: In step 4, ensure to set the **Name** for the task and the **Event Name** according to the selected Template, as specified in the table below. The **Event Name** is essential to the functionality of the Delinea Privilege Manager Pipeline and must be provided exactly as specified.

| Template | Event Name | Name |
| --------- | -------------- |--------------
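Review bot: the new Note drops the bold from "Template" that the replaced line had, while **Name** and **Event Name** keep it; UI field names are bolded throughout this section, so keep **Template** bold. "ensure to set" should read "make sure to set", and "Pipeline" does not need a capital. The table separator row below is also missing its closing pipe (`|--------------`), which most renderers tolerate but is worth fixing alongside.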
Expand All @@ -109,7 +113,7 @@ This process configures the Syslog forwarding task for **Application Action Even

| Format | Event Types |
| --------- | -------------- |
| JSON | Application Action Events, Bad Rated Application Action Events, Application Justification Events, Password Disclosure Events, Newly Discovered File Events, Change History Events |
| CEF | Application Action Events, Bad Rated Application Action Events, Application Justification Events, Password Disclosure Events, Newly Discovered File Events, Change History Events |

### Metrics

Expand All @@ -123,8 +127,6 @@ The Delinea Privilege Manager integration does not include any events.

The Delinea Privilege Manager integration does not include any service checks.

See [service_checks.json][5] for a list of service checks provided by this integration.

## Troubleshooting

**Permission denied while port binding:**
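Review bot: removing the "See [service_checks.json][5]" sentence is consistent with the line above stating that there are no service checks, but it likely leaves the `[5]` reference-style link definition at the bottom of the README unused; delete that definition too if nothing else references it.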
Original file line number Diff line number Diff line change
Expand Up @@ -795,14 +795,14 @@
"x": 0,
"y": 4,
"width": 12,
"height": 39
"height": 1
}
},
{
"id": 7405800016622172,
"definition": {
"title": "Application Justification Events",
"background_color": "vivid_pink",
"background_color": "vivid_green",
"show_title": true,
"type": "group",
"layout_type": "ordered",
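Review bot: the group widget's height changes from 39 to 1 and its colour from vivid_pink to vivid_green, and the later hunks shift sibling groups from y 43 to 5 and y 44 to 6 to match. Nothing in the commit message explains the layout change; a sentence in the commit description (for example, that a group's height now follows its children, if that is the reason) would help future readers. Confirm in the UI that the group still renders all of its widgets and is not clipped to a single row.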
Expand Down Expand Up @@ -1569,7 +1569,7 @@
},
"layout": {
"x": 0,
"y": 43,
"y": 5,
"width": 12,
"height": 1
}
Expand Down Expand Up @@ -2067,10 +2067,7 @@
{
"formulas": [
{
"formula": "query1",
"limit": {
"order": "desc"
}
"formula": "query1"
}
],
"queries": [
Expand Down Expand Up @@ -2114,6 +2111,16 @@
"response_format": "scalar",
"style": {
"palette": "datadog16"
},
"sort": {
"count": 500,
"order_by": [
{
"type": "formula",
"index": 0,
"order": "desc"
}
]
}
}
],
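Review bot: the previous hunk removed `limit: { order: "desc" }` from the formula and this one adds a widget-level `sort` with `count: 500` and `order: "desc"`. The old limit carried no `count`, so the widget used the default row limit; `count: 500` may change how many rows the toplist shows. If the intent was only to move the ordering into the newer `sort` schema, check that 500 is deliberate rather than a copy from another widget.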
Expand Down Expand Up @@ -2197,7 +2204,7 @@
},
"layout": {
"x": 0,
"y": 44,
"y": 6,
"width": 12,
"height": 1,
"is_column_break": true
Original file line number Diff line number Diff line change
Expand Up @@ -1092,7 +1092,8 @@
"x": 0,
"y": 5,
"width": 12,
"height": 1
"height": 1,
"is_column_break": true
}
},
{
