Kno 358

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jupiterone/jupiterone-alert-rules",
-  "version": "0.24.2",
+  "version": "0.26.2",
   "description": "Alert rule packages for the JupiterOne platform",
   "scripts": {
     "validate": "tsx ./scripts/validate.ts"

rule-packs/cyberark-idaptive-misconfigurations.json

@@ -0,0 +1,62 @@
+[
+  {
+    "name": "cyberark-idaptive-MFA-disabled",
+    "description": "This query will look for devices that do not have SSO enabled.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_idaptive_device THAT HAS << cyberark_idaptive_user with ssoEnabled != true",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "MEDIUM"
+  },
+  {
+    "name": "cyberark-idaptive-no-user-assigned-to-account",
+    "description": "This query will look for cyberark accounts that have no user associated.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_idaptive_account THAT !HAS cyberark_idaptive_user",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "INFO"
+  },
+  {
+    "name": "cyberark-idaptive-no-user-assigned-role",
+    "description": "This query will look for cyberark users that have no role assigned.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_idaptive_user THAT !ASSIGNED cyberark_idaptive_role",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "INFO"
+  },
+  {
+    "name": "cyberark-idaptive-no-longer-active-devices",
+    "description": "This query will look for cyberark devices that may no longer be valid.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_idaptive_device WITH lastSeenOn < DATE.now - 30 days",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "INFO"
+  },
+  {
+    "name": "cyberark-idaptive-non-compliant-device",
+    "description": "This query will look for cyberark devices that aren't compliant.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_idaptive_device WITH complianceState != 'compliant' OR 'Compliant'",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "INFO"
+  }
+]

rule-packs/index.js

@@ -15,4 +15,5 @@ module.exports.IntegrationMonitoring = require("./integration-monitoring.json");
 module.exports.SophosEndpointSecurity = require("./sophos-endpoint-security.json");
 module.exports.ArmisEndpointSecurity = require("./armis-endpoint-security.json");
 module.exports.TrellixEndpointSecurity = require("./trellix-endpoint-security.json");
+module.exports.CyberarkIdaptiveMisconfigurations = require("./cyberark-idaptive-misconfigurations.json");
 module.exports.CyberarkEPMMisconfigurations = require("./cyberark-epm-misconfigurations.json");