HEX
Server: LiteSpeed
System: Linux kapuas.iixcp.rumahweb.net 5.14.0-427.42.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 1 14:58:02 EDT 2024 x86_64
User: mirz4654 (1666)
PHP: 8.1.33
Disabled: system,exec,escapeshellarg,escapeshellcmd,passthru,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,popen,pclose,dl,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setsid,posix_setuid,posix_setpgid,ini_alter,show_source,define_syslog_variables,symlink,syslog,openlog,openlog,closelog,ocinumcols,listen,chgrp,apache_note,apache_setenv,debugger_on,debugger_off,ftp_exec,dll,ftp,myshellexec,socket_bind,mail,posix_getwpuid
$ pwd: /usr/lib/python3.9/site-packages/ansible_collections/cyberark/pas/rulebooks/
Upload Files
File: //usr/lib/python3.9/site-packages/ansible_collections/cyberark/pas/rulebooks/cyberark_test_rule.yml
- name: Demo rules with CyberArk syslog as source
  hosts: localhost 
  sources:
    - cyberark.pas.syslog:
        host: 0.0.0.0 
        port: 1514
  rules:
    - name: Check For User Suspension Event, Then Disable The User and Notify
      condition: event.cyberark.syslog.audit_record.Severity == "Error" and event.cyberark.syslog.audit_record.MessageID == "5"
      action:
        run_playbook:
          name: disable_user.yml
          extra_vars:
            username: "{{ event.cyberark.syslog.audit_record.Issuer }}"  
    - name: Check For PTA irregular IP OR irregular Hours Access and Notify
      condition: event.cyberark.DeviceEventClassID == "25" or event.cyberark.DeviceEventClassID == "23"
      action:
        run_playbook:
          name: pta_disable_notify.yml
          extra_vars:
            username: "{{ event.cyberark.suser }}"
            #username: "{{ event.cyberark.suser | ansible.builtin.regex_search('^[a-zA-Z0-9_]+') }}"
            eventname: "{{ event.cyberark.DeviceName }}"
            eventurl: "{{ event.cyberark.PTALink }}"
            station: "{{ event.cyberark.shost }}"
@ Telegram