elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

New Integration Request: Admin By Request #10404

Open jvalente-salemstate opened 2 weeks ago

jvalente-salemstate commented 2 weeks ago

Description

Our Desktop Support Team recently onboarded Admin By Request, an Endpoint Privilege Management solution.

Admin By Request enables IT departments to identify Local Admin rights usage, automate rights revocation and replace permanent un-audited admin rights use with an easy to use per request or time limited privilege elevation system with full audit trail.

With Admin By Request, office based or remote workers can safely perform tasks that would previously have required support tickets and valuable helpdesk time. Elevated rights operations such as printer setups, installation/removal of approved software and plugin management can all be safely performed by users, maximising productivity whilst still maintaining full security framework compliance.

There are several components of its Public API. The only one excluded in this request is the PIN Code API, since it is only for obtaining a single code for a specified endpoint.

Sample responses are copied from the API docs.

Audit Log

The Audit Log API returns an array of audit events. These can be correlated with other data, like that from the Requests API.


[
  {
    "id": 615669,
    "traceNo": "34376579",
    "settingsName": "Global",
    "type": "Run As Admin",
    "typeCode": 0,
    "status": "Finished",
    "statusCode": 2,
    "reason": "Need to update reader. It says out of date when trying to open PDF files from our supplier.",
    "approvedBy": "Jim Kerr",
    "deniedReason": null,
    "deniedBy": null,
    "ssoValidated": false,
    "requestTime": "2020-04-01T12:03:00",
    "requestTimeUTC": "2020-04-01T12:03:00",
    "startTime": "2020-04-01T12:03:30",
    "startTimeUTC": "2020-04-01T12:03:30",
    "endTime": "2020-04-01T12:09:11",
    "endTimeUTC": "2020-04-01T12:09:11",
    "responseTime": "00:00:05.4100000",
    "auditlogLink": "https://www.adminbyrequest.com/AuditLog?Page=AppElevations&ID=34376579&ShowFilter=false",
    "user": {
      "account": "ACME\\PDH",
      "fullName": "Paul David Hewson",
      "email": "pdh@acme.com",
      "phone": "555.345.6789",
      "isAdmin": false
    },
    "computer": {
      "name": "W1005623",
      "platform": "Windows",
      "platformCode": 0,
      "make": "Dell Inc.",
      "model": "XPS 15 9550"
    },
    "application": {
      "file": "readerdc_uk_fb_crd_install.exe",
      "path": "C:\\installers",
      "name": "Adobe Download Manager",
      "vendor": "Adobe Inc.",
      "version": "2.0.0.495s",
      "sha256": "9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
      "scanResult": "Clean",
      "scanResultCode": 0,
      "threat": null,
      "virustotalLink": "https://www.virustotal.com/latest-scan/9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
      "preapproved": false
    },
    "installs": [
      {
        "application": "Adobe Acrobat Reader DC",
        "version": "20.006.20042",
        "vendor": "Adobe Systems Incorporated"
      }
    ],
    "uninstalls": [
      {
        "application": "Adobe Reader XI (11.0.23)  MUI",
        "version": "11.0.23",
        "vendor": "Adobe Systems Incorporated"
      }
    ],
    "elevatedApplications": [
      {
        "name": "Adobe Download Manager",
        "path": "C:\\Users\\pdh\\Downloads",
        "file": "readerdc_uk_fb_crd_install.exe",
        "version": "2.0.0.495s",
        "vendor": "Adobe Inc.",
        "sha256": "9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
        "scanResult": "Clean",
        "scanResultCode": 0,
        "threat": null,
        "virustotalLink": "https://www.virustotal.com/latest-scan/9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99"
      },
      {
        "name": "Adobe Self Extractor",
        "path": "C:\\Users\\pdh\\AppData\\Local\\Adobe\\E1F06F26-140E-4556-A421-788F6C2015BD\\DA1C2141-106A-4BC6-B096-658FCF15DBFC",
        "file": "C12D10CF-96D9-4985-BE1E-00B35267FB0C",
        "version": "20.6.20042.371103",
        "vendor": "Adobe Inc.",
        "sha256": "912525F339CFC46D2CE7402366FC213084D79DEAD70D754F4A73C8BA4AA40650",
        "scanResult": "Clean",
        "scanResultCode": 0,
        "threat": null,
        "virustotalLink": "https://www.virustotal.com/latest-scan/912525F339CFC46D2CE7402366FC213084D79DEAD70D754F4A73C8BA4AA40650"
      },
      {
        "name": "Adobe Acrobat Reader DC",
        "path": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader",
        "file": "AcroRd32.exe",
        "version": "20.6.20042.371103",
        "vendor": "Adobe Inc.",
        "sha256": "DCD82008D913BFB6FA1ACBC209CB113E24042919FBB8C3E4E9431F194C5B3B47",
        "scanResult": "Clean",
        "scanResultCode": 0,
        "threat": null,
        "virustotalLink": "https://www.virustotal.com/latest-scan/DCD82008D913BFB6FA1ACBC209CB113E24042919FBB8C3E4E9431F194C5B3B47"
      }
    ],
    "scanResults": [
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "BitDefender",
        "threat": null
      },
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "CrowdStrike",
        "threat": null
      },
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "McAfee",
        "threat": null
      }
    ]
  }
]

Events

The Events API returns an array of events. Correlation, where applicable, is also possible with the Audit Log API.


[
    {
        "id": 49287606,
        "eventCode": 40,
        "eventLevel": 0,
        "eventText": "Admin By Request Workstation installed",
        "eventTime": "2022-01-23T15:49:20.597",
        "eventTimeUTC": "2022-01-23T15:49:20.597",
        "computerName": "FTWIN11",
        "userAccount": null,
        "userName": null,
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": "7.3.0",
        "application": {
            "file": null,
            "path": null,
            "name": null,
            "vendor": null,
            "version": null,
            "sha256": null
        }
    },
    {
        "id": 53820480,
        "eventCode": 92,
        "eventLevel": 0,
        "eventText": "Execution of file blocked by policy",
        "eventTime": "2022-01-27T12:16:38.817",
        "eventTimeUTC": "2022-01-27T12:16:38.817",
        "computerName": "FTWIN11",
        "userAccount": "TEST",
        "userName": "FastTrack Support",
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": null,
        "application": {
            "file": "msedge.exe",
            "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application",
            "name": "Microsoft Edge",
            "vendor": "Microsoft Corporation",
            "version": "msedge.exe",
            "sha256": "3BC499B8B30FE66A91FABC2FF5AE6E6A9452C116AEDCAC7DBC5AEEEAEED2EB9C"
        }
    },
    {
        "id": 53821158,
        "eventCode": 5,
        "eventLevel": 0,
        "eventText": "Audited administrator logged on",
        "eventTime": "2022-01-27T12:30:13.357",
        "eventTimeUTC": "2022-01-27T12:30:13.357",
        "computerName": "FTWIN11",
        "userAccount": "ADMINISTRATOR",
        "userName": "Administrator",
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": null,
        "application": {
            "file": null,
            "path": null,
            "name": null,
            "vendor": null,
            "version": null,
            "sha256": null
        }
    }
]

Inventory

The Inventory API returns an inventory of devices with ABR installed.

It can optionally also include a software inventory and device group information.

Having this as a dataset also provides extra entity data for hosts. Additionally, this seems like a neat use case for enrichment indexes to identify vulnerable versions of software.


[
  {
    "id": 49779198,
    "name": "W10405945",
    "inventoryAvailable": true,
    "inventoryDate": "2020-03-27T08:17:11",
    "abrClientVersion": "6.3.0",
    "abrClientInstallDate": "2020-03-27T08:15:32",
    "notes": null,
    "user": {
      "account": "PDH",
      "fullName": "Paul David Hewson",
      "email": "pdh@acme.com",
      "phone": "555.345.6789",
      "domain": "ACME",
      "orgUnit": "Users",
      "orgUnitPath": "\\Users",
      "isAdmin": false,
      "isDomainJoined": true,
      "isAzureJoined": false,
      "groups": [
        "Domain Users",
        "Users"
      ]
    },
    "owner": {
        "account": "support@fasttracksoftware.com",
        "fullName": "FastTrack Software Support"
    },
    "computer": {
      "domain": "ACME",
      "isDomainJoined": true,
      "isAzureJoined": false,
      "orgUnit": "Computers",
      "orgUnitPath": "\\Computers",
      "groups": [
        "Domain Computers"
      ],
      "localAdmins": [
        "Administrator",
        "ACME\\Domain Admins"
      ],
      "users": []
    },
    "operatingSystem": {
      "platform": "Windows",
      "platformCode": 0,
      "name": "Windows 11 Pro Insider Preview",
      "version": "22H2",
      "release": 2009,
      "build": 25231,
      "buildUpdate": 1000,
      "type": "Workstation",
      "typeCode": 0,
      "bits": 64,
      "installDate": "2022-10-30T00:00:00"
    },
    "hardware": {
      "make": "Dell Inc.",
      "model": "XPS 9550",
      "type": "Laptop",
      "typeCode": 0,
      "serviceTag": "4577-7924-6610-3168-2590-1337-74",
      "cpu": "Intel Core i7-3520M CPU @ 2.90GHz",
      "cpuSpeed": 2893,
      "cpuCores": 4,
      "diskSize": 135,
      "diskFree": 84,
      "diskStatus": "OK",
      "memory": 2147,
      "noMonitors": 1,
      "monitorResolution": "1024x768",
      "bitlockerEnabled": true,
      "isCompliant": true,
      "tpmEnabled": true,
      "tpmVersion": "2.0"
    },
    "network": {
      "publicIP": "10.20.30.40",
      "privateIP": "10.10.129.52",
      "macAddress": "AF:4F:E3:23:62:E1",
      "nicSpeed": "1000 mbit",
      "hostName": "internal.acme.dk"
    },
    "location": {
      "city": "San Francisco",
      "region": "California",
      "country": "Unites States",
      "latitude": "37.7576948",
      "longitude": "122.4727052",
      "googleMapsLink": "https://maps.google.com/?q=37.7576948,122.4727052",
      "hourOffset": 8
    },
    "software": [
      {
        "name": "Admin By Request Workstation",
        "version": "8.0.0.0",
        "vendor": "FastTrack Software",
        "installDate": "2023-02-01T00:00:00",
        "size": 2,
        "bits": 64
      },
      {
        "name": "Adobe Acrobat Reader DC",
        "version": "20.006.20042",
        "vendor": "Adobe Systems Incorporated",
        "installDate": "2020-04-01T00:00:00"
      },
      {
        "name": "Microsoft Office 365 ProPlus - en-us",
        "version": "16.0.11929.20648",
        "vendor": "Microsoft Corporation",
        "installDate": null
      },
      {
        "name": "Mozilla Firefox 67.0.1 (x86 en-US)",
        "version": "67.0.1",
        "vendor": "Mozilla",
        "installDate": null
      },
      {
        "name": "OPSWAT Client",
        "version": "7.6.271.0",
        "vendor": "OPSWAT, Inc.",
        "installDate": null
      },
      {
        "name": "Visual Studio Community 2019",
        "version": "16.4.29709.97",
        "vendor": "Microsoft Corporation",
        "installDate": "2020-01-19T00:00:00"
      }
    ]
  }
]

Requests

The Requests API returns an array of user requests to run something as administrator.

This data stream would likely work best with a transform or an aggregation query to capture the latest status. The API may return a document for the initial request and one when approved/denied.


[
  {
    "id": 615669,
    "traceNo": "34376579",
    "settingsName": "Global",
    "type": "Run As Admin",
    "typeCode": 0,
    "status": "Pending approval",
    "statusCode": 4,
    "reason": "Need to update reader. It says out of date when trying to open PDF files from our supplier.",
    "approvedBy": null,
    "deniedReason": null,
    "deniedBy": null,
    "requestTime": "2020-04-01T12:03:00",
    "auditLogLink": "https://www.adminbyrequest.com/AuditLog?Page=AppElevations&ID=34376579&ShowFilter=false",
    "user": {
      "account": "ACME\\PDH",
      "fullName": "Paul David Hewson",
      "email": "pdh@acme.com",
      "phone": "555.345.6789"
    },
    "computer": {
      "name": "W1005623",
      "platform": "Windows",
      "platformCode": 0,
      "make": "Dell Inc.",
      "model": "XPS 15 9550"
    },
    "application": {
      "file": "readerdc_uk_fb_crd_install.exe",
      "name": "Adobe Download Manager",
      "vendor": "Adobe Inc.",
      "version": "2.0.0.495s",
      "sha256": "9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
      "scanResult": "Clean",
      "scanResultCode": 0,
      "threat": null,
      "virustotalLink": "https://www.virustotal.com/latest-scan/9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
      "preapproved": false
    },
    "scanResults": [
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "BitDefender",
        "threat": null
      },
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "CrowdStrike",
        "threat": null
      },
      {
        "scanResult": "Clean",
        "scanResultCode": 0,
        "engine": "McAfee",
        "threat": null
      }
    ]
  }
]
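
The three processing ideas in the request above (collapsing Requests documents to the latest status per request, correlating Audit Log events with their request via `traceNo`, and matching the Inventory software list against an enrichment table) can be prototyped outside Elastic before they become an ingest pipeline or transform. The script below is an added example; it is not code from this issue, from Elastic, or from Admin By Request. The ECS field mapping is my own choice, the samples are trimmed, constructed copies of the shapes shown above, the `ENRICHMENT` table uses placeholder thresholds and advisory ids rather than real advisories, and the rule that a decided request document supersedes a pending one is an assumption about how the Requests API emits its second document.

```python
"""Added example (not from the issue, Elastic, or Admin By Request): shape the
Requests, Audit Log and Inventory responses before indexing.
All sample data below is constructed; the enrichment table holds placeholders."""


# Constructed: the same request seen twice, first pending, then finished.
REQUESTS = [
    {"id": 615669, "traceNo": "34376579", "status": "Pending approval", "statusCode": 4,
     "requestTime": "2020-04-01T12:03:00", "approvedBy": None, "deniedBy": None,
     "reason": "Need to update reader."},
    {"id": 615669, "traceNo": "34376579", "status": "Finished", "statusCode": 2,
     "requestTime": "2020-04-01T12:03:00", "approvedBy": "Jim Kerr", "deniedBy": None,
     "reason": "Need to update reader."},
]

# Constructed: one Audit Log event for that request, fields trimmed.
AUDIT_LOG = [
    {"id": 615669, "traceNo": "34376579", "type": "Run As Admin", "status": "Finished",
     "startTimeUTC": "2020-04-01T12:03:30", "endTimeUTC": "2020-04-01T12:09:11",
     "user": {"account": "ACME\\PDH", "email": "pdh@acme.com", "isAdmin": False},
     "computer": {"name": "W1005623", "platform": "Windows"},
     "application": {"file": "readerdc_uk_fb_crd_install.exe", "path": "C:\\installers",
                     "sha256": "9369FB712545F6B6FEC5FBF8B1DD228E57CA7899933BBE354B7C4351C8700C99",
                     "scanResult": "Clean"}},
]

# Constructed: trimmed Inventory record with its software list.
INVENTORY = [
    {"name": "W10405945",
     "software": [
         {"name": "Mozilla Firefox 67.0.1 (x86 en-US)", "version": "67.0.1", "vendor": "Mozilla"},
         {"name": "Adobe Acrobat Reader DC", "version": "20.006.20042",
          "vendor": "Adobe Systems Incorporated"},
     ]},
]

# Constructed enrichment table: PLACEHOLDER thresholds and ids, not real advisories.
# In Elastic this would live in an enrich index consulted by an enrich processor.
ENRICHMENT = [
    {"vendor": "Mozilla", "name_prefix": "Mozilla Firefox", "fixed_in": "68.0",
     "advisory": "PLACEHOLDER-ADVISORY-1"},
]


def latest_request_status(requests):
    """Collapse Requests documents to one per id (what a transform would do).
    Assumption: a document with approvedBy or deniedBy set supersedes a pending
    one for the same id; between two undecided documents the later one wins."""
    latest = {}
    for doc in requests:
        decided = doc.get("approvedBy") is not None or doc.get("deniedBy") is not None
        prev = latest.get(doc["id"])
        if prev is None or decided or not prev[0]:
            latest[doc["id"]] = (decided, doc)
    return {rid: doc for rid, (_, doc) in latest.items()}


def audit_to_ecs(event):
    """Map one Audit Log event onto ECS-style field names (my mapping, not Elastic's).
    Hashes are lower-cased so they match other ECS sources in the same cluster."""
    user = event.get("user") or {}
    computer = event.get("computer") or {}
    app = event.get("application") or {}
    return {
        "@timestamp": event.get("startTimeUTC"),
        "event.action": event.get("type"),
        "user.name": user.get("account"),
        "user.email": user.get("email"),
        "host.name": computer.get("name"),
        "host.os.type": (computer.get("platform") or "").lower() or None,
        "file.name": app.get("file"),
        "file.path": app.get("path"),
        "file.hash.sha256": (app.get("sha256") or "").lower() or None,
        "abr.trace_no": event.get("traceNo"),
    }


def correlate(audit_log, requests):
    """Join each ECS audit document to the latest state of its request via traceNo."""
    by_trace = {doc["traceNo"]: doc for doc in latest_request_status(requests).values()}
    out = []
    for event in audit_log:
        ecs = audit_to_ecs(event)
        req = by_trace.get(event.get("traceNo"))
        if req:
            ecs["abr.request.status"] = req["status"]
            ecs["abr.request.reason"] = req["reason"]
            ecs["abr.request.approved_by"] = req.get("approvedBy")
        out.append(ecs)
    return out


def version_key(version):
    """Numeric-aware version tuple: '20.006.20042' -> (20, 6, 20042).
    Non-numeric parts (e.g. '495s') keep their digits; parts with none sort as 0."""
    parts = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def flag_vulnerable_software(inventory, enrichment):
    """Return (host, software, version, advisory) for installed software below fixed_in."""
    hits = []
    for host in inventory:
        for sw in host.get("software") or []:
            for rule in enrichment:
                if (sw.get("vendor") == rule["vendor"]
                        and sw.get("name", "").startswith(rule["name_prefix"])
                        and version_key(sw.get("version", "0")) < version_key(rule["fixed_in"])):
                    hits.append((host["name"], sw["name"], sw["version"], rule["advisory"]))
    return hits


if __name__ == "__main__":
    for doc in correlate(AUDIT_LOG, REQUESTS):
        print(doc)
    print(flag_vulnerable_software(INVENTORY, ENRICHMENT))
```

The pending-then-finished pair in `REQUESTS` is the case the request text calls out: indexed as-is, both documents would show up in a dashboard, so the collapse step (or its transform equivalent keyed on `id`) has to run before the Audit Log join. `version_key` deliberately tolerates suffixes like the `2.0.0.495s` seen in the samples rather than rejecting them.

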
elasticmachine commented 2 weeks ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)