CONN-4232: Added docs code for Cyberark Audit C2C source (#5104)

* CONN-4232: Added docs code for Cyberark Audit C2C source

* Updates from review

* minor content fix

* minor fix

* added release note and fixed the parameter table

* Update docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source.md

---------

Co-authored-by: John Pipkin <[email protected]>
Co-authored-by: Jagadisha V <[email protected]>

Author: 3 people

blog-service/2025-02-27-collection.md

@@ -0,0 +1,14 @@
+---
+title: CyberArk Audit Source (Collection)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - collection
+  - cyberark-audit-source
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>
+
+We're excited to announce the release of our new cloud-to-cloud source for CyberArk Audit. This source aims to collect the audit events from the CyberArk platform using the CyberArk SIEM integrations API and send them to Sumo Logic for streamlined analysis. [Learn more](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source).

cid-redirects.json

@@ -1755,6 +1755,7 @@
   "/cid/10691": "/docs/metrics/metric-rules-editor",
   "/cid/10692": "/docs/metrics/metric-rules-editor",
   "/cid/106992": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source",
+  "/cid/20016": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source",
   "/cid/1071": "/docs/integrations/web-servers/heroku",
   "/cid/10228": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/abnormal-security-source",
   "/cid/1072": "/docs/alerts/webhook-connections/microsoft-azure-functions",

docs/integrations/product-list/product-list-a-l.md

@@ -171,7 +171,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/criminal-ip.png')} alt="Thumbnail icon" width="100"/> | [Criminal IP](https://www.criminalip.io/) | Automation integration: [Criminal IP](/docs/platform-services/automation-service/app-central/integrations/criminal-ip) |
 |  <img src={useBaseUrl('img/integrations/security-threat-detection/crowdstrike.png')} alt="Thumbnail icon" width="75"/>   | [CrowdStrike](https://www.crowdstrike.com/)  | Apps: <br/>- [CrowdStrike Falcon Endpoint Protection](/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection/) <br/>- [CrowdStrike Falcon FileVantage](/docs/integrations/saas-cloud/crowdstrike-falcon-filevantage/) <br/>- [Threat Intel Quick Analysis](/docs/integrations/security-threat-detection/threat-intel-quick-analysis/)	<br/>- [CrowdStrike FDR Host Inventory](/docs/integrations/saas-cloud/crowdstrike-fdr-host-inventory)  <br/>- [CrowdStrike Spotlight](/docs/integrations/saas-cloud/crowdstrike-spotlight) <br/>Automation integrations: <br/>- [CrowdStrike Falcon](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon/) <br/>- [CrowdStrike Falcon Discover](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-discover/) <br/>-  [CrowdStrike Falcon Intelligence](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-intelligence/) <br/>-  [CrowdStrike Falcon Sandbox](/docs/platform-services/automation-service/app-central/integrations/crowdstrike-falcon-sandbox/) <br/>Cloud SIEM integrations: <br/>- [CrowdStrike](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/79ade329-b6d4-43ae-8db1-2a9cc45c0fb0.md) <br/>- [PreemptSecurity](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/15c77a62-0fbb-4a60-9fae-ead49ec423f9.md) <br/>Collectors:<br/>- [CrowdStrike Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-source/) <br/>- [Crowdstrike FDR Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-source/)<br/>- [CrowdStrike FDR Host Inventory Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-fdr-host-inventory-source/) <br/>- [CrowdStrike FileVantage Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-filevantage-source/)<br/>- [CrowdStrike Spotlight Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source/) <!-- <br/>- [CrowdStrike Threat Intel Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source/) --> |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/cuckoo.png')} alt="Thumbnail icon" width="75"/>  | [Cuckoo](https://cuckoo.readthedocs.io/en/latest/#) | Automation integration: [Cuckoo](/docs/platform-services/automation-service/app-central/integrations/cuckoo/) |
-|  <img src={useBaseUrl('img/send-data/cyberark.png')} alt="Thumbnail icon" width="50"/>   |  [CyberArk](https://www.cyberark.com/) | Automation integrations: <br/>- [CyberArk AAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-aam/) <br/>- [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam) <br/>Cloud SIEM integration: [CyberArk](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8a3d333e-ffad-49ed-9edd-0cf1c797b24f.md) <br/>Collector: [CyberArk EPM Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source/) |
+|  <img src={useBaseUrl('img/send-data/cyberark.png')} alt="Thumbnail icon" width="50"/>   |  [CyberArk](https://www.cyberark.com/) | Automation integrations: <br/>- [CyberArk AAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-aam/) <br/>- [CyberArk PAM](/docs/platform-services/automation-service/app-central/integrations/cyberark-pam) <br/>Cloud SIEM integration: [CyberArk](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8a3d333e-ffad-49ed-9edd-0cf1c797b24f.md) <br/>Collector: <br/>- [CyberArk EPM Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source/)<br/>- [CyberArk Audit Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source/) |
 | <img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/cyberint.png')} alt="cyberint" width="75"/>  | [CyberInt](https://cyberint.com/)  | Automation integration: [Cyberint](/docs/platform-services/automation-service/app-central/integrations/cyberint)  |
 |  <img src={useBaseUrl('img/integrations/security-threat-detection/cybereason-logo.png')} alt="Thumbnail icon" width="50"/>   |  [Cybereason](https://www.cybereason.com/) | Automation integration: [Cybereason](/docs/platform-services/automation-service/app-central/integrations/cybereason/) <br/>Cloud SIEM integration: [Cybereason](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1a51cb88-ebc9-4655-bce4-3d788bf19e89.md) <br/>Collector: [Cybereason Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cybereason-source/)	<br/>Partner integration: [Cybereason](https://github.com/SumoLogic/sumologic-public-partner-apps/tree/master/Cybereason) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/cybersecurity-help.png')} alt="Thumbnail icon" width="100"/>  | [Cybersecurity Help](https://www.cybersecurity-help.cz/) | Automation integration: [Cybersecurity Help](/docs/platform-services/automation-service/app-central/integrations/cybersecurity-help/) |

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source.md

@@ -0,0 +1,115 @@
+---
+id: cyberark-audit-source
+title: CyberArk Audit Source
+sidebar_label: CyberArk Audit
+tags:
+  - cloud-to-cloud
+  - cyberark-audit
+description: This integration accesses CyberArk SIEM integration API to retrieve audit events.
+---
+import CodeBlock from '@theme/CodeBlock';
+import ExampleJSON from '/files/c2c/cyberark-audit/example.json';
+import MyComponentSource from '!!raw-loader!/files/c2c/cyberark-audit/example.json';
+import TerraformExample from '!!raw-loader!/files/c2c/cyberark-audit/example.tf';
+import ForwardToSiem from '/docs/reuse/forward-to-siem.md';
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/send-data/cyberark.png')} alt="icon" width="50"/>
+
+The CyberArk Identity Security platform is a comprehensive identity management solution that enhances enterprise security through features such as single sign-on, multi-factor authentication, and privileged access control. It streamlines identity operations while providing extensive protection against both external and internal cyber threats. 
+
+The Audit service offers detailed audit trails for activities, events, and sessions conducted by any integrated service on the Shared Services platform. An audit trail is a recorded history of activities that have taken place within the system. This information can be utilized for various purposes, including security, regulatory compliance, incident response investigations, and troubleshooting.
+
+## Data collected
+
+| Polling Interval | Data |
+| :--- | :--- |
+| 5 minutes | [Audits](https://docs.cyberark.com/audit/latest/en/content/audit/isp_siem-integration-api.htm?tocpath=Developer%7C_____1) |
+
+## Setup
+
+### Vendor configuration
+
+In this configuration, you will set up a CyberArk audit source and configure it to be authorized and authenticated to use CyberArk Audit SIEM API. CyberArk audit supports OAuth authentication. 
+
+Follow the instructions mentioned in the [CyberArk Documentation](https://docs.cyberark.com/audit/latest/en/content/audit/isp_siem-integration.htm?tocpath=SIEM%20integrations%7C_____1) to retrieve the following parameters to configure the CyberArk audit source.
+
+1. Identity Id
+1. App Id
+1. Username(Client ID)
+1. Password(Client Secret)
+1. Tenant URL
+1. API Key
+
+### Source configuration
+
+When you create a CyberArk Audit Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see [Configure a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector.md).
+
+To configure a CyberArk Audit source, follow the steps below:
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. 
+1. On the Collection page, click **Add Source** next to a Hosted Collector.
+1. Search for and select **CyberArk Audit**.
+1. **Name**. Enter a name to display for the source. The description is optional.
+1. (Optional) For **Source Category**, enter any string to tag the output collected from the source. Category metadata is stored in a searchable field called `_sourceCategory`.
+1. (Optional) **Fields**. Click the **+Add** button to define the fields you want to associate. Each field needs a name (key) and value.
+   * ![green check circle.png](/img/reuse/green-check-circle.png) A green circle with a check mark is shown when the field exists in the Fields table schema.
+   * ![orange exclamation point.png](/img/reuse/orange-exclamation-point.png) An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema is ignored, known as dropped.
+1. **Identity ID**. Enter your identity ID collected from the [Vendor configuration](#vendor-configuration) section. For example, `abr4338`.
+1. **Web Application ID**. Enter your application ID collected from the [Vendor configuration](#vendor-configuration) section. For example, `sumologic`.
+1. **Username**. Enter your username(client-id) collected from the [Vendor configuration](#vendor-configuration) section. For example, `[email protected]`.
+1. **Password**. Enter your password(client-secret) collected from the [Vendor configuration](#vendor-configuration) section.
+1. **Tenant URL**. Enter your tenant URL collected from the [Vendor configuration](#vendor-configuration) section. For example, `https://sumologic.audit.cyberark.cloud`.
+1. **API Key**. Enter your API key collected from the [Vendor configuration](#vendor-configuration) section.
+1. (Optional) **Service Type**. Enter the service types to filter the audits.
+1. (Optional) **Status Type**. Enter the status types to filter the audits.
+1. (Optional) **Action Type**. Enter the action types to filter the audits.
+1. **Polling Interval**. The polling interval is the frequency at which the CyberArk Audit C2C source will check for updates from the CyberArk Audit API. By default, the polling interval is set to 5 minutes.
+1. (Optional) **Processing Rules for Logs**. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in [Create a Processing Rule](/docs/send-data/collection/processing-rules/create-processing-rule).
+1. When you are finished configuring the Source, click **Save**.
+
+## JSON schema
+
+Sources can be configured using UTF-8 encoded JSON files with the Collector Management API. See [how to use JSON to configure Sources](/docs/send-data/use-json-configure-sources) for details. 
+
+| Parameter | Type | Value | Required | Description |
+|:--|:--|:--|:--|:--|
+| schemaRef | JSON Object  | `{“type”: “CyberArk Audit”}` | Yes | Define the specific schema type. |
+| sourceType | String | `"Universal"` | Yes | Type of source. |
+| config | JSON Object | [Configuration object](#configuration-object) | Yes | Source type specific values. |
+
+### Configuration Object
+
+| Parameter | Type | Required | Default | Description | Example |
+|:--|:--|:--|:--|:--|:--|
+| name | String | Yes | `null` | Type a desired name of the source. The name must be unique per Collector. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_source`. | `"mySource"` |
+| description | String | No | `null` | Type a description of the source. | `"Testing source"` |
+| category | String | No | `null` | Type a category of the source. This value is assigned to the [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata) field `_sourceCategory`. See [best practices](/docs/send-data/best-practices) for details. | `"mySource/test"` |
+| fields | JSON Object | No | `null` | JSON map of key-value fields (metadata) to apply to the collector or source. Use the boolean field `_siemForward` to enable forwarding to SIEM.| `{"_siemForward": false, "fieldA": "valueA"}` |
+| identityId | String | Yes | `null` | Identity ID for your CyberArk account. | `abr4338` |
+| appId | String | Yes |  `null` | App ID for your CyberArk account. | `sumologic` |
+| username | String | Yes |  `null` | Username(Client ID) for your configured server. | `[email protected]` |
+| password | String | Yes |  `null` | Password for your configured server. | |
+| tenantURL | String | Yes |  `null` | Tenant URL for your configured server. | `https://sumologic.audit.cyberark.cloud` |
+| apiKey | String | Yes |  `null` | API key for your configured server. | |
+| serviceType | Array | No | `null` | Type of audit services to filter data from. |  |
+| statusType | Array | No | `null` | Type of audit statuses to filter data from. |  |
+| actionType | Array | No | `null` | Type of audit actions to filter data from. |  |
+| pollingIntervalMin | integer | Yes | 5 minutes | Frequency of C2C updates from CyberArk Audit. |  |  
+
+### JSON example
+
+<CodeBlock language="json">{MyComponentSource}</CodeBlock>
+
+<a href="/files/c2c/cyberark-audit/example.json" target="_blank">Download example</a>
+
+### Terraform example
+
+<CodeBlock language="json">{TerraformExample}</CodeBlock>
+
+<a href="/files/c2c/cyberark-audit/example.tf" target="_blank">Download example</a>
+
+## FAQ
+
+:::info
+Click [here](/docs/c2c/info) for more information about Cloud-to-Cloud sources.
+:::

docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/index.md

@@ -237,6 +237,12 @@ In this section, we'll introduce the following concepts:
   <p>Before configuring an AWS Source give Sumo Logic access to your AWS product</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source"><img src={useBaseUrl('img/send-data/cyberark.png')} alt="icon" width="50"/><h4>CyberArk Audit</h4></a>
+  <p>Learn to collect audits using the CyberArk SIEM integrations API.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cybereason-source"><img src={useBaseUrl('img/send-data/cybereason-logo.png')} alt="icon" width="60"/><h4>Cybereason</h4></a>

sidebars.ts

@@ -455,6 +455,7 @@ module.exports = {
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-spotlight-source',
                 //'send-data/hosted-collectors/cloud-to-cloud-integration-framework/crowdstrike-threat-intel-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source',
+                'send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/cybereason-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/digital-guardian-source',
                 'send-data/hosted-collectors/cloud-to-cloud-integration-framework/docusign-source',

static/files/c2c/cyberark-audit/example.json

@@ -0,0 +1,22 @@
+{
+	"api.version": "v1",
+	"source": {
+		"config": {
+            "name": "CyberArkAudit",
+            "identityId": "abr43969",
+            "appId": "sumologic",
+            "username": "[email protected]",
+            "password": "rECxxxx__4_xxxx_G4n6",
+            "tenantURL": "https://sumologic.audit.cyberark.cloud",
+            "apiKey": "JxxxxxxS9gFJv96LcKcxxxxxxxxxxxxxYqP09OGxxxY",
+            "serviceType": [],
+            "statusType": [],
+            "actionType": [],
+            "pollingIntervalMin": 5
+          },
+		"schemaRef": {
+			"type": "CyberArk Audit"
+		},
+		"sourceType": "Universal"
+	}
+}

static/files/c2c/cyberark-audit/example.tf

@@ -0,0 +1,23 @@
+resource "sumologic_cloud_to_cloud_source" "cyberark_audit_test_source" {
+  collector_id = sumologic_collector.collector.id
+  schema_ref = {
+    type = "CyberArk Audit"
+  }
+  config = jsonencode({
+			"name": "CyberArkAudit",
+			"identityId": "abr43969",
+            "appId": "sumologic",
+            "username": "[email protected]",
+            "password": "rECxxxx__4_xxxx_G4n6",
+            "tenantURL": "https://sumologic.audit.cyberark.cloud",
+            "apiKey": "JxxxxxxS9gFJv96LcKcxxxxxxxxxxxxxYqP09OGxxxY",
+            "serviceType": [],
+            "statusType": [],
+            "actionType": [],
+            "pollingIntervalMin": 5
+  })
+}
+resource "sumologic_collector" "collector" {
+  name        = "my-collector"
+  description = "Just testing this"
+}