Events for the Splunk Add-on for CyberArk EPM

This section lists some of the most relevant EPM events you can collect.

Account Admin Audit Logs

  • Account-related actions carried out by an EPM administrator.

Admin Audit Logs

  • Actions carried out by an EPM administrator.

Credential theft

  • Browsers
  • IT applications
  • Remote Access Applications
  • Windows OS

Privilege threats

  • Request to boot in Safe Mode
  • Request to set “Always Install Elevated”
  • Privilege deception
  • Privilege Management events

High risk applications

  • CMD
  • PowerShell
  • Admin tasks (for example, mmc, local groups, network settings, and so on)
  • Unsigned applications that require elevation
  • Blocked applications due to organization policy
  • Creation of a JIT policy

You can identify these events using a combination of output fields (such as EventName, EventType, PolicyName, and Action) as described in the CyberArk EPM documentation.