Overview
About the Splunk Add-on for CyberArk EPM¶
| Component | Description |
|---|---|
| Version | 3.1.0 |
| Vendor Products | CyberArk Endpoint Privilege Manager v21.1, v23.3.0, v24.5.0, v25.6.1 |
The Splunk Add-on for CyberArk EPM lets a Splunk software administrator pull raw and aggregated Inbox Events, Policy Audit Events, and Admin Audit Logs, and collect logs related to policies, computers, and computer groups, using the cloud administration APIs of CyberArk EPM. Inbox Events comprise Application Events and Threat Detection events.
Release notes¶
For a summary of new features, fixed issues, and known issues, and for more information on release history, see Release notes for the Splunk Add-on for CyberArk EPM.
Compatibility¶
This add-on provides modular inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
This add-on is compatible with Python 3 only.
Source types and lookups¶
For more information about the source types for Splunk Add-on for CyberArk EPM, see Source types.
Download the add-on¶
Download the Splunk Add-on for CyberArk EPM from Splunkbase.
Install and configure the add-on¶
To install and configure the Splunk Add-on for CyberArk EPM, see Installation and configuration overview for the Splunk Add-on for CyberArk EPM.
Hardware and software requirements¶
For more information, see Hardware and software requirements.
Additional resources¶
See Troubleshooting guidelines specific for this add-on.
Hardware and software requirements¶
You must have access to the CyberArk EPM Admin Console so that you can configure it and send data to the Splunk platform instance. Because this is a modular-input add-on and Universal Forwarders do not come with a UI, Universal Forwarders are not supported for configuration in Splunk Web.
Splunk platform requirements¶
Because this add-on runs on the Splunk platform, all of the system requirements apply to the Splunk software that you use to run this add-on.
- You must be running version 8.1 or later of Splunk Platform.
- For Splunk Enterprise system requirements: see System Requirements in the Splunk Enterprise Installation Manual.
- If you manage on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.
Release notes for the Splunk Add-on for CyberArk EPM¶
Version 3.1.0 of the Splunk Add-on for CyberArk EPM was released on July 24, 2025.
About this release¶
Version 3.1.0 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 9.x, 10.0.x |
| CIM | 6.1.0 |
| Platforms | Platform independent |
| Vendor Products | CyberArk Endpoint Privilege Manager v21.1, v23.3.0, v24.5.0, v25.6.1 |
New features¶
- Added support for a SetID filter in the input configuration. A new SetID filter option was added to the following inputs:
  - Admin Audit Logs
  - Inbox Events
  - Policy Audit Events
  - Policies and Computers
  This enhancement introduces a dropdown menu in the input configuration, allowing you to filter event data based on specific SetIDs and collect events specific to the selected SetID.
  Note
  The SetID value will now appear in the raw events for the inputs listed in this section.
- The Common Information Model (CIM) was upgraded from version 5.3.2 to 6.1.0 to maintain compatibility with the latest data models and Splunk best practices.
- Added support for CyberArk EPM API v25.6.1.
Fixed issues¶
Version 3.1.0 of the Splunk Add-on for CyberArk EPM has the following fixed issues. If no issues appear in this section, no issues have yet been reported.
Known issues¶
Version 3.1.0 of the Splunk Add-on for CyberArk EPM has the following reported known issues. If no issues appear in this section, no issues have yet been reported.
Release notes history¶
The latest release of Splunk Add-on for CyberArk EPM is version 3.1.0. For information, see Release notes for the Splunk Add-on for CyberArk EPM.
Version 3.0.0¶
Splunk Add-on for CyberArk EPM version 3.0.0 was released on January 30, 2025.
Compatibility¶
Version 3.0.0 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.x |
| CIM | 5.3.2 |
| Platforms | Platform independent |
| Vendor Products | CyberArk EPM v21.10, v23.3.0, v24.5.0 |
New features¶
- Introduced new input to collect Account Admin Audit Logs for improved tracking of account admin activities.
- Added CIM support of the Change data model to the Account Admin Audit Logs collected using the modular input.
- Added support for the UCC Monitoring Dashboard.
  - This dashboard lets users visualize data volume metrics based on source, index, sourcetype, event trendlines, and so on, and also visualize errors in the Splunk Add-on for CyberArk EPM.
- Added validation for URLs that do not use basic authentication when you provide an EPM Dispatcher Server URL value during account configuration.
Fixed issues¶
Version 3.0.0 of the Splunk Add-on for CyberArk EPM has no reported fixed issues.
Known issues¶
Version 3.0.0 of the Splunk Add-on for CyberArk EPM has no reported known issues.
Version 2.1.0¶
Splunk Add-on for CyberArk EPM version 2.1.0 was released on July 22, 2024.
Compatibility¶
Version 2.1.0 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 9.0.x, 9.1.x, 9.2.x |
| CIM | 5.3.2 |
| Platforms | Platform independent |
| Vendor Products | CyberArk EPM v21.10, v23.3.0, v24.5.0 |
New features¶
- Support for CyberArk EPM APIs v24.5.0.
- Introduced new input for fetching Admin Audit Logs.
- Added CIM support of the Change data model to the Admin Audit Logs collected using the modular input.
- IPv6 support - the Splunk Add-on for CyberArk EPM is now compatible with Splunk running on the IPv6 environment.
- Support of Python 3.9.
Fixed issues¶
Version 2.1.0 of the Splunk Add-on for CyberArk EPM has no reported fixed issues.
Known issues¶
Version 2.1.0 of the Splunk Add-on for CyberArk EPM has no reported known issues.
Version 2.0.1¶
Splunk Add-on for CyberArk EPM version 2.0.1 was released on December 12, 2023.
Compatibility¶
Version 2.0.1 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 9.0.x, 9.1.x |
| CIM | 5.1.0 |
| Platforms | Platform independent |
| Vendor Products | CyberArk EPM v21.10, v23.3.0 |
New features¶
Fixed the security vulnerabilities found in the certifi and urllib3 libraries by upgrading their versions from 2022.12.7 to 2023.11.17 and 1.26.9 to 1.26.18 respectively.
Fixed issues¶
Version 2.0.1 of the Splunk Add-on for CyberArk EPM has no reported fixed issues.
Known issues¶
Version 2.0.1 of the Splunk Add-on for CyberArk EPM has no reported known issues.
Version 2.0.0¶
Splunk Add-on for CyberArk EPM version 2.0.0 was released on March 27, 2023.
Compatibility¶
Version 2.0.0 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 8.1, 8.2, 9.0.x |
| CIM | 5.1.0 |
| Platforms | Platform independent |
| Vendor Products | CyberArk EPM v21.10, v23.3.0 |
New features¶
Version 2.0.0 of the Splunk Add-on for CyberArk EPM provides the following improvements:
- Support for CyberArk EPM APIs v23.3.0
- Support for Raw Events along with Aggregated Events
- Introduced 2 new inputs, Inbox Events and Policy Audit Events, which collect data using both API types
- Introduced 4 new sourcetypes, 2 for each of the new inputs:
  - cyberark:epm:raw:events: Collects Inbox Events from the raw API endpoint
  - cyberark:epm:aggregated:events: Collects Inbox Events from the aggregated API endpoint
  - cyberark:epm:raw:policy:audit: Collects Policy Audit Events from the raw API endpoint
  - cyberark:epm:aggregated:policy:audit: Collects Policy Audit Events from the aggregated API endpoint
- Added a “Start Date” option for the 2 new inputs to start data collection from a chosen date and time
- Provided support of CIM version 5.1.0
- Upgraded certifi library to version 2022.12.7 to fix a security vulnerability
Application Events, Policy Audit, and Threat Detection are marked as deprecated inputs in the UI. When configuring these inputs, a warning message appears that suggests using the newly introduced input to utilize the enhanced APIs introduced by CyberArk. The deprecated inputs will be removed in a future release.
Fixed issues¶
Version 2.0.0 of the Splunk Add-on for CyberArk EPM has no reported fixed issues.
Known issues¶
Version 2.0.0 of the Splunk Add-on for CyberArk EPM has no reported known issues.
Version 1.2.0¶
Splunk Add-on for CyberArk EPM version 1.2.0 was released on December 2, 2021.
Compatibility¶
Version 1.2.0 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 8.0, 8.1, 8.2 |
| CIM | 4.20.2 |
| Platforms | Platform independent |
| Vendor Products | CyberArk EPM v11.6, v21.10 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, see the Splunk Enterprise Release Notes.
New features¶
Version 1.2.0 of the Splunk Add-on for CyberArk EPM provides the following improvements:
- Support for CyberArk EPM v21.10
- Enhanced CIM mapping and compatibility with CIM v4.20.2:
  - For the cyberark:epm:computers sourcetype, added Inventory Data Model mappings.
  - For the cyberark:epm:threat:detection sourcetype, the data model for events with ThreatDetectionAction=Detected has been changed from the Change DM to the Intrusion Detection DM. Due to the DM change, the following changes have been made for these events:
    - The dest field has been removed from these events.
    - The action field value has been changed from read to allowed.
Known issues¶
Version 1.2.0 of the Splunk Add-on for CyberArk EPM has no reported known issues.
Version 1.1.0¶
Splunk Add-on for CyberArk EPM version 1.1.0 was released on July 14, 2021.
Compatibility¶
Version 1.1.0 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 8.0, 8.1, 8.2 |
| CIM | 4.16 |
| Platforms | Platform independent |
| Vendor Products | CyberArk EPM v11.6 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 1.1.0 of the Splunk Add-on for CyberArk EPM provides the following improvements:
- Support for the latest UCC Framework 5.4.3.
- Restarts on search heads are no longer required.
Known issues¶
Version 1.1.0 of the Splunk Add-on for CyberArk EPM has no reported known issues.
Version 1.0.0¶
Compatibility¶
Version 1.0.0 of the Splunk Add-on for CyberArk EPM is compatible with the following software, CIM versions, and platforms.
| Component | Description |
|---|---|
| Splunk platform versions | 8.0 |
| CIM | 4.16 |
| Platforms | Platform independent |
| Vendor Products | CyberArk EPM v11.6 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 1.0.0 of the Splunk Add-on for CyberArk EPM provides the following features:
- Lets a Splunk software administrator pull aggregated events of the Application Events, Policy Audit, and Threat Detection categories using the cloud administration APIs of CyberArk EPM.
- Collects logs related to Policies, Computers, and Computer Groups.
- Supports the following data models (CIM v4.16):
- Change
- Intrusion Detection
- Endpoint
Known issues¶
Version 1.0.0 of the Splunk Add-on for CyberArk EPM has no reported known issues.
Third-party software attribution¶
A complete listing of third-party software information for this add-on is available as a text file for download: Third-party credits.
Installation overview¶
Complete the following steps to install and configure this add-on.
Installation
Install the Splunk Add-on for CyberArk EPM¶
Use the tables to determine where and how to install this add-on in your deployment.
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the installation walkthroughs section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Distributed deployments¶
Use the tables on this page to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on¶
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Installing add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Required | Supported | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install this add-on to all search heads where CyberArk knowledge management is required. |
| Indexers | No | Yes | Not required, because this add-on does not include any index-time operations. |
| Heavy Forwarders | Yes | Yes | |
| Universal Forwarders | No | No | |
Distributed deployment feature compatibility¶
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Actions required |
|---|---|---|
| Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality, but configure inputs only on a forwarder to avoid duplicate data collection. |
| Indexer Clusters | Yes | |
| Deployment Server | Yes | Supported for deploying configured add-on to multiple nodes. |
Installation walkthroughs¶
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
Configuration
Configure the Splunk Add-on for CyberArk EPM¶
Use the user interface to set up CyberArk EPM credentials and optional proxy and logging levels. When you complete this task, you then configure inputs.
Set up your account¶
Use Splunk Web to set up your CyberArk EPM account to collect data and make it available to Splunk.
- In the Splunk Add-on for CyberArk EPM go to the Accounts tab.
- Click Add.
- Add a unique Account Name.
- Add the EPM Dispatcher Server URL. The URL must start with https.
- Add a Username for the CyberArk EPM account.
- Add a Password for the CyberArk EPM account.
- Click Add to save the new account.
Set up Proxy and Logging level¶
If you are using a proxy, you must set up your proxy and logging levels.
- Check Enable Proxy.
- Specify the Host, Port, Username, and Password values.
- Check DNS resolution to perform DNS resolution through your proxy.
- Select your proxy type in the Proxy Type field.
- Optionally select a different Logging level.
- Click Save.
Configure inputs¶
The following input type is new as of version 3.0.0 and collects data through the CyberArk EPM API version 24.5.0. This input has a “Start Date” field which can be configured by the user to collect data from the desired date and time:
- Account Admin Audit Logs
The following input type is new as of version 2.1.0 and collects data through the CyberArk EPM API version 24.5.0. This input has a “Start Date” field which can be configured by the user to collect data from the desired date and time:
- Admin Audit Logs
The following input types are new as of version 2.0.0 and collect data through the CyberArk EPM API version 23.3.0. These inputs have a “Start Date” field which can be configured by the user to collect data from the desired date and time:
- Inbox Events
- Policy Audit Events
The following deprecated inputs may be removed in future releases. We recommend that you use the new inputs, which offer better CyberArk API functionality and an enhanced event schema. For the following input types, by default the Splunk Add-on for CyberArk EPM starts by collecting the data generated within the last six minutes on the EPM server. After that, the add-on collects data based on the last ingested event.
- Application Events (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
- Policy Audit (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
- Threat Detection (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
The Splunk Add-on for CyberArk EPM collects all events for the Policies and Computers input type.
Configure inputs¶
You can use Splunk Web to configure these inputs.
- Go to the Inputs tab.
- Select Create New Input.
- Select an Input Type.
- Enter the details using the following input parameters tables and select the Add button.
Account Admin Audit logs¶
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
| Interval (required) | Data collection interval. (Default value: 360) |
| Index (required) | Index to ingest data in. |
| Start Date (optional) | Date to start the data collection from. Default value is current UTC time - 6 minutes |
Admin Audit logs¶
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
| Interval (required) | Data collection interval. (Default value: 360) |
| Index (required) | Index to ingest data in. |
| Start Date (optional) | Date to start the data collection from. Default value is current UTC time - 6 minutes |
| SetIDs (required) | Fetch data only for the selected Set IDs to ensure targeted and relevant event collection. Note: The SetID value will now appear in the raw events. |
Inbox events¶
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
| Application Type (required) | Type of application that triggers the event. Uses the “IN” filter operation in the API. (Default value: All. Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, AdminTask, URL, UserRequest, Temp, DMG, PKG, MacAdminTask, MacExecutable) |
| Publisher (optional) | A digital signature of the application that triggered the event (if applicable). Uses the “CONTAINS” filter operation in the API. |
| Interval (required) | Data collection interval. (Default value: 360) |
| Index (required) | Index to ingest data in. |
| Justification (optional) | Determines whether the event has justification details (Valid values: NULL, NOTNULL). Uses the “IS” filter operation in the API. |
| Start Date (optional) | Date to start the data collection from. Default value: current UTC time - 6 minutes |
| Api Type (required) | Type of API the user wants to collect data from (Valid values: Raw Events, Aggregated Events). Raw Events API Type brings enriched data and detailed events from the EPM environment. |
| SetIDs (required) | Fetch data only for the selected Set IDs to ensure targeted and relevant event collection. Note: The SetID value will now appear in the raw events. |
Policy Audit events¶
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
| Application Type (required) | Type of application that triggers the event. Uses the “IN” filter operation in the API. (Default value: All. Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, AdminTask, URL, UserRequest, Temp, DMG, PKG, MacAdminTask, MacExecutable) |
| Publisher (optional) | A digital signature of the application that triggered the event (if applicable). Uses the “CONTAINS” filter operation in the API. |
| Policy Name (optional) | Name of the policy that triggers the event. Uses the “CONTAINS” filter operation in the API. |
| Interval (required) | Data collection interval. (Default value: 360) |
| Index (required) | Index to ingest data in. |
| Justification (optional) | Determines whether the event has justification details (Valid values: NULL, NOTNULL). Uses the “IS” filter operation in the API. |
| Start Date (optional) | Date to start the data collection from. Default value: current UTC time - 6 minutes |
| Api Type (required) | Type of API the user wants to collect data from (Valid values: Raw Events, Aggregated Events). Raw Events API Type brings enriched data and detailed events from the EPM environment. |
| SetIDs (required) | Fetch data only for the selected Set IDs to ensure targeted and relevant event collection. Note: The SetID value will now appear in the raw events. |
Policies and Computers¶
Note that the Interval field cannot be modified and is fixed at 86400 seconds. Each invocation fetches all available events.
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to get the data in. The account should be configured on the Configuration page. |
| Collect Data For (required) | Collects data for selected options. Default value: Policies, Computers, or Computer Groups |
| Collect Policy Details | A checkbox to collect the Policy details. |
| Index (required) | Index to ingest data in. |
| SetIDs (required) | Fetch data only for the selected Set IDs to ensure targeted and relevant event collection. Note: The SetID value will now appear in the raw events. |
Configure inputs (deprecated)¶
You can use Splunk Web to configure these inputs.
- Open the Inputs tab.
- Click Create New Input.
- Select an Input Type.
- Enter the details using the following input parameters tables and click on the Add button.
Application Events (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)¶
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
| Application Type (required) | Type of application that triggers the event. (Default value: All, Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, DMG, PKG) |
| Publisher | A digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported. |
| Interval (required) | Data collection interval. It should be in a range of 360 to 3600 seconds. |
| Index (required) | Index to ingest data in. |
| Justification (required) | Determines if the event has justification details (Default value: All, Valid values: All, WithJustification). |
Policy Audit (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)¶
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to get the data in. The account should be configured on the Configuration page. |
| Application Type (required) | Type of application that triggers the event. (Default value: All, Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, DMG, PKG) |
| Publisher | A digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported. |
| Policy Name | Name of the policy that triggers the event. Wildcards are supported. |
| Interval (required) | Data collection interval. It should be in a range of 360 to 3600 seconds. |
| Index (required) | Index to ingest data in. |
| Justification (required) | Determines if the event has justification details (Default value: All, Valid values: All, WithJustification). |
Threat Detection (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)¶
| Field | Description |
|---|---|
| Account (required) | The CyberArk EPM account to get the data in. The account should be configured on the Configuration page. |
| Publisher | A digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported. |
| Policy Name | Name of the policy that triggers the event. Wildcards are supported. |
| Interval (required) | Data collection interval. It should be in a range of 360 to 3600 seconds. |
| Index (required) | Index to ingest data in. |
Troubleshooting
Troubleshoot the Splunk Add-on for CyberArk EPM¶
For troubleshooting tips that apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Delay in data ingestion¶
Before performing the task below, verify that you provided the correct CyberArk EPM account information and that your inputs are configured correctly.
Verify your API call limits:
- Go to Configuration > Logging and set the log level to DEBUG.
- Run the following search: `index="_internal" source="*splunk_ta_cyberark_epm*" "Maximum limit"`
- Check for the following log message: `Maximum limit <number> for number of API calls exceeded. Going into sleep for <number> minute(s)`. This message indicates that the input is working but has hit the API limit of your account.
- To increase the API limit for your account, contact CyberArk Support at support@cyberark.com.
If you face any errors related to API limitations for new inputs, it might be because of the API limitations of CyberArk EPM v23.3.0. See the CyberArk documentation for more details at https://community.cyberark.com/s/article/EPM-RestAPI-Limitations.
Data is not ingested in Splunk¶
For best results when experiencing issues in data ingestion or data collection, use the Splunk Add-on for CyberArk EPM v2.0.0 or later for its enhanced functionality.
- Verify Account and Inputs are configured properly.
- Verify KV Store is enabled and working.
- Check that data is available within the time range. By default, the add-on starts collecting the data generated within the last 6 minutes on the EPM server. After that, it collects the data as per the last ingested event.
- To collect historical data, you can utilize the “Start Date” field provided in the new inputs.
Note
See CyberArk EPM API limitation documentation for details regarding number of allowed API calls within a time range.
Event truncation¶
For the cyberark:epm:policies sourcetype, when the user selects the collect_policy_details option to collect the details of the policy, the event might be truncated: the policy details can be long, and Splunk allows an event of at most 10k bytes.
Issue with account configuration¶
- If the “EPM server cannot process the request. Bad Request” error is encountered in the UI during account configuration, make sure there is no whitespace in the username field.
- If the “Could not connect to CyberArk Server. Check Network and Configuration settings.” error is encountered in the UI during account configuration, make sure that the EPM server can be reached and that the URL does not contain any whitespace.
- To further troubleshoot any issue, check the log files.
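The checks this troubleshooting section walks through, as an added example that is not the add-on's own code: it validates account fields against the two UI errors above, parses the API-limit message from constructed `_internal` log lines, flags a policy event that would exceed the 10k byte limit, and computes the default six-minute collection window described under Configure inputs. The function names, sample log lines, sample event and the assumed precedence of checkpoint over Start Date are all constructed here.

```python
"""Troubleshooting helpers for the Splunk Add-on for CyberArk EPM.

Added example; this is not the add-on's own code. The function names, the
_internal log lines and the policy event below are constructed to mirror
the symptoms described in this troubleshooting section.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def check_account(dispatcher_url: str, username: str) -> List[str]:
    """Return the documented causes of the two account-configuration UI errors.

    Per the page: the EPM Dispatcher Server URL must start with https, and
    whitespace in either the URL or the username breaks account setup.
    """
    problems = []
    if any(c.isspace() for c in dispatcher_url):
        problems.append("EPM Dispatcher Server URL contains whitespace")
    parts = urlsplit(dispatcher_url.strip())
    if parts.scheme != "https":
        problems.append("EPM Dispatcher Server URL must start with https")
    if not parts.netloc:
        problems.append("EPM Dispatcher Server URL has no host name")
    if any(c.isspace() for c in username):
        problems.append("username contains whitespace")
    return problems


# The DEBUG-level message that the index="_internal" search above looks for.
API_LIMIT_RE = re.compile(
    r"Maximum limit (?P<limit>\d+) for number of API calls exceeded\. "
    r"Going into sleep for (?P<minutes>\d+) minute\(s\)"
)


def api_limit_hits(log_lines) -> List[Tuple[int, int]]:
    """Return (api_limit, sleep_minutes) for every API-limit message seen.

    A non-empty result means the input is working but is throttled by the
    account's API call limit, not broken.
    """
    hits = []
    for line in log_lines:
        match = API_LIMIT_RE.search(line)
        if match:
            hits.append((int(match.group("limit")), int(match.group("minutes"))))
    return hits


# Splunk event size limit quoted in the "Event truncation" section.
MAX_EVENT_BYTES = 10_000


def truncation_risk(event: dict) -> bool:
    """True if a serialised cyberark:epm:policies event would exceed 10k bytes."""
    raw = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return len(raw) > MAX_EVENT_BYTES


DEFAULT_LOOKBACK = timedelta(minutes=6)  # documented first-run default
SAMPLE_NOW = datetime(2025, 7, 24, 12, 0, tzinfo=timezone.utc)  # constructed


def expected_window(now: datetime, start_date: Optional[datetime] = None,
                    last_event_time: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Window the add-on is expected to query, per the Configure inputs section.

    Assumed precedence: a checkpoint from the last ingested event, else an
    operator-supplied Start Date, else the documented default of now - 6 minutes.
    Use it to confirm that the EPM data you expect actually falls in this range.
    """
    if last_event_time is not None:
        start = last_event_time
    elif start_date is not None:
        start = start_date
    else:
        start = now - DEFAULT_LOOKBACK
    if start > now:
        raise ValueError("collection window start is in the future")
    return start, now


# Constructed sample lines in the shape of the add-on's _internal log output.
SAMPLE_LOG = [
    "2025-07-24 10:00:01,000 INFO pid=4242 | Starting data collection for input inbox_events",
    "2025-07-24 10:00:07,512 WARNING pid=4242 | Maximum limit 200 for number of API calls exceeded. Going into sleep for 5 minute(s)",
    "2025-07-24 10:05:08,001 INFO pid=4242 | Resuming data collection",
    "2025-07-24 10:09:30,880 WARNING pid=4242 | Maximum limit 200 for number of API calls exceeded. Going into sleep for 10 minute(s)",
]

if __name__ == "__main__":
    print("account problems:", check_account("http://epm.example.com ", "svc splunk"))
    print("api limit hits:", api_limit_hits(SAMPLE_LOG))
    print("truncation risk:", truncation_risk({"PolicyName": "x" * 20000}))
    print("default window:", expected_window(SAMPLE_NOW))
```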
Reference
Events for the Splunk Add-on for CyberArk EPM¶
This section lists some of the most relevant EPM events you can collect.
Account Admin Audit Logs¶
- Account related action carried out by EPM administrator.
Admin Audit Logs¶
- Action carried out by EPM administrator.
Credential theft¶
- Browsers
- IT applications
- Remote Access Applications
- Windows OS
Privilege threats¶
- Request to boot in Safe Mode
- Request to set “Always Install Elevated”
- Privilege deception
- Privilege Management events
High risk applications¶
- CMD
- PowerShell
- admin tasks (for example, mmc, local groups, network settings, and so on.)
- Unsigned applications that require elevation
- Blocked applications due to organization policy
- Creation of a JIT policy
You can identify these events using a combination of output fields (like EventName, EventType, PolicyName, Action, and so on) as described in your CyberArk EPM documentation.
Lookups for the Splunk Add-on for CyberArk EPM¶
The Splunk Add-on for CyberArk EPM has the following lookups. The CSV lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_cyberark_epm/lookups.
| Lookup name | Description |
|---|---|
| cyberark_epm_action_name.csv | The Action (integer) field from the event is mapped to the ActionName field in the cyberark:epm:policies sourcetype |
Source types¶
The Splunk Add-on for CyberArk EPM supports the following source types.
| Source type | Event type | CIM compatibility |
|---|---|---|
| cyberark:epm:account:admin:audit | cyberark_epm_account_admin_audit_logs_all_changes, cyberark_epm_account_admin_audit_logs_account_changes | Change - All_Changes, Change - Account_Management |
| cyberark:epm:admin:audit | cyberark_epm_admin_audit_logs_all_changes, cyberark_epm_admin_audit_logs_account_changes | Change - All_Changes, Change - Account_Management |
| cyberark:epm:application:events | cyberark_epm_endoint_process | Endpoint - Processes |
| cyberark:epm:policy:audit | cyberark_epm_endoint_process | Endpoint - Processes |
| cyberark:epm:threat:detection | cyberark_epm_attack | Intrusion Detection |
| cyberark:epm:policies | N/A | N/A |
| cyberark:epm:computers | cyberark_epm_computers | Inventory |
| cyberark:epm:computer:groups | N/A | N/A |
| cyberark:epm:raw:events | cyberark_epm_raw_events_endpoint_process, cyberark_epm_events_ids_attack, cyberark_epm_events_malware_attack | Endpoint - Processes, Intrusion Detection, Malware Attacks |
| cyberark:epm:aggregated:events | cyberark_epm_events_ids_attack, cyberark_epm_events_malware_attack | Intrusion Detection, Malware Attacks |
| cyberark:epm:raw:policy:audit | cyberark_epm_raw_policyaudit_endpoint_process | Endpoint - Processes |
| cyberark:epm:aggregated:policy:audit | N/A | N/A |