Vendor - CyberArk

Product - EPV

Ref	Link
Splunk Add-on CyberArk	https://splunkbase.splunk.com/app/2891/
Add-on Manual	https://docs.splunk.com/Documentation/AddOns/latest/CyberArk/About

Sourcetypes

sourcetype	notes
cyberark:epv:cef	None

Index Configuration

key	sourcetype	index	notes
CyberArk_Vault	cyberark:epv:cef	netauth	none

Filter type

MSG Parse: This filter parses message content

Options

Variable	default	description
SC4S_LISTEN_CEF_TCP_PORT	empty string	Enable a TCP port for this specific vendor product using a comma-separated list of port numbers

• NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.

Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

index=<asconfigured> (sourcetype=cef sourcetype="cyberark:epv:cef")

Product - PTA

Ref	Link
Splunk Add-on CyberArk	https://splunkbase.splunk.com/app/2891/
Add-on Manual	https://docs.splunk.com/Documentation/AddOns/latest/CyberArk/About

Sourcetypes

sourcetype	notes
cyberark:pta:cef	None

Index Configuration

key	sourcetype	index	notes
Cyber-Ark_Vault	cyberark:pta:cef	main	none

Filter type

MSG Parse: This filter parses message content

Options

Variable	default	description
SC4S_LISTEN_CEF_TCP_PORT	empty string	Enable a TCP port for this specific vendor product using a comma-separated list of port numbers

• NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.

Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

index=<asconfigured> (sourcetype=cef sourcetype="cyberark:pta:cef")