Splunk® Supported Add-ons

Splunk Add-on for CyberArk

Release notes for the Splunk Add-on for CyberArk

Version 1.2.0 of the Splunk Add-on for CyberArk was released on December 2, 2021.

About this release

Version 1.2.0 of the Splunk Add-on for CyberArk is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0, 8.1, 8.2
CIM 4.20.2
Platforms Platform independent
Vendor Products Privileged Threat Analytics (PTA) 12.2, Enterprise Password Vault (EPV) 12.2

New features

Version 1.2.0 of the Splunk Add-on for CyberArk has the following new features.

  • Added the support for the latest CyberArk Enterprise Password Vault 12.2 and CyberArk Privileged Threat Analytics 12.2.
  • Added support for the latest Splunk Common Information Model version 4.20.2.

See the following tables for information on field changes between 1.1.0 and 1.2.0:

Source-type sourcetype Fields added Fields removed
['cyberark:epv:cef'] cyberark:epv:cef EventID, user_name, src_user_name, id, result_id, SourceAddress, object_id, description, signature_id
Source-type sourcetype Fields added Fields removed
['cyberark:pta:cef'] cyberark:pta:cef user_name, dvc, description


See the following table for a list of fields modified between 1.1.0 and 1.2.0:

Sourcetype CIM Field cef_name Vendor Field in 1.1.1 Vendor Field in 1.2.0
cyberark:epv:cef object Add Location, Delete Location, Rename/Move Location, Update Location suser,
Example: user404
Static: location
Delete Group suser,
Example: user404
Static: group
Move Network Area, Rename Network Area, Update Network Area suser,
Example: user404
Static: network area
object_category Add Note Static: unknown Static: note
Failure:CPM Reconcile Password Failed Static: User Sttaic: user
Clear User History Static: file Static: user
Failure: Open/Close Safe, Safe Access through Gateway Static: object Static: safe
Update Address Static: unknown Static: user
change_type Add Owner, Update Owner Static: vault Static: Vault
Delete Group Static: Group Static: AAA
Set Password Static: Password Static: AAA
action Failure:CPM Reconcile Password Failed created modified
Failure: User Has Expired, Failure: User Is Disabled read failure
result Delete Folder N/A Static: folder deleted
Lock As Draft N/A Static: draft locked
Move File N/A Static: file moved
Rename File N/A Static: file renamed
reason Window Title reason,
Example: explorer.exe
Static: success
cyberar:pta:cef signature_id All EventId,
Example: a2f3c7eb-0a56-41c9-8b55-99ceaab6cc97
cef_signature,
Example: 24
severity Static: unknown Static: low
dest_type Static: storage Static: instance


CIM model changes

See the following CIM model changes between 1.1.0 and 1.2.0:

Sourcetype cef_name Previous CIM model New CIM model
cyberark:epv:cef Set Password, Delete Group Change:All_Changes Change:Account_Management
User Has Expired, User Is Disabled Change:Auditing_Changes Authentication:Authentication
Update Safe, Delete Safe Change:Account_Management Change:All_Changes
Monitor DR Replication start, Monitor DR Replication end, Monitor Backup Replication start, Monitor Backup Replication end N/A Change:All_Changes
Privileged Threat Analytics Event N/A Alerts:Alerts
Update existing Add Account Bulk Operation succeeded N/A Change:Account_Management
cyberark:pta:cef Privileged access to the Vault from irregular N/A Alerts:Alerts


Fixed issues

Version 1.2.0 of the Splunk Add-on for CyberArk contains the following fixed issues. If this section is blank, there are no fixed issues.

Known issues

Version 1.2.0 of the Splunk Add-on for CyberArk contains the following known issues. If this section is blank, there are no known issues.

Third-party software attributions

Version 1.2.0 of the Splunk Add-on for CyberArk does not incorporate any third-party software.

Last modified on 08 December, 2021
Source types for the Splunk Add-on for CyberArk   Release notes history

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters