Configure inputs
The following input type is new as of version 2.1.0 and collects data through the CyberArk EPM API version 24.5.0. This input has a "Start Date" field which can be configured by the user to collect data from the desired date and time:
- Admin Audit Logs
The following input types are new as of version 2.0.0 and collect data through the CyberArk EPM API version 23.3.0. These inputs have a "Start Date" field which can be configured by the user to collect data from the desired date and time:
- Inbox Events
- Policy Audit Events
The following deprecated inputs may be removed in future releases. We recommend that you use the new inputs which have better CyberArk API functionalities and enhanced event schema. For the following input types, by default, Splunk Add-on for CyberArk EPM starts collecting the data generated within the last six minutes on the EPM server. After that, the add-on collects the data based on the last ingested event.
- Application Events (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
- Policy Audit (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
- Threat Detection (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
The Splunk Add-on for CyberArk EPM collects all events for the Policies and Computers input type.
Configure Inputs
You can use Splunk Web to configure these inputs.
- Open the Inputs tab.
- Click Create New Input.
- Select an Input Type.
- Enter the details using the following input parameters tables and click on the Add button.
Admin Audit Logs
Field | Description |
---|---|
Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
Interval (required) | Data collection interval. (Default value: 360) |
Index (required) | Index to ingest data in. |
Start Date (optional) | Date to start the data collection from. Default value: current UTC time - 6 minutes |
Inbox Events
Field | Description |
---|---|
Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
Application Type (required) | Type of application that triggers the event. Utilises "IN" filter operation in API. (Default value: All, Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, AdminTask, URL, UserRequest, Temp, DMG, PKG, MacAdminTask, MacExecutable) |
Publisher (optional) | A digital signature of the application that triggered the event (if applicable). Utilises "CONTAINS" filter operation in API |
Interval (required) | Data collection interval. (Default value: 360) |
Index (required) | Index to ingest data in. |
Justification (optional) | Determines if the event has justification details (Valid values: NULL, NOTNULL). Utilises "IS" filter operation in API |
Start Date (optional) | Date to start the data collection from. Default value: current UTC time - 6 minutes |
Api Type (required) | Type of API the user wants to collect data from (Valid values: Raw Events, Aggregated Events). Raw Events API Type brings enriched data and detailed events from the EPM environment. |
Policy Audit Events
Field | Description |
---|---|
Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
Application Type (required) | Type of application that triggers the event. Utilises "IN" filter operation in API. (Default value: All, Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, AdminTask, URL, UserRequest, Temp, DMG, PKG, MacAdminTask, MacExecutable) |
Publisher (optional) | A digital signature of the application that triggered the event (if applicable). Utilises "CONTAINS" filter operation in API |
Policy Name (optional) | Name of the policy that triggers the event. Utilises "CONTAINS" filter operation in API |
Interval (required) | Data collection interval. (Default value: 360) |
Index (required) | Index to ingest data in. |
Justification (optional) | Determines if the event has justification details (Valid values: NULL, NOTNULL). Utilises "IS" filter operation in API |
Start Date (optional) | Date to start the data collection from. Default value: current UTC time - 6 minutes |
Api Type (required) | Type of API the user wants to collect data from (Valid values: Raw Events, Aggregated Events). Raw Events API Type brings enriched data and detailed events from the EPM environment. |
Policies and Computers
Note that the Interval field cannot be modified and is fixed to 86400 seconds. It will fetch all available events on each invocation.
Field | Description |
---|---|
Account (required) | The CyberArk EPM account to get the data in. The account should be configured on the Configuration page. |
Collect Data For (required) | Collects data for the selected options. Default value: Policies, Computers, or Computer Groups |
Collect Policy Details | A checkbox to collect the Policy details. |
Index (required) | Index to ingest data in. |
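The tables above define the rules an Inbox Events or Policy Audit Events definition has to satisfy: required fields, the allowed application types, the NULL/NOTNULL justification values, the two API types, the 360-second default interval, the Start Date default of current UTC time minus 6 minutes, and the filter operation (IN, CONTAINS, IS) each field maps to. The following validator is an added example, not code from the Splunk Add-on for CyberArk EPM or its documentation; the lower-case stanza keys (account, application_type, api_type, ...) and the ISO 8601 Start Date format are assumptions made for illustration, and the filter triples only record which operation the documentation assigns to each field, not the EPM API's actual request syntax.

```python
from datetime import datetime, timedelta, timezone

# Valid values copied from the Inbox Events / Policy Audit Events tables above.
VALID_APPLICATION_TYPES = {
    "Executable", "Script", "MSI", "MSU", "ActiveX", "Com", "Win8App", "DLL",
    "AdminTask", "URL", "UserRequest", "Temp", "DMG", "PKG", "MacAdminTask",
    "MacExecutable",
}
VALID_JUSTIFICATION = {"NULL", "NOTNULL"}
VALID_API_TYPES = {"Raw Events", "Aggregated Events"}
DEFAULT_INTERVAL = 360                      # seconds
START_DATE_LOOKBACK = timedelta(minutes=6)  # "current UTC time - 6 minutes"


def parse_timestamp(raw):
    """Parse an ISO 8601 timestamp (assumed input format); naive values are taken as UTC."""
    stamp = datetime.fromisoformat(raw)
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def default_start_date(now=None):
    """Start Date used when the field is left empty."""
    return (now or datetime.now(timezone.utc)) - START_DATE_LOOKBACK


def validate_event_input(stanza, now=None):
    """Check one input definition given as a dict of field -> string (assumed key names).

    Returns (normalized, errors). `normalized` carries the parsed interval, the
    effective start date, the API type and a list of (field, operation, value)
    triples showing which filter operation the documentation assigns to each field.
    """
    errors, normalized = [], {"filters": []}

    for key in ("account", "index", "application_type", "api_type"):
        if not stanza.get(key):
            errors.append(f"{key} is required")

    # Application Type -> "IN" filter; the default "All" applies no restriction.
    app_types = [t.strip() for t in stanza.get("application_type", "").split(",") if t.strip()]
    if app_types and app_types != ["All"]:
        unknown = sorted(set(app_types) - VALID_APPLICATION_TYPES)
        if unknown:
            errors.append(f"unknown application type(s): {', '.join(unknown)}")
        else:
            normalized["filters"].append(("Application Type", "IN", app_types))

    # Publisher and Policy Name -> "CONTAINS" filters (both optional).
    for key, field in (("publisher", "Publisher"), ("policy_name", "Policy Name")):
        if stanza.get(key):
            normalized["filters"].append((field, "CONTAINS", stanza[key]))

    # Justification -> "IS" filter; only NULL or NOTNULL are valid.
    justification = stanza.get("justification")
    if justification:
        if justification not in VALID_JUSTIFICATION:
            errors.append(f"justification must be one of {sorted(VALID_JUSTIFICATION)}")
        else:
            normalized["filters"].append(("Justification", "IS", justification))

    api_type = stanza.get("api_type")
    if api_type and api_type not in VALID_API_TYPES:
        errors.append(f"api_type must be one of {sorted(VALID_API_TYPES)}")
    normalized["api_type"] = api_type

    # Interval in seconds, defaulting to 360 when left empty.
    raw_interval = stanza.get("interval", "")
    try:
        interval = int(raw_interval) if raw_interval else DEFAULT_INTERVAL
        if interval <= 0:
            raise ValueError
    except ValueError:
        errors.append(f"interval must be a positive integer, got {raw_interval!r}")
        interval = None
    normalized["interval"] = interval

    # Start Date: explicit ISO 8601 value, or now - 6 minutes when empty.
    raw_start = stanza.get("start_date", "")
    try:
        start = parse_timestamp(raw_start) if raw_start else default_start_date(now)
    except ValueError:
        errors.append(f"start_date is not a valid ISO 8601 timestamp: {raw_start!r}")
        start = None
    normalized["start_date"] = start
    return normalized, errors


if __name__ == "__main__":
    # Constructed sample definition, as a user might enter it in Splunk Web.
    sample = {"account": "epm_prod", "index": "cyberark_epm", "api_type": "Raw Events",
              "application_type": "Executable, Script", "justification": "NOTNULL"}
    result, problems = validate_event_input(sample)
    print(result, problems or "no errors")
```

Running the checks before saving the input catches the mistakes that otherwise surface only as an empty index or a failed API call: a misspelled application type, a justification value other than NULL/NOTNULL, or a Start Date that does not parse.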
Configure inputs (deprecated)
You can use Splunk Web to configure these inputs.
- Open the Inputs tab.
- Click Create New Input.
- Select an Input Type.
- Enter the details using the following input parameters tables and click on the Add button.
Application Events (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
Field | Description |
---|---|
Account (required) | The CyberArk EPM account to use to get the data in. The account should already be configured on the Configuration page. |
Application Type (required) | Type of application that triggers the event. (Default value: All, Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, DMG, PKG) |
Publisher | A digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported. |
Interval (required) | Data collection interval. It should be in a range of 360 to 3600 seconds. |
Index (required) | Index to ingest data in. |
Justification (required) | Determines if the event has justification details (Default value: All, Valid values: All, WithJustification). |
Policy Audit (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
Field | Description |
---|---|
Account (required) | The CyberArk EPM account to get the data in. The account should be configured on the Configuration page. |
Application Type (required) | Type of application that triggers the event. (Default value: All, Valid application types as per the API document of CyberArk EPM: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, DMG, PKG) |
Publisher | A digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported. |
Policy Name | Name of the policy that triggers the event. Wildcards are supported. |
Interval (required) | Data collection interval. It should be in a range of 360 to 3600 seconds. |
Index (required) | Index to ingest data in. |
Justification (required) | Determines if the event has justification details (Default value: All, Valid values: All, WithJustification). |
Threat Detection (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
Field | Description |
---|---|
Account (required) | The CyberArk EPM account to get the data in. The account should be configured on the Configuration page. |
Publisher | A digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported. |
Policy Name | Name of the policy that triggers the event. Wildcards are supported. |
Interval (required) | Data collection interval. It should be in a range of 360 to 3600 seconds. |
Index (required) | Index to ingest data in. |