Splunk® Supported Add-ons

Splunk Add-on for CyberArk EPM

Events for the Splunk Add-on for Cyberark EPM

Here are some of the most relevant EPM events you can collect.

Admin Audit Logs

  • Action carried out by EPM administrator.

Credential theft

  • Browsers
  • IT applications
  • Remote Access Applications
  • Windows OS

Privilege threats

Request to boot in Safe Mode Request to set "Always Install Elevated" Privilege deception Privilege Management events

High risk applications

  • CMD
  • PowerShell
  • admin tasks (e.g. mmc, local groups, network settings, etc.)
  • Unsigned applications that require elevation
  • Blocked applications due to organization policy
  • Creation of a JIT policy

You can identify these events using a combination of output fields (like EventName, EventType, PolicyName, Action etc.) as described in your CyberArk EPM documentation.

Last modified on 22 July, 2024
Source types   Lookups for the Splunk Add-on for CyberArk EPM

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters