Release notes for the Splunk Add-on for CyberArk

Version 1.2.0 of the Splunk Add-on for CyberArk was released on December 2, 2021.

About this release

Version 1.2.0 of the Splunk Add-on for CyberArk is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.0, 8.1, 8.2
CIM	4.20.2
Platforms	Platform independent
Vendor Products	Privileged Threat Analytics (PTA) 12.2, Enterprise Password Vault (EPV) 12.2

Version 1.2.0 of the Splunk Add-on for CyberArk has the following new features.

Added the support for the latest CyberArk Enterprise Password Vault 12.2 and CyberArk Privileged Threat Analytics 12.2.
Added support for the latest Splunk Common Information Model version 4.20.2.

See the following tables for information on field changes between 1.1.0 and 1.2.0:

Source-type	sourcetype	Fields added	Fields removed
`['cyberark:epv:cef']`	cyberark:epv:cef	EventID, user_name, src_user_name, id, result_id, SourceAddress, object_id, description, signature_id

Source-type	sourcetype	Fields added	Fields removed
`['cyberark:pta:cef']`	cyberark:pta:cef	user_name, dvc, description

See the following table for a list of fields modified between 1.1.0 and 1.2.0:

Sourcetype	CIM Field	cef_name	Vendor Field in 1.1.1	Vendor Field in 1.2.0
cyberark:epv:cef	object	Add Location, Delete Location, Rename/Move Location, Update Location	suser, Example: user404	Static: location
Delete Group	suser, Example: user404	Static: group
Move Network Area, Rename Network Area, Update Network Area	suser, Example: user404	Static: network area
object_category	Add Note	Static: unknown	Static: note
Failure:CPM Reconcile Password Failed	Static: User	Sttaic: user
Clear User History	Static: file	Static: user
Failure: Open/Close Safe, Safe Access through Gateway	Static: object	Static: safe
Update Address	Static: unknown	Static: user
change_type	Add Owner, Update Owner	Static: vault	Static: Vault
Delete Group	Static: Group	Static: AAA
Set Password	Static: Password	Static: AAA
action	Failure:CPM Reconcile Password Failed	created	modified
Failure: User Has Expired, Failure: User Is Disabled	read	failure
result	Delete Folder	N/A	Static: folder deleted
Lock As Draft	N/A	Static: draft locked
Move File	N/A	Static: file moved
Rename File	N/A	Static: file renamed
reason	Window Title	reason, Example: explorer.exe	Static: success
`cyberar:pta:cef`	signature_id	All	EventId, Example: a2f3c7eb-0a56-41c9-8b55-99ceaab6cc97	cef_signature, Example: 24
severity		Static: unknown	Static: low
dest_type		Static: storage	Static: instance

See the following CIM model changes between 1.1.0 and 1.2.0:

Sourcetype	cef_name	Previous CIM model	New CIM model
cyberark:epv:cef	Set Password, Delete Group	Change:All_Changes	Change:Account_Management
User Has Expired, User Is Disabled	Change:Auditing_Changes	Authentication:Authentication
Update Safe, Delete Safe	Change:Account_Management	Change:All_Changes
Monitor DR Replication start, Monitor DR Replication end, Monitor Backup Replication start, Monitor Backup Replication end	N/A	Change:All_Changes
Privileged Threat Analytics Event	N/A	Alerts:Alerts
Update existing Add Account Bulk Operation succeeded	N/A	Change:Account_Management
`cyberark:pta:cef`	Privileged access to the Vault from irregular	N/A	Alerts:Alerts

Version 1.2.0 of the Splunk Add-on for CyberArk contains the following fixed issues. If this section is blank, there are no fixed issues.

Version 1.2.0 of the Splunk Add-on for CyberArk contains the following known issues. If this section is blank, there are no known issues.

Version 1.2.0 of the Splunk Add-on for CyberArk does not incorporate any third-party software.