Splunk® Supported Add-ons

Splunk Add-on for CyberArk EPM


Configure inputs

The following input types were introduced in version 2.0.0 and collect data through CyberArk EPM API version 23.3.0. Each of these inputs has a "Start Date" field that you can set to collect data from a chosen date and time:

  • Inbox Events
  • Policy Audit Events

The following deprecated inputs may be removed in future releases. We recommend using the new inputs, which use newer CyberArk API functionality and an enhanced event schema. For the following input types, the Splunk Add-on for CyberArk EPM by default starts by collecting the data generated within the last six minutes on the EPM server. After that, the add-on collects data starting from the last ingested event.

  • Application Events (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
  • Policy Audit (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)
  • Threat Detection (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)

The Splunk Add-on for CyberArk EPM collects all events for the Policies and Computers input type.

Configure Inputs

You can use Splunk Web to configure these inputs.

  1. Open the Inputs tab.
  2. Click Create New Input.
  3. Select an Input Type.
  4. Enter the details described in the following input parameter tables and click Add.

Inbox Events

  • Account (required): The CyberArk EPM account used to get the data. The account must already be configured on the Configuration page.
  • Application Type (required): Type of application that triggers the event. Uses the "IN" filter operation in the API. Default value: All. Valid application types as per the CyberArk EPM API documentation: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, AdminTask, URL, UserRequest, Temp, DMG, PKG, MacAdminTask, MacExecutable.
  • Publisher (optional): Digital signature of the application that triggered the event (if applicable). Uses the "CONTAINS" filter operation in the API.
  • Interval (required): Data collection interval in seconds. Default value: 360.
  • Index (required): Index to ingest the data into.
  • Justification (optional): Determines whether the event has justification details. Valid values: NULL, NOTNULL. Uses the "IS" filter operation in the API.
  • Start Date (optional): Date and time to start the data collection from. Default value: current UTC time minus 6 minutes.
  • Api Type (required): Type of API to collect data from. Valid values: Raw Events, Aggregated Events. The Raw Events API type returns enriched data and detailed events from the EPM environment.

Policy Audit Events

  • Account (required): The CyberArk EPM account used to get the data. The account must already be configured on the Configuration page.
  • Application Type (required): Type of application that triggers the event. Uses the "IN" filter operation in the API. Default value: All. Valid application types as per the CyberArk EPM API documentation: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, AdminTask, URL, UserRequest, Temp, DMG, PKG, MacAdminTask, MacExecutable.
  • Publisher (optional): Digital signature of the application that triggered the event (if applicable). Uses the "CONTAINS" filter operation in the API.
  • Policy Name (optional): Name of the policy that triggers the event. Uses the "CONTAINS" filter operation in the API.
  • Interval (required): Data collection interval in seconds. Default value: 360.
  • Index (required): Index to ingest the data into.
  • Justification (optional): Determines whether the event has justification details. Valid values: NULL, NOTNULL. Uses the "IS" filter operation in the API.
  • Start Date (optional): Date and time to start the data collection from. Default value: current UTC time minus 6 minutes.
  • Api Type (required): Type of API to collect data from. Valid values: Raw Events, Aggregated Events. The Raw Events API type returns enriched data and detailed events from the EPM environment.

Policies and Computers

Note that the Interval field cannot be modified for this input and is fixed at 86400 seconds. The input fetches all available data on each invocation.

  • Account (required): The CyberArk EPM account used to get the data. The account must already be configured on the Configuration page.
  • Collect Data For (required): Collects data for the selected options. Default value: Policies, Computers, or Computer Groups.
  • Collect Policy Details: A checkbox; select it to also collect the policy details.
  • Index (required): Index to ingest the data into.

Configure inputs (deprecated)

You can use Splunk Web to configure these inputs.

  1. Open the Inputs tab.
  2. Click Create New Input.
  3. Select an Input Type.
  4. Enter the details described in the following input parameter tables and click Add.

Application Events (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)

  • Account (required): The CyberArk EPM account used to get the data. The account must already be configured on the Configuration page.
  • Application Type (required): Type of application that triggers the event. Default value: All. Valid application types as per the CyberArk EPM API documentation: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, DMG, PKG.
  • Publisher: Digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported.
  • Interval (required): Data collection interval in seconds. It must be in the range 360 to 3600 seconds.
  • Index (required): Index to ingest the data into.
  • Justification (required): Determines whether the event has justification details. Default value: All. Valid values: All, WithJustification.

Policy Audit (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)

  • Account (required): The CyberArk EPM account used to get the data. The account must already be configured on the Configuration page.
  • Application Type (required): Type of application that triggers the event. Default value: All. Valid application types as per the CyberArk EPM API documentation: Executable, Script, MSI, MSU, ActiveX, Com, Win8App, DLL, DMG, PKG.
  • Publisher: Digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported.
  • Policy Name: Name of the policy that triggers the event. Wildcards are supported.
  • Interval (required): Data collection interval in seconds. It must be in the range 360 to 3600 seconds.
  • Index (required): Index to ingest the data into.
  • Justification (required): Determines whether the event has justification details. Default value: All. Valid values: All, WithJustification.

Threat Detection (deprecated as of Splunk Add-on for CyberArk EPM v2.0.0)

  • Account (required): The CyberArk EPM account used to get the data. The account must already be configured on the Configuration page.
  • Publisher: Digital signature of the application that triggered the event (if applicable). Wildcards and unsigned are supported.
  • Policy Name: Name of the policy that triggers the event. Wildcards are supported.
  • Interval (required): Data collection interval in seconds. It must be in the range 360 to 3600 seconds.
  • Index (required): Index to ingest the data into.
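The parameter tables above (both the version 2.0.0 inputs and the deprecated ones) spell out required fields, valid values, interval limits and the six-minute default lookback, which is what a reviewer checks before committing an input definition. The following is an added example, not code from the add-on or from Splunk, that encodes those rules as a small validator and shows how the optional fields map onto the filter operations the tables name (IN, CONTAINS, IS) and how the collection start point moves from the default lookback to the last ingested event. The dictionary keys (account, application_type, publisher, ...) and the sample values are assumptions made for the example; they are not the add-on's configuration keys.

```python
"""Validator for a Splunk Add-on for CyberArk EPM input definition (added example).

Encodes the valid values, defaults and limits listed in this page's parameter
tables. Dictionary keys and sample values are assumptions for illustration,
not the add-on's own configuration keys.
"""
from datetime import datetime, timedelta, timezone

# Valid values taken from the Inbox Events / Policy Audit Events tables.
APPLICATION_TYPES = {
    "Executable", "Script", "MSI", "MSU", "ActiveX", "Com", "Win8App", "DLL",
    "AdminTask", "URL", "UserRequest", "Temp", "DMG", "PKG", "MacAdminTask",
    "MacExecutable",
}
JUSTIFICATION_VALUES = {"NULL", "NOTNULL"}              # new inputs
DEPRECATED_JUSTIFICATION_VALUES = {"All", "WithJustification"}  # deprecated inputs
API_TYPES = {"Raw Events", "Aggregated Events"}
DEFAULT_INTERVAL = 360                     # seconds, default for the new inputs
DEPRECATED_INTERVAL_RANGE = (360, 3600)    # seconds, limits for the deprecated inputs
START_DATE_LOOKBACK = timedelta(minutes=6)

# Constructed timestamp used by the stand-alone run and the checks below.
SAMPLE_NOW = datetime(2023, 12, 13, 12, 0, tzinfo=timezone.utc)


def default_start_date(now):
    """Start Date default from the tables: current UTC time minus 6 minutes."""
    return now.astimezone(timezone.utc) - START_DATE_LOOKBACK


def next_collection_start(last_ingested, now):
    """First run uses the six-minute lookback; later runs resume from the
    timestamp of the last ingested event, as the page describes."""
    return last_ingested if last_ingested is not None else default_start_date(now)


def validate_input(cfg, deprecated=False):
    """Return a list of problems with an Inbox Events / Policy Audit Events
    definition (or a deprecated Application Events / Policy Audit definition
    when deprecated=True). An empty list means the definition is acceptable."""
    problems = []
    required = ["account", "application_type", "interval", "index"]
    if not deprecated:
        required.append("api_type")
    for key in required:
        if cfg.get(key) in (None, "", []):
            problems.append(f"{key} is required")

    app_types = cfg.get("application_type") or []
    if app_types != ["All"]:
        problems += [f"unknown application type: {t}" for t in app_types
                     if t not in APPLICATION_TYPES]

    interval = cfg.get("interval")
    if isinstance(interval, int):
        lo, hi = DEPRECATED_INTERVAL_RANGE
        if deprecated and not lo <= interval <= hi:
            problems.append(f"interval {interval} outside {lo}-{hi} seconds")
        elif interval <= 0:
            problems.append("interval must be positive")
    elif interval is not None:
        problems.append("interval must be an integer number of seconds")

    just = cfg.get("justification")
    if deprecated:
        if just not in DEPRECATED_JUSTIFICATION_VALUES:   # required on deprecated inputs
            problems.append("justification must be All or WithJustification")
    elif just is not None and just not in JUSTIFICATION_VALUES:
        problems.append("justification must be NULL or NOTNULL")

    api_type = cfg.get("api_type")
    if not deprecated and api_type and api_type not in API_TYPES:
        problems.append("api_type must be 'Raw Events' or 'Aggregated Events'")
    return problems


def build_filters(cfg):
    """Map the filterable fields onto the filter operations the tables name
    (IN, CONTAINS, IS). Returns (field, operation, value) tuples; the field
    labels are the table's column names, not the API's parameter names."""
    filters = []
    app_types = cfg.get("application_type") or ["All"]
    if app_types != ["All"]:
        filters.append(("Application Type", "IN", sorted(app_types)))
    if cfg.get("publisher"):
        filters.append(("Publisher", "CONTAINS", cfg["publisher"]))
    if cfg.get("policy_name"):
        filters.append(("Policy Name", "CONTAINS", cfg["policy_name"]))
    if cfg.get("justification"):
        filters.append(("Justification", "IS", cfg["justification"]))
    return filters


# Constructed sample definition; values are illustrative, not from a real deployment.
SAMPLE_INPUT = {
    "account": "epm_prod",
    "application_type": ["Executable", "Script"],
    "publisher": "Contoso",
    "interval": DEFAULT_INTERVAL,
    "index": "cyberark",
    "justification": "NOTNULL",
    "api_type": "Raw Events",
}

if __name__ == "__main__":
    print("problems:", validate_input(SAMPLE_INPUT))
    print("start from:", next_collection_start(None, SAMPLE_NOW).isoformat())
    print("filters:", build_filters(SAMPLE_INPUT))
```

Running the script with the sample definition reports no problems, a start point six minutes before SAMPLE_NOW, and three filters (Application Type IN, Publisher CONTAINS, Justification IS). Passing deprecated=True switches the checks to the older tables' rules: the 360 to 3600 second interval range and the All / WithJustification justification values.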
Last modified on 13 December, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released

