[New integration] CyberArk EPM #11795

@cpascale43

Description

In addition to CyberArk Privileged Access Security and CyberArk PAS, we've also seen strong demand for CyberArk Endpoint Privilege Manager (EPM).

Architecture

CyberArk exposes relevant events via their Web Services API. The integration should ingest the following event types:

See also:

Dashboard Ideas

The dashboard should provide answers to questions about endpoint security posture, user activities and potential threats across the environment managed by CyberArk EPM. It should enable real-time monitoring of privileged access patterns, authentication attempts and application usage. These are a few suggestions:

  • Administrative activity

    • Line graph showing admin actions
    • Heat map of admin activities by date
    • Counter showing total admin sessions and policy changes in last 24h
    • Timeline of policy modifications and deployments
  • Credential theft monitoring

    • Alerts for unusual credential access patterns
    • Distribution of theft attempts by source (browsers, IT applications, remote access applications, Windows OS)
    • Geographic visualization of theft attempts
  • Privilege escalation tracking

    • Bar chart of privilege escalation attempts by type
    • Table of "Always Install Elevated" attempts
    • Privilege deception incident tracking
    • JIT policy creation monitoring
  • High risk application analysis

    • Distribution chart of high-risk app usage (CMD, PowerShell, mmc)
    • Line graph showing unsigned application elevations over time
    • Table of blocked applications due to organization policy

Labels

  • Crest: Contributions from Crest development team.
  • Epic
  • Integration:cyberark_epm: CyberArk EPM
  • New Integration: Issue or pull request for creating a new integration package.
  • Partner
