
CyberArk EPM Event Collector

This Integration is part of the CyberArk Endpoint Privilege Manager Pack.

Supported versions

Supported Cortex XSOAR versions: 8.2.0 and later.

CyberArk EPM Event Collector fetches admin audits, policy audits and detailed (raw) events from the configured CyberArk EPM sets. This integration was integrated and tested with version 23.12.0 of CyberArk EPM.

Configure CyberArk EPM Event Collector in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| SAML/EPM Logon URL | SAML example: https://login.epm.cyberark.com/SAML/Logon. | True |
| Username | | True |
| Password | | True |
| Set name | A comma-separated list of set names. | True |
| Application ID | Required for local (EPM) authentication only. | False |
| Authentication URL | Required for SAML authentication only. Example for PAN OKTA: https://paloaltonetworks.okta.com/api/v1/authn. | False |
| Application URL | Required for SAML authentication only. Example for PAN OKTA: https://paloaltonetworks.okta.com/home/[APP_NAME]/[APP_ID]. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Maximum number of events per fetch | | False |

Leave Trust any certificate (not secure) unchecked in production: it disables TLS certificate validation for every request the collector makes, so the username and password sent to the EPM or SAML logon endpoint can be captured by anyone able to interpose on the path.

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cyberarkepm-get-admin-audits

Gets admin audits from CyberArk EPM.

Base Command

cyberarkepm-get-admin-audits

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| should_push_events | If true, the command pushes the fetched events; otherwise it only displays them. Possible values are: true, false. Default is false. | Required |
| limit | Maximum number of results to return. | Optional |
| from_date | Date to return results from, as an ISO 8601 UTC timestamp (for example '2024-01-01T00:00:00.123Z'). | Optional |

Human Readable Output

Admin Audits

| Administrator | Description | EventTime | Feature | InternalSessionId | LoggedAt | LoggedFrom | PermissionDescription | Role | SetName | _time | eventTypeXsiam |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| admin@paloaltonetworks.com | API Get Admin audit data /API/Sets/47f5830e-383a-4db1-9e5f-b38ed0448a92/AdminAudit?dateFrom=2023-12-17T12:17:35.384Z&limit=250 GET DateFrom: 2023-12-17T12:17:35.384Z, DateTo: , offset: 0, limit: 250 | 2023-12-17T12:38:26.53Z | Public API | 239076 | 2023-12-14T13:09:49.81Z | 1.1.1.1 | None | SetUser | PANW Production(palo alto networks inc.) | 2023-12-17T12:38:26.53Z | set admin audit data |
| admin@paloaltonetworks.com | API Get Admin audit data /API/Sets/47f5830e-383a-4db1-9e5f-b38ed0448a92/AdminAudit?dateFrom=2023-12-17T12:38:01.454Z&limit=250 GET DateFrom: 2023-12-17T12:38:01.454Z, DateTo: , offset: 0, limit: 250 | 2023-12-17T12:39:26.703Z | Public API | 239076 | 2023-12-14T13:09:49.81Z | 1.1.1.1 | None | SetUser | PANW Production(palo alto networks inc.) | 2023-12-17T12:39:26.703Z | set admin audit data |

Context Output

There is no context output for this command.
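The two sample rows above show the fetch loop at work: each call hits /API/Sets/{SetId}/AdminAudit with dateFrom, offset and limit, and dateFrom advances to the newest EventTime already seen. The following Python is an added example of that incremental collector and is not the pack's own integration code. The page only shows the AdminAudit path, its query parameters and the comma-separated Set name parameter; the local logon endpoint (/EPM/API/Auth/EPM/Logon returning EPMAuthenticationResult and ManagerURL), the /EPM/API/Sets listing, the "AdminAudits" response key and the assumption that dateFrom is inclusive are all assumptions to verify against the EPM REST reference. It runs offline against a constructed stand-in (FakeEpm) with constructed sample rows, and demonstrates the edge case a watermark-based collector has to handle: the row sitting exactly at the watermark is fetched again on the next cycle and must be de-duplicated rather than pushed twice.

```python
"""Incremental admin-audit collection against the EPM REST API (added example, not the pack's code).
ASSUMPTIONS not shown on the page, to check against the EPM REST reference: local logon is
POST {logon_url}/EPM/API/Auth/EPM/Logon -> {EPMAuthenticationResult, ManagerURL}; sets come from
GET {ManagerURL}/EPM/API/Sets -> {"Sets": [{"Id", "Name"}]}; audit pages are returned under
"AdminAudits"; dateFrom is inclusive. The page does show the AdminAudit path and dateFrom/offset/limit."""
import json, ssl, urllib.parse, urllib.request
from datetime import datetime, timezone

AUDIT_KEY = "AdminAudits"  # assumed response key

def parse_epm_time(ts):
    """EPM stamps carry 0-3 fractional digits ('...:26.53Z', '...:00Z'); normalise to aware UTC."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros, tzinfo=timezone.utc)

def to_epm_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def urllib_transport(method, url, headers, body):
    """Real transport, TLS verification ON: 'Trust any certificate' would hand the EPM password to a MITM."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)

class EpmClient:
    def __init__(self, logon_url, username, password, application_id, transport=urllib_transport):
        self.logon_url, self.creds = logon_url.rstrip("/"), (username, password, application_id)
        self._transport, self._token, self._manager_url = transport, None, None

    def logon(self):
        user, pw, app = self.creds
        reply = self._transport("POST", self.logon_url + "/EPM/API/Auth/EPM/Logon", {},
                                {"Username": user, "Password": pw, "ApplicationID": app})
        self._token, self._manager_url = reply["EPMAuthenticationResult"], reply["ManagerURL"].rstrip("/")

    def _get(self, path, params=None):
        url = self._manager_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        return self._transport("GET", url, {"Authorization": "basic " + self._token}, None)

    def set_ids(self, set_names):
        """Resolve the comma-separated 'Set name' parameter; an unknown set is a config error, not a silent skip."""
        wanted = {n.strip() for n in set_names.split(",") if n.strip()}
        known = {s["Name"]: s["Id"] for s in self._get("/EPM/API/Sets")["Sets"]}
        if wanted - known.keys():
            raise ValueError(f"unknown EPM set(s): {sorted(wanted - known.keys())}")
        return {n: known[n] for n in sorted(wanted)}

    def admin_audits(self, set_id, date_from, limit=250):
        """Walk AdminAudit pages with offset/limit (as in the page's sample rows) until a short page."""
        offset, rows = 0, None
        while rows is None or len(rows) == limit:
            rows = self._get(f"/EPM/API/Sets/{set_id}/AdminAudit",
                             {"dateFrom": date_from, "offset": offset, "limit": limit}).get(AUDIT_KEY, [])
            yield from rows
            offset += limit

def collect_admin_audits(client, set_names, watermark, boundary_keys, page_size=250):
    """One fetch cycle -> (events, new watermark, keys of rows sitting at that watermark).
    Rows at exactly the watermark come back again next cycle (inclusive dateFrom), so their keys are
    carried over and skipped. Identity = (set, EventTime, Administrator, Description): an assumption,
    because admin audits expose no event id."""
    events, newest, keys_at = [], watermark, {}
    for name, set_id in client.set_ids(set_names).items():
        for row in client.admin_audits(set_id, to_epm_time(watermark), page_size):
            key = (name, row["EventTime"], row["Administrator"], row["Description"])
            if key in boundary_keys:
                continue
            ts = parse_epm_time(row["EventTime"])
            keys_at.setdefault(ts, set()).add(key)
            events.append(dict(row, SetName=name, eventTypeXsiam="set admin audit data"))
            newest = max(newest, ts)
    carried = boundary_keys if newest == watermark else set()
    return events, newest, keys_at.get(newest, set()) | carried

class FakeEpm:
    """Constructed offline stand-in for the endpoints above (sample data, not real audits)."""
    def __init__(self, audits):
        self.audits = audits

    def __call__(self, method, url, headers, body):
        u = urllib.parse.urlparse(url)
        if method == "POST" and u.path.endswith("/Auth/EPM/Logon"):
            return {"EPMAuthenticationResult": "tok", "ManagerURL": "https://manager.example"}
        if headers.get("Authorization") != "basic tok":
            raise PermissionError("missing or wrong EPM token")
        if u.path == "/EPM/API/Sets":
            return {"Sets": [{"Id": "set-1", "Name": "PANW Production"}]}
        q = urllib.parse.parse_qs(u.query)
        since, offset, limit = parse_epm_time(q["dateFrom"][0]), int(q.get("offset", ["0"])[0]), int(q["limit"][0])
        rows = [a for a in self.audits if parse_epm_time(a["EventTime"]) >= since]  # inclusive dateFrom
        return {AUDIT_KEY: rows[offset:offset + limit]}

SAMPLE_AUDITS = [  # constructed rows shaped like the page's Admin Audits table
    {"Administrator": "admin@example.com", "Description": "API Get Admin audit data", "EventTime": "2023-12-17T12:38:26.53Z", "Feature": "Public API"},
    {"Administrator": "admin@example.com", "Description": "API Get Admin audit data", "EventTime": "2023-12-17T12:39:26.703Z", "Feature": "Public API"},
    {"Administrator": "ops@example.com", "Description": "Policy updated", "EventTime": "2023-12-17T12:40:00Z", "Feature": "Policies"},
]

def demo():
    """Two cycles: a catch-up with page_size=2 (two pages), then a cycle that re-sees only the boundary row."""
    client = EpmClient("https://login.epm.cyberark.com", "user", "secret", "app-id", transport=FakeEpm(SAMPLE_AUDITS))
    client.logon()
    first, wm, keys = collect_admin_audits(client, "PANW Production", parse_epm_time("2023-12-17T00:00:00Z"), set(), page_size=2)
    second, wm2, _ = collect_admin_audits(client, "PANW Production", wm, keys, page_size=2)
    return {"first": first, "second": second, "watermark": to_epm_time(wm2)}
```

Calling demo() returns three events from the first cycle, an empty list from the second (the 12:40:00 row is returned again by the inclusive dateFrom but is recognised as already pushed), and the watermark 2023-12-17T12:40:00.000Z. To run it against a real tenant, drop the FakeEpm transport and keep urllib_transport, which verifies the server certificate; that verification is exactly what the Trust any certificate (not secure) parameter turns off.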

cyberarkepm-get-policy-audits

Gets policy audits from CyberArk EPM.

Base Command

cyberarkepm-get-policy-audits

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| should_push_events | If true, the command pushes the fetched events; otherwise it only displays them. Possible values are: true, false. Default is false. | Required |
| limit | Maximum number of results to return. | Optional |
| from_date | Date to return results from, as an ISO 8601 UTC timestamp (for example '2024-01-01T00:00:00.123Z'). | Optional |

Human Readable Output

Policy Audits

Columns: _time, accessTargetName, accessTargetType, agentEventCount, agentId, applicationSubType, arguments, arrivalTime, authorizationRights, bundleName, bundleVersion, codeURL, commandInfo, company, computerName, displayName, eventType, eventTypeXsiam, fileAccessPermission, fileDescription, fileName, filePath, fileQualifier, fileSize, fileVersion, firstEventDate, hash, interpreter, justification, justificationEmail, lastEventDate, mimeType, modificationTime, operatingSystemType, originUserUID, originalFileName, owner, packageName, policyAction, policyName, productCode, productName, productVersion, publisher, runAsUsername, skippedCount, sourceName, sourceType, symLink, upgradeCode, userIsAdmin, userName, workingDirectory
2023-12-17T12:43:54.659ZInternet3636ebc011f-bdbd-4e0c-84ac-8ea7611c40192023-12-17T12:43:54.659ZGoogle Chrome Helper (Renderer)6045.199M-VKY33Q227QGoogle Chrome Helper (Renderer) (Google Chrome Helper (Renderer))Launchpolicy audit raw event detailsGoogle Chrome Helper (Renderer)/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/119.0.6045.199/Helpers/Google Chrome Helper (Renderer).app/Contents/MacOS/Google Chrome Helper (Renderer)68436427698397124255188322023-12-17T04:44:50Z537ce868dd185f032e7ae18900eb3ec100ed35ef2023-12-17T12:43:37Z2023-11-27T22:43:23ZMacOSrootGoogle Chrome Helper (Renderer) (Google Chrome Helper (Renderer))Run Normallypanw-macos-prod-all-users-allowGoogle LLC (EQHXZ8M8AV)0/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/119.0.6045.199/Helpers/Google Chrome Helper (Renderer).app/Contents/MacOS/Google Chrome Helper (Renderer)LocalDisktrue.\csvensson
2023-12-17T12:43:54.658ZInternet166ebc011f-bdbd-4e0c-84ac-8ea7611c40192023-12-17T12:43:54.658ZWeatherWidget484M-VKY33Q227QWeatherWidget (WeatherWidget)Launchpolicy audit raw event detailsWeatherWidget/System/Applications/Weather.app/Contents/PlugIns/WeatherWidget.appex/Contents/MacOS/WeatherWidget281052704666345053037339522023-12-17T04:52:33Z951815b591c7255b6de67adac3931549892c2fee2023-12-17T12:43:30Z2023-11-02T22:44:56ZMacOSrootWeatherWidget (WeatherWidget)Run Normallypanw-macos-prod-all-users-allowSoftware Signing0/System/Applications/Weather.app/Contents/PlugIns/WeatherWidget.appex/Contents/MacOS/WeatherWidgetLocalDisktrue.\csvensson

Context Output

There is no context output for this command.

cyberarkepm-get-events

Gets detailed (raw) events from CyberArk EPM.

Base Command

cyberarkepm-get-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| should_push_events | If true, the command pushes the fetched events; otherwise it only displays them. Possible values are: true, false. Default is false. | Required |
| limit | Maximum number of results to return. | Optional |
| from_date | Date to return results from, as an ISO 8601 UTC timestamp (for example '2024-01-01T00:00:00.123Z'). | Optional |

Human Readable Output

Detailed Events

Columns: _time, accessAction, accessTargetName, accessTargetType, agentEventCount, agentId, applicationSubType, arrivalTime, authorizationRights, bundleId, bundleName, bundleVersion, company, computerName, deceptionType, displayName, eventCount, eventType, eventTypeXsiam, evidences, exposedUsers, fatherProcess, fileAccessPermission, fileDescription, fileName, filePath, filePathWithoutFilename, fileQualifier, fileSize, fileVersion, firstEventDate, hash, interpreter, justification, justificationEmail, lastEventDate, logonAttemptTypeId, logonStatusId, lureUser, modificationTime, operatingSystemType, originUserUID, originalFileName, owner, packageName, policyCategory, policyName, processCertificateIssuer, processCommandLine, productCode, productName, productVersion, publisher, runAsUsername, skippedCount, sourceName, sourceProcessCertificateIssuer, sourceProcessCommandLine, sourceProcessHash, sourceProcessPublisher, sourceProcessSigner, sourceProcessUsername, sourceType, sourceWSIp, sourceWSName, symLink, threatProtectionAction, threatProtectionActionId, upgradeCode, userIsAdmin, userName, winEventRecordId, winEventType, workingDirectory
2023-12-17T12:37:11.855ZfalseInternet1f8443d50-4e35-442e-a886-d543080d5def2023-12-17T12:37:11.855ZMicrosoft CorporationW-5CG3423Q0T0Settings (SystemSettingsAdminFlows.exe)1Trustdetailed rawSettingsSystemSettingsAdminFlows.exeC:\WINDOWS\system32\SystemSettingsAdminFlows.exeC:\WINDOWS\system32\ 496508144556856733068330410.0.22621.27922023-12-17T12:37:06.555Z6F15BDE5240C45B44449A82B0F7F834D7993AE8C2023-12-17T12:37:06.555Z002023-12-15T02:32:22.31ZWindowsSystemSettingsAdminFlows.EXENT SERVICE\TrustedInstallerMicrosoft® Windows® Operating System (TiWorker.exe)ChangeStartupTaskStatus 9223372036854775808 \"Logitech Download Assistant\" 0Microsoft® Windows® Operating System10.0.22621.2792Microsoft Windows0Microsoft® Windows® Operating System (TiWorker.exe)LocalDiskALL0truePALOALTONETWORK\cbartuvia00
2023-12-17T12:36:16.408ZfalseInternet1f8443d50-4e35-442e-a886-d543080d5def2023-12-17T12:36:16.408ZMicrosoft CorporationW-5CG3423Q0T0Settings (SystemSettingsAdminFlows.exe)1Trustdetailed rawSettingsSystemSettingsAdminFlows.exeC:\WINDOWS\system32\SystemSettingsAdminFlows.exeC:\WINDOWS\system32\ 496508144556856733068330410.0.22621.27922023-12-17T12:36:10.435Z6F15BDE5240C45B44449A82B0F7F834D7993AE8C2023-12-17T12:36:10.435Z002023-12-15T02:32:22.31ZWindowsSystemSettingsAdminFlows.EXENT SERVICE\TrustedInstallerMicrosoft® Windows® Operating System (TiWorker.exe)ChangeStartupTaskStatus 9223372036854775808 \"RTKUGUI\" 0Microsoft® Windows® Operating System10.0.22621.2792Microsoft Windows0Microsoft® Windows® Operating System (TiWorker.exe)LocalDiskALL0truePALOALTONETWORK\cbartuvia00

Context Output

There is no context output for this command.