[New integration] CyberArk EPM #11795

Open
cpascale43 opened this issue Nov 20, 2024 · 1 comment · May be fixed by #12187
Labels: Crest, Epic, Integration:cyberark_epm, New Integration (Issue or pull request for creating a new integration package), Partner

Comments

@cpascale43
cpascale43 commented Nov 20, 2024

Description

In addition to CyberArk Privileged Access Security and CyberArk PAS, we've also seen strong demand for CyberArk Endpoint Privilege Manager (EPM).

Architecture

CyberArk exposes relevant events via their Web Services API. The integration should ingest the following event types:

See also:

Dashboard Ideas

The dashboard should provide answers to questions about endpoint security posture, user activities and potential threats across the environment managed by CyberArk EPM. It should enable real-time monitoring of privileged access patterns, authentication attempts and application usage. These are a few suggestions:

  • Administrative activity

    • Line graph showing admin actions
    • Heat map of admin activities by date
    • Counter showing total admin sessions and policy changes in last 24h
    • Timeline of policy modifications and deployments
  • Credential theft monitoring

    • Alerts for unusual credential access patterns
    • Distribution of theft attempts by source (browsers, IT applications, remote access applications, Windows OS)
    • Geographic visualization of theft attempts
  • Privilege escalation tracking

    • Bar chart of privilege escalation attempts by type
    • Table of "Always Install Elevated" attempts
    • Privilege deception incident tracking
    • JIT policy creation monitoring
  • High risk application analysis

    • Distribution chart of high-risk app usage (CMD, PowerShell, mmc)
    • Line graph showing unsigned application elevations over time
    • Table of blocked applications due to organization policy
@cpascale43 cpascale43 self-assigned this Nov 20, 2024
@cpascale43 cpascale43 changed the title Add support for Cyberark EPM [New integration] CyberArk EPM Nov 20, 2024
@andrewkroh andrewkroh added the New Integration (Issue or pull request for creating a new integration package), Epic, Partner, Crest and Integration:cyberark_epm labels and removed the Epic, Partner, Crest and Integration:cyberark_epm labels Nov 20, 2024
@piyush-elastic (Contributor)

Hi @cpascale43,
We have reviewed the endpoints mentioned in the Web Service API documentation and noted that Splunk and Sumo Logic support new endpoints as per the API documentation.
We recommend supporting the following 5 endpoints, which are similar to those mentioned in the issue:

  • Raw Events: Get Detailed Raw Events
  • Aggregated Events: Get Aggregated Events
  • Policy Audit Raw Events: Get Policy Audit Raw Event Details
  • Policy Audit Aggregated Events: Get Aggregated Policy Audits
  • Set Admin Audit Events: Get Admin Audit Data

@brijesh-elastic brijesh-elastic linked a pull request Dec 24, 2024 that will close this issue