
epm.cyberark

Introduction

The tags beginning with epm.cyberark identify events generated by CyberArk Endpoint Privilege Management.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as epm.cyberark. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| CyberArk EPM | epm.cyberark.epm.admin_audit | epm.cyberark.epm.admin_audit |
| | epm.cyberark.epm.event | epm.cyberark.epm.event |
| | epm.cyberark.epm.policy_audit | epm.cyberark.epm.policy_audit |
| | epm.cyberark.epm.event_aggregated | epm.cyberark.epm.event_aggregated |
| | epm.cyberark.epm.policy_audit_aggregated | epm.cyberark.epm.policy_audit_aggregated |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

epm.cyberark.epm.admin_audit

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| set_name | str | | | |
| event_time | timestamp | | | |
| permission_description | str | | | |
| description | str | | | |
| feature | str | | | |
| logged_at | timestamp | | | |
| logged_from_str | str | | | |
| logger_from_ip4 | ip4 | | ip4(logged_from_str) | logged_from_str |
| logger_from_ip6 | ip6 | | ip6(logged_from_str) | logged_from_str |
| administrator | str | | | |
| internal_session_id | int4 | | | |
| role | str | | | |
| at_devo_pulling_id | str | | | |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | ✓ | | |

epm.cyberark.epm.event

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| file_name | str | |
| original_file_name | str | |
| display_name | str | |
| policy_name | str | |
| hash | str | |
| publisher | str | |
| event_type | str | |
| source_type | str | |
| source_name | str | |
| last_event_date | timestamp | |
| first_event_date | timestamp | |
| username | str | |
| justification | str | |
| justification_email | str | |
| file_size | int4 | |
| threat_protection_action | str | |
| threat_protection_action_id | int4 | |
| package_name | str | |
| company | str | |
| file_path | str | |
| file_path_without_filename | str | |
| file_description | str | |
| product_name | str | |
| product_version | str | |
| bundle_name | str | |
| bundle_version | str | |
| bundle_id | str | |
| application_sub_type | str | |
| interpreter | str | |
| run_as_username | str | |
| working_directory | str | |
| origin_user_uid | str | |
| file_access_permission | str | |
| sym_link | str | |
| file_version | str | |
| modification_time | str | |
| user_is_admin | bool | |
| agent_event_count | int4 | |
| skipped_count | int4 | |
| event_count | int4 | |
| access_action | str | |
| access_target_type | str | |
| access_target_name | str | |
| process_command_line | str | |
| source_process_command_line | str | |
| source_process_username | str | |
| source_process_hash | str | |
| source_process_publisher | str | |
| source_process_signer | str | |
| evidences | str | |
| exposed_users | str | |
| owner | str | |
| file_qualifier | str | |
| source_process_certificate_issuer | str | |
| process_certificate_issuer | str | |
| operating_system_type | str | |
| arrival_time | timestamp | |
| policy_category | str | |
| deception_type | int4 | |
| lure_user | str | |
| source_ws_name | str | |
| father_process | str | |
| source_ws_ip | str | |
| win_event_type | int4 | |
| win_event_record_id | int4 | |
| logon_attempt_type_id | int4 | |
| logon_status_id | int4 | |
| product_code | str | |
| upgrade_code | str | |
| agent_id | str | |
| computer_name | str | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

epm.cyberark.epm.policy_audit

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| hash | str | |
| publisher | str | |
| event_type | str | |
| source_type | str | |
| source_name | str | |
| last_event_date | timestamp | |
| username | str | |
| file_name | str | |
| file_size | int4 | |
| file_description | str | |
| package_name | str | |
| company | str | |
| file_path | str | |
| first_event_date | timestamp | |
| product_name | str | |
| product_version | str | |
| bundle_name | str | |
| bundle_version | str | |
| file_version | str | |
| modification_time | timestamp | |
| user_is_admin | bool | |
| agent_event_count | int4 | |
| skipped_count | int4 | |
| working_directory | str | |
| run_as_username | str | |
| origin_user_uid | str | |
| interpreter | str | |
| file_access_permission | str | |
| command_info | str | |
| arguments | str | |
| justification | str | |
| justification_email | str | |
| display_name | str | |
| original_file_name | str | |
| owner | str | |
| policy_name | str | |
| file_qualifier | str | |
| arrival_time | timestamp | |
| operating_system_type | str | |
| application_sub_type | str | |
| agent_id | str | |
| computer_name | str | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |