Skip to main content

CyberArk EPM

CyberArk Endpoint Privilege Manager (EPM) enforces least privilege and allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privilege security, application control, and credential theft prevention reduces the risk of malware infection.

This integration accesses the CyberArk EPM API to retrieve administrative audit events from every Set in the environment. API documents can be found here.

Data Sources

The CyberArk EPM Source consumes Sets and admin audit events.

  • Sets are logical groupings of systems grouped around a single parameter such as OS Type or Location.
  • Admin Audit Events are events created by performing actions using the EPM console, after login in, either directed or remotely by API.

Create a CyberArk EPM Source​

When you create a CyberArk EPM Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.

To configure a CyberArk EPM Source

  1. In Sumo Logic, select Manage Data > Collection > Collection.
  2. On the Collectors page, click Add Source next to a Hosted Collector.
  3. Select CyberArk EPM.
  4. Name. Enter a Name to display for the Source in the Sumo Logic web application.
  5. Description. (Optional)
  6. Source Category. Enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called _sourceCategory.
  7. Forward to SIEM. Check the checkbox to forward your data to Cloud SIEM Enterprise. When configured with the Forward to SIEM option the following metadata fields are set:
    • _siemVendor—Cyber-Ark
    • _siemProduct—EPM
    • _siemFormat—JSON
    • _parser—/Parsers/System/Cyber-Ark/CyberArk EPM JSON
  8. Fields. (Optional) Click +Add to ad additional fields; each field needs a name (key) and value.
    • green check circle.png A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
    • orange exclamation point.png An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema or is disabled it is ignored, known as dropped.
  9. EPM Username. Enter your EPM username.
  10. EPM User Password. Enter your EPM password.
  11. CyberArk EPM Dispatch Server. Enter your CyberArk EPM Dispatch Server URL. For example,

    This is not your instance URL.

  12. Application ID. Used to identify what's accessing the API. For example, sumologic.
  13. Rate Limit C2C. The EPM Dispatch Server limits requests to 3 request per 5 minutes. The Sumo Logic connector will adhere to that limit when this box is checked. If the box is unchecked, the connector won't limit the number of requests, but unless you ask CyberArk Support to change the Dispatch Server rate limit, requests will be rate-limited on the EPM side.
  14. Polling Interval. This field is pre-filled with 600.

API Limitations

Session Timeout

The session timeout for all APIs is part of the session token and is defined by the Timeout for inactive session Server Configuration parameter.

Sumo Logic YouTubeSumo Logic Twitter
Privacy Statement
Terms of Use

Copyright © 2022 by Sumo Logic, Inc.