CyberArk EPM

CyberArk Endpoint Privilege Manager (EPM) is a security solution that helps organizations protect their endpoints from cyber threats and reduce the risk of data theft or encryption. EPM helps block and contain attacks on endpoint computers. For detailed information, please refer to the CyberArk’s official documentation.

Integration Method: API

Tables: Detection Finding (2004), Process Activity (1007)

This integration supports the following events.

This integration supports the following versions.

Prerequisites

• The user should have enabled Account Administrator with View Only permission and Allow to manage Sets option.

• The sets should be bound to the user.

• The user should have access to the DataBee console.

Configuration Overview

1. Create a User in the CyberArk console with the required permissions.

2. Add the CyberArk EPM data feed in the DataBee console with the below parameters

   DataBee Parameter	Dropbox Parameter
   Username	Username of the user
   Password	Password of the user
   Token URL <instance>	CyberArk dispatcher server name
   API Base URL <instance>	CyberArk EPM instance URL

CyberArk EPM Configuration

1. Go to your CyberArk EPM login page and get the Dispatcher Server name as highlighted below.
    

2. Log in to CyberArk EPM console.
    

3. Get the CyberArk EPM instance URL as highlighted below.
    

4. Click on Administration.
    

5. Click on the Create > Create User button.
    

6. Fill out the required details on the form like Email and Password. Ensure that Account Administrator with View Only permission and Allow to manage Sets are checked.
    

7. This email and password will be used later while configuring data source. Click on Next.
    

8. Select View Only Set Admin as roles for each set to bound this user to each set then click on the Finish button.
    
   

   Note:

   After creating new user, there will be an email verification. Login to CyberArk EPM console with newly created user credentials.

Binding user to new set

Note:

This step is not required initially but if we create a new set then we must bound new set to user which we have created previously. Only Administrator user can bind newly created user to new set.

1. Login into CyberArk EPM console using Administrator user credentials and then click on Administration.
    

2. In the Account Management portal, you can see the list of sets as highlighted below.
    

3. Select the set which you have newly created.
    

4. Click on Bind > Change binding for Set “<new_set>”.
    

5. Update Roles to View Only Set Admin for user which we have created previously.
    

6. Click on the OK button.
    

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    
   

2. Search for the CyberArk EPM and click it as shown below.
    
   

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    

5. In the configuration page, confirm the following:

   • Authorization Method: Token Url Auth

   • API Base URL: replace the <instance> with your CyberArk EPM instance URL.

   • Username: enter the Email Id of the user which we have created earlier.

   • Password: enter the Password of the user which we have created earlier.

   • Token URL: replace the <instance> with your CyberArk EPM dispatcher server name.

   • Event Types: preselected for all the event types that integration pulls.

   

6. Click Submit.

Troubleshooting Tips

• Make you we have provided correct CyberArk EPM dispatcher server name and Instance URL.

• If we are creating new set, then make sure we bind our user which we have created earlier to the newly created set

• Make sure we do the email verification by login into CyberArk EPM console for newly created user if we are getting 401 error.