CyberArkEPM



Attribute        | Value
Publisher        | CyberArk Support
Support Tier     | Partner
Support Link     | https://www.cyberark.com/services-support/technical-support-contact/
Categories       | domains
Version          | 3.0.1
Author           | CyberArk Business Development - business_development@cyberark.com
First Published  | 2022-04-10
Solution Folder  | CyberArkEPM

Endpoint Privilege Manager, a critical and foundational endpoint control, addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.

Contents

Data Connectors

This solution provides 1 data connector(s):

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 1 table(s):

Table          | Used By Connectors | Used By Content
CyberArkEPM_CL | 🔶 CyberArkEPM     | Analytics, Hunting, Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 22 content item(s):

Content Type    | Count
Analytic Rules  | 10
Hunting Queries | 10
Workbooks       | 1
Parsers         | 1

Analytic Rules

Name                                                             | Severity | Tactics                                    | Tables Used
CyberArkEPM - Attack attempt not blocked                         | High     | Execution                                  | CyberArkEPM_CL
CyberArkEPM - MSBuild usage as LOLBin                            | Medium   | DefenseEvasion                             | CyberArkEPM_CL
CyberArkEPM - Multiple attack types                              | High     | Execution                                  | CyberArkEPM_CL
CyberArkEPM - Possible execution of Powershell Empire            | High     | Execution                                  | CyberArkEPM_CL
CyberArkEPM - Process started from different locations           | Medium   | Execution, DefenseEvasion                  | CyberArkEPM_CL
CyberArkEPM - Renamed Windows binary                             | High     | Execution, DefenseEvasion                  | CyberArkEPM_CL
CyberArkEPM - Uncommon Windows process started from System folder | Medium  | Execution, DefenseEvasion                  | CyberArkEPM_CL
CyberArkEPM - Uncommon process Internet access                   | High     | Execution, DefenseEvasion, CommandAndControl | CyberArkEPM_CL
CyberArkEPM - Unexpected executable extension                    | Medium   | Execution, DefenseEvasion                  | CyberArkEPM_CL
CyberArkEPM - Unexpected executable location                     | Medium   | Execution, DefenseEvasion                  | CyberArkEPM_CL

Hunting Queries

Name                                                  | Tactics                        | Tables Used
CyberArkEPM - Elevation requests                      | Execution, PrivilegeEscalation | CyberArkEPM_CL
CyberArkEPM - Powershell downloads                    | Execution                      | CyberArkEPM_CL
CyberArkEPM - Powershell scripts execution parameters | Execution                      | CyberArkEPM_CL
CyberArkEPM - Process hash changed                    | DefenseEvasion                 | CyberArkEPM_CL
CyberArkEPM - Processes run as admin                  | Execution, PrivilegeEscalation | CyberArkEPM_CL
CyberArkEPM - Processes with Internet access attempts | CommandAndControl              | CyberArkEPM_CL
CyberArkEPM - Rare process run by users               | Execution                      | CyberArkEPM_CL
CyberArkEPM - Rare process vendors                    | Execution                      | CyberArkEPM_CL
CyberArkEPM - Scripts executed on hosts               | Execution                      | CyberArkEPM_CL
CyberArkEPM - Suspicious activity attempts            | Execution                      | CyberArkEPM_CL

Workbooks

Name        | Tables Used
CyberArkEPM | CyberArkEPM_CL

Parsers

Name        | Description | Tables Used
CyberArkEPM | -           | CyberArkEPM_CL (read)

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.0   | 27-07-2023                 | Updated solution to fix deployment validations
3.0.1   | 28-04-2025                 | Updated deployment instructions to use Python 3.10 version
