CyberArkEPM_Events_CL



Ingestion API Supported: Yes
Schema (35 columns)

Source: KQL validation test schema

Column Name            Type
_ResourceId            string
AdditionalFields       dynamic
AffectedComputers      int
AffectedUsers          int
AggregatedBy           string
ArrivalTime            datetime
Computer               string
ComputerName           string
CyberArkEventType      string
EpmAgentId             string
EventType              string
FileName               string
FilePath               string
FileQualifier          string
FirstEventDate         datetime
Hash                   string
LastEventDate          datetime
ManagementGroupName    string
MG                     string
PolicyAction           string
PolicyName             string
Publisher              string
RawData                string
SetId                  string
SetName                string
Skipped                bool
SkippedCount           int
SourceName             string
SourceSystem           string
SourceType             string
TenantId               string
TimeGenerated          datetime
TotalEvents            int
Type                   string
UserName               string

Solutions (1)

This table is used by the following solutions:

Connectors (1)

This table is ingested by the following connectors:

Connector Selection Criteria
CyberArkEPM

Content Items Using This Table (21)

Analytic Rules (10)

In solution CyberArkEPM:

Analytic Rule Selection Criteria
CyberArkEPM - Attack attempt not blocked
CyberArkEPM - MSBuild usage as LOLBin
CyberArkEPM - Multiple attack types
CyberArkEPM - Possible execution of Powershell Empire
CyberArkEPM - Process started from different locations
CyberArkEPM - Renamed Windows binary
CyberArkEPM - Uncommon Windows process started from System folder
CyberArkEPM - Uncommon process Internet access
CyberArkEPM - Unexpected executable extension
CyberArkEPM - Unexpected executable location

Hunting Queries (10)

In solution CyberArkEPM:

Hunting Query Selection Criteria
CyberArkEPM - Elevation requests
CyberArkEPM - Powershell downloads
CyberArkEPM - Powershell scripts execution parameters
CyberArkEPM - Process hash changed
CyberArkEPM - Processes run as admin
CyberArkEPM - Processes with Internet access attempts
CyberArkEPM - Rare process run by users
CyberArkEPM - Rare process vendors
CyberArkEPM - Scripts executed on hosts
CyberArkEPM - Suspicious activity attempts

Workbooks (1)

In solution CyberArkEPM:

Workbook Selection Criteria
CyberArkEPM

Parsers Using This Table (1)

Other Parsers (1)

Parser: CyberArkEPM (solution: CyberArkEPM)
