Idira Endpoint Privilege Manager for Microsoft Sentinel
Solution: CyberArkEPM
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
| Attribute | Value |
|---|---|
| Publisher | CyberArk Support |
| Support Tier | Partner |
| Support Link | https://www.cyberark.com/services-support/technical-support-contact/ |
| Categories | Security - Threat Protection,Identity |
| Version | 3.1.0 |
| Author | CyberArk Business Development - business_development@cyberark.com |
| First Published | 2022-04-10 |
| Last Updated | 2026-06-11 |
| Solution Folder | CyberArkEPM |
| Marketplace | Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 ratings) · Popularity: ⚪ Very Low (0%) |
Endpoint Privilege Manager, a critical and foundational endpoint control addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.
Contents
Data Connectors
This solution provides 2 data connector(s):
Tables Used
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
CyberArkEPM_Events_CL |
CyberArkEPM | Analytics, Hunting, Workbooks |
Content Items
This solution includes 22 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| CyberArkEPM - Attack attempt not blocked | High | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - MSBuild usage as LOLBin | Medium | DefenseEvasion | CyberArkEPM_Events_CL |
| CyberArkEPM - Multiple attack types | High | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - Possible execution of Powershell Empire | High | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - Process started from different locations | Medium | Execution, DefenseEvasion | CyberArkEPM_Events_CL |
| CyberArkEPM - Renamed Windows binary | High | Execution, DefenseEvasion | CyberArkEPM_Events_CL |
| CyberArkEPM - Uncommon Windows process started from System folder | Medium | Execution, DefenseEvasion | CyberArkEPM_Events_CL |
| CyberArkEPM - Uncommon process Internet access | High | Execution, DefenseEvasion, CommandAndControl | CyberArkEPM_Events_CL |
| CyberArkEPM - Unexpected executable extension | Medium | Execution, DefenseEvasion | CyberArkEPM_Events_CL |
| CyberArkEPM - Unexpected executable location | Medium | Execution, DefenseEvasion | CyberArkEPM_Events_CL |
Hunting Queries
| Name | Tactics | Tables Used |
|---|---|---|
| CyberArkEPM - Elevation requests | Execution, PrivilegeEscalation | CyberArkEPM_Events_CL |
| CyberArkEPM - Powershell downloads | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - Powershell scripts execution parameters | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - Process hash changed | DefenseEvasion | CyberArkEPM_Events_CL |
| CyberArkEPM - Processes run as admin | Execution, PrivilegeEscalation | CyberArkEPM_Events_CL |
| CyberArkEPM - Processes with Internet access attempts | CommandAndControl | CyberArkEPM_Events_CL |
| CyberArkEPM - Rare process run by users | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - Rare process vendors | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - Scripts executed on hosts | Execution | CyberArkEPM_Events_CL |
| CyberArkEPM - Suspicious activity attempts | Execution | CyberArkEPM_Events_CL |
Workbooks
| Name | Tables Used |
|---|---|
| CyberArkEPM | CyberArkEPM_Events_CL |
Parsers
| Name | Description | Tables Used |
|---|---|---|
| CyberArkEPM | - | CyberArkEPM_Events_CL (read) |
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.1.0 | 19-05-2026 | Update reporting mechanism to use DCR. Switch to Oauth login for EPM |
| 3.0.1 | 28-04-2025 | Updated deployment instructions to use Python 3.10 version |
| 3.0.0 | 27-07-2023 | Updated solution to fix deployment validations |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊