diff --git a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source.md b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source.md index b565e82482..5ee36cafe1 100644 --- a/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source.md +++ b/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-source.md 
@@ -18,7 +18,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; The CyberArk Endpoint Privilege Manager (EPM) is a security solution that helps organizations reduce the risk of information theft or ransomware attacks by enforcing the principle of least privilege and preventing unauthorized access to critical systems and data. The solution employs a combination of privilege security, application control, and credential theft prevention to reduce the likelihood of malware infections. -The integration with CyberArk EPM's API allows for retrieving administrative, detailed raw, policy audit, and policy audit raw events from every set in the environment. The [API documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM/Latest/en/Content/LandingPages/LPDeveloper.htm) provides guidance on accessing and utilizing this information. This integration facilitates retrieving various audit events, including administrative actions, policy violations, and application usage, to generate alerts, reports, and remediation actions that enhance the organization's security posture. +The integration with CyberArk EPM's API allows for retrieving administrative, detailed raw, policy audit, policy audit raw events, and aggregated events from every set in the environment. The [API documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM/Latest/en/Content/LandingPages/LPDeveloper.htm) provides guidance on accessing and utilizing this information. This integration facilitates retrieving various audit events, including administrative actions, policy violations, and application usage, to generate alerts, reports, and remediation actions that enhance the organization's security posture. ## Data collected @@ -29,6 +29,7 @@ The integration with CyberArk EPM's API allows for retrieving administrative, de | 10 minutes | Detailed Raw Events | | 10 minutes | Aggregated Policy Audit Events | | 10 minutes | Policy Audit Raw Events | +| 10 minutes | Aggregated Events | ## Setup 
@@ -60,9 +61,10 @@ To configure a CyberArk EPM Source, follow the steps below: * For the US datacenter, the dispatch server URL is `https://login.epm.cyberark.com`. * For the EU datacenter, the dispatch server URL is `https://eu.epm.cyberark.com`. 1. **Application ID**. An application ID is a unique identifier that helps an API recognize which application or program is accessing it. It's like a name tag that allows the API to keep track of different applications using it. For example, *sumologic*. -1. **Collect Detailed Raw Events**. This option enables the CyberArk C2C Source to collect detailed raw events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Detailed Raw Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetDetailedRawEvents.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). Use below options to adjust this settings. -1. **Collect Aggregated Policy Audit Events**. This option enables the C2C Source to collect aggregated policy audit events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Aggregated Policy Audit Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetAggregatedPolicyAudits.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). Use below options to adjust this settings. -1. **Collect Policy Audit Raw Events**. This option enables the C2C Source to collect policy audit raw events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Policy Audit Raw Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetPolicyAuditRawEventDetails.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). 
Use below options to adjust this settings. +1. **Collect Detailed Raw Events**. Select this checkbox to enable the CyberArk C2C Source to collect detailed raw events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Detailed Raw Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetDetailedRawEvents.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). +1. **Collect Aggregated Policy Audit Events**. Select this checkbox to enable the C2C Source to collect aggregated policy audit events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Aggregated Policy Audit Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetAggregatedPolicyAudits.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). +1. **Collect Policy Audit Raw Events**. Select this checkbox to enable the C2C Source to collect policy audit raw events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Policy Audit Raw Events](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/GetPolicyAuditRawEventDetails.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). +1. **Collect Aggregated Events**. Select this checkbox to enable the C2C Source to collect aggregated events from the CyberArk EPM. By default, the source can make 1000 requests every 5 minutes to [Aggregated Events](https://docs.cyberark.com/epm/latest/en/content/webservices/getaggregatedevents.htm) endpoint, as stated in the [CyberArk API documentation](https://docs.cyberark.com/EPM/Latest/en/Content/WebServices/WebServicesIntro.htm). 1. **Polling Interval**. 
The polling interval is the frequency at which the CyberArk C2C Source will check for updates from the CyberArk EPM (Endpoint Privilege Manager). This field is pre-filled with 600. 1. When you are finished configuring the Source, click **Save**. @@ -100,6 +102,7 @@ Sources can be configured using UTF-8 encoded JSON files with the Collector Ma | detailed_raw_events | boolean | No | False | Collects detailed raw events. | | | aggregated_policy_audits | boolean | No | False | Collects aggregated policy audits events. | | | policy_audit_raw_events | boolean | No | False | Collects policy audit raw events. | | +| aggregated_events | boolean | No | False | Collects policy aggregated events. | | | polling_interval | integer | Yes | 600 | Frequency of C2C updates from EPM. | | ### JSON example @@ -128,4 +131,4 @@ When setting the poll frequency, it's recommended to consider these limitations :::info Click [here](/docs/c2c/info) for more information about Cloud-to-Cloud sources. -::: \ No newline at end of file +::: diff --git a/static/files/c2c/cyberark/example.json b/static/files/c2c/cyberark/example.json index 949b8a51d3..bf215319fc 100644 --- a/static/files/c2c/cyberark/example.json +++ b/static/files/c2c/cyberark/example.json @@ -10,6 +10,7 @@ "detailed_raw_events": false, "aggregated_policy_audits": false, "policy_audit_raw_events": false, + "aggregated_events": false, "polling_interval": 600 }, "schemaRef": { diff --git a/static/files/c2c/cyberark/example.tf b/static/files/c2c/cyberark/example.tf index 21aec69155..8c40ef6d4f 100644 --- a/static/files/c2c/cyberark/example.tf +++ b/static/files/c2c/cyberark/example.tf @@ -12,6 +12,7 @@ resource "sumologic_cloud_to_cloud_source" "cyberark_test_source" { "detailed_raw_events": false, "aggregated_policy_audits": false, "policy_audit_raw_events": false, + "aggregated_events": false, "polling_interval": 600 }) }
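Review bot: In the first `cyberark-source.md` hunk (`@@ -18,7`), the rewritten intro lists "policy audit, policy audit raw events, and aggregated events" side by side, and a reader can easily conflate the new "aggregated events" with the existing "aggregated policy audit events" that the Data collected table calls "Aggregated Policy Audit Events". Suggest naming the five event types exactly as the table does (Administrative, Detailed Raw, Aggregated Policy Audit, Policy Audit Raw, Aggregated) so the intro, the table, and the setup steps use one vocabulary.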
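Review bot: In the setup-steps hunk (`@@ -60,9`), the rate-limit sentence "By default, the source can make 1000 requests every 5 minutes to ... endpoint" was copied verbatim onto the new **Collect Aggregated Events** step; please confirm against the linked CyberArk API documentation that the Aggregated Events endpoint actually shares that limit rather than assuming it from the sibling steps. Two smaller points in the same hunk: the new link `https://docs.cyberark.com/epm/latest/en/content/webservices/getaggregatedevents.htm` uses an all-lowercase path while the three neighbouring links use `EPM/Latest/en/Content/WebServices/...`, so check that the lowercase URL resolves and match the sibling casing if it does not; and all four rewritten bullets read "requests every 5 minutes to [X] endpoint", which needs "to the [X] endpoint".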
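Review bot: In the Collector Management API table hunk (`@@ -100,6`), the description for the new row `| aggregated_events | boolean | No | False | Collects policy aggregated events. | |` has a stray "policy": this flag is the Aggregated Events collection described elsewhere in the page, not the aggregated policy audits covered by `aggregated_policy_audits`, so it should read "Collects aggregated events." to avoid the two keys looking like the same data. Keeping the default at False is right, since existing sources defined without the key keep their current behaviour.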
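Review bot: In the `static/files/c2c/cyberark/example.json` hunk, adding `"aggregated_events": false` keeps the sample in step with the new config key, but every collection toggle in the example (`detailed_raw_events`, `aggregated_policy_audits`, `policy_audit_raw_events`, and now `aggregated_events`) is `false`, so a user who copies this file verbatim gets a source that polls every 600 seconds and collects nothing; consider setting at least one of them to `true` in the example so it demonstrates a working configuration. The same applies to the parallel `example.tf` hunk, which should stay identical to the JSON sample.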