Collect CyberArk Endpoint Privilege Manager logs

Supported in:

This document explains how to ingest CyberArk Endpoint Privilege Manager (EPM) logs to Google Security Operations using Bindplane. CyberArk EPM enforces least privilege on endpoints by removing local admin rights while enabling users to run approved applications. It provides application control, privilege management, and credential theft protection for Windows, macOS, and Linux endpoints.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance.
  • A Windows 2016 or later or Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
  • Privileged access to the CyberArk EPM management console with administrator permissions.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agent.
  3. Download the Ingestion Authentication File.
    • Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the Configuration File:

    • Locate the config.yaml file. Typically, it's in the /opt/observiq-otel-collector/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).

  2. Edit the config.yaml file as follows:

    receivers:
    tcplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <PLACEHOLDER_CUSTOMER_ID>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        log_type: 'CYBERARK_EPM'
        raw_log_field: body
        ingestion_labels:

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - tcplog
            exporters:
                - chronicle/chronicle_w_labels
  • Replace the port and IP address as required in your infrastructure.
  • Replace <PLACEHOLDER_CUSTOMER_ID> with the actual Customer ID.
  • Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  1. To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector

  2. To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop observiq-otel-collector && net start observiq-otel-collector

Configure CyberArk EPM syslog forwarding

  1. Sign in to the CyberArk EPM Console as an administrator.
  2. Go to Administration > System Configuration > SIEM Integration.
  3. Select Enable SIEM to activate syslog forwarding.
  4. Provide the following configuration details:
    • SIEM Type: Select Syslog.
    • Server Address: Enter the IP address of the Bindplane agent host (for example, 192.168.1.100).
    • Port: Enter the port number matching the Bindplane agent configuration (for example, 514).
    • Protocol: Select TCP.
    • Format: Select CEF (Common Event Format).
  5. In the Event Types section, select the event categories to forward:
    • Policy Audit Events: Policy enforcement actions.
    • Admin Audit Events: Administrative actions in EPM console.
    • Threat Protection Events: Credential theft and ransomware protection events.
    • Application Control Events: Application allow/block events.
  6. Click Save.

  7. Verify logs are being received by checking the Bindplane agent logs:

    sudo journalctl -u observiq-otel-collector -f

For more information about CyberArk EPM syslog integration, see the CyberArk EPM administration guide.

UDM mapping table

Log Field UDM Mapping Logic
Header.deviceVendor metadata.vendor_name Mapped from the CEF header vendor field.
Header.deviceProduct metadata.product_name Mapped from the CEF header product field.
Header.deviceVersion metadata.product_version Mapped from the CEF header version field.
Header.signatureId metadata.product_event_type Mapped from the CEF signature ID field.
Header.name metadata.description Mapped from the CEF event name field.
Header.severity security_result.severity Mapped from CEF severity (0-3=LOW, 4-6=MEDIUM, 7-8=HIGH, 9-10=CRITICAL).
shost principal.hostname The source hostname where the event occurred.
src principal.ip The source IP address.
suser principal.user.userid The source username associated with the event.
fname target.file.full_path The file name or path involved in the event.
fileHash target.file.md5 The MD5 hash of the file involved.
dhost target.hostname The destination hostname.
dst target.ip The destination IP address.
duser target.user.userid The destination or target username.
act security_result.action_details The action taken by EPM (for example, Block, Allow, Elevate).
cs1 security_result.detection_fields Custom string field 1 (policy name or additional context).
cs2 security_result.detection_fields Custom string field 2 (additional context).
rt metadata.event_timestamp The event receipt time.

Need more help? Get answers from Community members and Google SecOps professionals.