Collect CyberArk Endpoint Privilege Manager logs

This document explains how to ingest CyberArk Endpoint Privilege Manager (EPM) logs to Google Security Operations using Bindplane. CyberArk EPM enforces least privilege on endpoints by removing local admin rights while enabling users to run approved applications. It provides application control, privilege management, and credential theft protection for Windows, macOS, and Linux endpoints.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance.
• A Windows 2016 or later or Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
• Privileged access to the CyberArk EPM management console with administrator permissions.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agent.
3. Download the Ingestion Authentication File.
   • Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

1. Open the Command Promptor PowerShellas an administrator.

2. Run the following command:

     msiexec 
     
    / 
    i 
     
    "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
     
    / 
    quiet 
    
   

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

    sudo  
   sh  
   -c  
    " 
    $( 
   curl  
   -fsSlL  
   https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
    " 
     
   install_unix.sh 
   

Additional installation resources

For additional installation options, consult this installation guide .

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

1. Access the Configuration File:

   • Locate the config.yaml file. Typically, it's in the /opt/observiq-otel-collector/ directory on Linux or in the installation directory on Windows.
   • Open the file using a text editor (for example, nano , vi , or Notepad).

2. Edit the config.yaml file as follows:

     receivers 
    : 
     
    tcplog 
    : 
     
    # Replace the port and IP address as required 
     
    listen_address 
    : 
     
    "0.0.0.0:514" 
    exporters 
    : 
     
    chronicle/chronicle_w_labels 
    : 
     
    compression 
    : 
     
    gzip 
     
    # Adjust the path to the credentials file you downloaded in Step 1 
     
    creds_file_path 
    : 
     
    '/path/to/ingestion-authentication-file.json' 
     
    # Replace with your actual customer ID from Step 2 
     
    customer_id 
    : 
     
   < PLACEHOLDER_CUSTOMER_ID 
   >  
    endpoint 
    : 
     
    malachiteingestion-pa.googleapis.com 
     
    # Add optional ingestion labels for better organization 
     
    log_type 
    : 
     
    'CYBERARK_EPM' 
     
    raw_log_field 
    : 
     
    body 
     
    ingestion_labels 
    : 
    service 
    : 
     
    pipelines 
    : 
     
    logs/source0__chronicle_w_labels-0 
    : 
     
    receivers 
    : 
     
    - 
     
    tcplog 
     
    exporters 
    : 
     
    - 
     
    chronicle/chronicle_w_labels 
    
   

• Replace the port and IP address as required in your infrastructure.
• Replace <PLACEHOLDER_CUSTOMER_ID> with the actual Customer ID.
• Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in the Get Google SecOps ingestion authentication filesection.

Restart the Bindplane agent to apply the changes

1. To restart the Bindplane agent in Linux, run the following command:

    sudo  
   systemctl  
   restart  
   observiq-otel-collector 
   

2. To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:

    net stop observiq-otel-collector && net start observiq-otel-collector 
   

Configure CyberArk EPM syslog forwarding

1. Sign in to the CyberArk EPM Consoleas an administrator.
2. Go to Administration > System Configuration > SIEM Integration.
3. Select Enable SIEMto activate syslog forwarding.
4. Provide the following configuration details:
   • SIEM Type: Select Syslog.
   • Server Address: Enter the IP address of the Bindplane agent host (for example, 192.168.1.100 ).
   • Port: Enter the port number matching the Bindplane agent configuration (for example, 514 ).
   • Protocol: Select TCP.
   • Format: Select CEF(Common Event Format).
5. In the Event Typessection, select the event categories to forward:
   • Policy Audit Events: Policy enforcement actions.
   • Admin Audit Events: Administrative actions in EPM console.
   • Threat Protection Events: Credential theft and ransomware protection events.
   • Application Control Events: Application allow/block events.
6. Click Save.

7. Verify logs are being received by checking the Bindplane agent logs:

    sudo  
   journalctl  
   -u  
   observiq-otel-collector  
   -f 
   

For more information about CyberArk EPM syslog integration, see the CyberArk EPM administration guide .

UDM mapping table

Log Field	UDM Mapping	Logic
Header.deviceVendor	metadata.vendor_name	Mapped from the CEF header vendor field.
Header.deviceProduct	metadata.product_name	Mapped from the CEF header product field.
Header.deviceVersion	metadata.product_version	Mapped from the CEF header version field.
Header.signatureId	metadata.product_event_type	Mapped from the CEF signature ID field.
Header.name	metadata.description	Mapped from the CEF event name field.
Header.severity	security_result.severity	Mapped from CEF severity (0-3=LOW, 4-6=MEDIUM, 7-8=HIGH, 9-10=CRITICAL).
shost	principal.hostname	The source hostname where the event occurred.
src	principal.ip	The source IP address.
suser	principal.user.userid	The source username associated with the event.
fname	target.file.full_path	The file name or path involved in the event.
fileHash	target.file.md5	The MD5 hash of the file involved.
dhost	target.hostname	The destination hostname.
dst	target.ip	The destination IP address.
duser	target.user.userid	The destination or target username.
act	security_result.action_details	The action taken by EPM (for example, Block, Allow, Elevate).
cs1	security_result.detection_fields	Custom string field 1 (policy name or additional context).
cs2	security_result.detection_fields	Custom string field 2 (additional context).
rt	metadata.event_timestamp	The event receipt time.

Need more help? Get answers from Community members and Google SecOps professionals.