topic Re: CyberArk Audit for Splunk in Getting Data In

CyberArk Audit for Splunk

vh — Wed, 26 Mar 2025 14:17:36 GMT

Is there any documentation on creating an input for this app? (https://splunkbase.splunk.com/app/6608)

I installed the app.

Upon launching, it's asking for certificate and private key.

There is no place for me to configure the API endpoint.

thanks,

Re: CyberArk Audit for Splunk

PickleRick — Wed, 26 Mar 2025 14:43:46 GMT

I have no idea what they mean by "certificate" and "private key" since the fields are just text fields (and neither splunkbase page nor Cyberark's docs help here). But when you type anything in and click save, you'll get to the "add input" dialog, where you can type in stuff like API endpoint or region.

Re: CyberArk Audit for Splunk

kiran_panchavat — Wed, 26 Mar 2025 15:36:31 GMT

@vh

I’ve set up this add-on in my lab environment and can see the data input option listed below. Could you please take a look and confirm?

Navigate to Settings > Data Inputs.

Multiple CyberArk data inputs.

Re: CyberArk Audit for Splunk

luizlimapg — Wed, 26 Mar 2025 18:35:57 GMT

Hello @vh ,

It took some work, but I finally got this addon up and running.
On the addon's setup screen, you need to paste the contents of the certificate and the private key generated in the CyberArk console.

The certificate and private key contents are in the following format:
-----BEGIN%20CERTIFICATE-----xxxxxxxxxxxxxxxxxx-----END%20CERTIFICATE-----%0A

To generate the necessary information in the CyberArk console, follow the procedure available at the following link:
https://docs.cyberark.com/admin-space/latest/en/content/siem-integration/siem-export-splunk.htm

After the setup, you can create the input at Settings > Data Input > CyberArk Audit for Splunk, filling in the fields with the data generated in the CyberArk console.

You can monitor the addon's operation through the logs available at:
index=_internal source="*splunkd.log" cyberark

If you need to redo the addon's setup, you can do so by clicking the "Setup" link under Apps > Manage Apps.

Re: CyberArk Audit for Splunk

vh — Thu, 27 Mar 2025 15:20:35 GMT

Hi @luizlimapg

Thank you for the response.

Upon launching the app for the first time, I got prompted to enter the cert and private key, which I did.

After this process, it is supposed to take me to an input page so I can fill in the rest of the information generated on the CyberArk side.

However, the Input page is showing a 404 Error stead.

I have removed and reinstalled this app a few times with no success.

The server I'm having this issue is running Splunk Enterprise version 9.3.2.

I installed this app on an older version of Splunk Enterprise, version 9.2.3, and got the expected inputs screen.

So, I'm wondering if it's a versioning info.

I don't want to downgrade Splunk Enterprise to test this.

I plan to upgrade the problematic server to 9.4.1 later anyway (for other reasons too.)

Any more thoughts on this?

Thanks again.

Re: CyberArk Audit for Splunk

vh — Thu, 27 Mar 2025 15:22:43 GMT

Yes, that's the expected behavior.

Instead, after entering the cert and key info, I'm redirected to a 404 error page (where it's supposed to display the input page.)

thanks for the response.

Re: CyberArk Audit for Splunk

luizlimapg — Thu, 27 Mar 2025 16:51:25 GMT

Hey @vh,

Quite strange behavior. Here I'm using version 1.0.23 of the add-on and 9.2.4 of Splunk Enterprise.

You could try installing an earlier version of the add-on, it might work.
On Splunkbase, the last version that supports only Splunk Enterprise is 1.0.24, that's a good version to try

As a last resort, you could have only the heavy forwarder running version 9.2.3 of Splunk with the add-on installed. It would work, but it's not ideal.

Let me know if it works

Re: CyberArk Audit for Splunk

Vardhan — Thu, 08 Jan 2026 16:41:14 GMT

Hi,

I also working on similar integration, and I have a question regarding CIM Normalization. There is a existing CyberArk addon available for On prem CyberArk CEF format logs. However, using this CyberArk Audit addon we will receive logs in JSON and I don't see any Splunk addon can help with normalization. Can you please tell me how did you manage to parse the logs?