This add-on works with Splunk 7.x and 8.x. The TA is used to get data from the CyberArk API and index it in Splunk.
It's built with Splunk Add-on Builder.
The Technology Add-on (TA) for CyberArk enables current CyberArk customers to ingest data from 3 inputs based on CyberArk API endpoints.
Compatible with Splunk Enterprise versions: 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x
1. In order to ingest event data successfully, a valid username and password are required. Based on the username and password, an authentication token is generated and used for each API call.
(DAP issues a short-lived access token after authenticating a requester. The token is valid for 8 minutes by default. The token is a JSON Web Token (JWT), cryptographically signed with a DAP private key (RSA 2048); it includes the host or user ID along with the expiration timestamp. DAP uses OpenSSL to generate the RSA key pair and to validate and sign the tokens.)
Install the add-on on heavy forwarders or on a Splunk Enterprise standalone instance. Download the TA package and follow the instructions below:
1. In the UI navigate to "Manage Apps"
2. In the top right corner select "Install app from file"
3. Select "Choose File" and select the TA package (.spl or .tar)
4. Select "Upload" and follow the prompts to restart Splunk.
Under Configuration\add-on-settings, add the FQDN of the CyberArk API and click Save.
The inputs should be configured only on heavy forwarders or on a Splunk Enterprise standalone instance. There are 4 REST API endpoints that are used:
INFO: In order to authenticate successfully, the add-on must send an authentication header with each API call. The authentication header carries a token, which is first obtained by calling the Logon service with the username and password.
NOTE: The main index is used by default unless specified otherwise. If data is to be sent to a specific indexer, ensure the outputs.conf file is adjusted with the indexer's IP address.
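The authentication flow described above (obtain a token from the Logon service with username and password, then send it in a header with every API call, re-authenticating before the short-lived token expires) is shown below as an added example; it is not code from this add-on or from CyberArk. The Logon path (`<base_url>/Logon`), the JSON request body, the token being returned as a JSON string, and the header name `Authorization` are assumptions and must be adapted to your deployment. The transport and clock are injectable so the client can be exercised offline; `demo_token` builds an unsigned JWT-shaped string for that purpose only (real DAP tokens carry an RSA-2048 signature, which this client does not verify; the `exp` claim is read solely to schedule a refresh, never to authorize anything).

```python
"""Token-cached CyberArk API client (added example, not the add-on's own code)."""
import base64
import json
import time
import urllib.request

TOKEN_LIFETIME_SECONDS = 8 * 60   # DAP default token validity stated in the README
REFRESH_MARGIN_SECONDS = 30        # re-authenticate shortly before the token expires


def _urllib_post(url, body, headers):
    """Default transport: POST `body` (dict) as JSON and return the response text."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def jwt_expiry(token):
    """Return the JWT `exp` claim (seconds since epoch) or None if it cannot be read.

    The payload is decoded WITHOUT checking the signature: the value only decides
    when to refresh, it is never used to grant access to anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:                                  # bad base64 / bad JSON / bad UTF-8
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    return int(exp) if isinstance(exp, (int, float)) else None


def demo_token(claims):
    """Build a JWT-shaped string with an EMPTY signature, for offline demos only.
    Real DAP tokens are RSA-2048 signed; never accept a token like this in production."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims) + "."


class CyberArkSession:
    """Logs on once, reuses the token for every call, re-logs on near expiry."""

    def __init__(self, base_url, username, password, post=_urllib_post, clock=time.time):
        self.logon_url = base_url.rstrip("/") + "/Logon"   # assumed Logon path
        self.username = username
        self.password = password
        self._post = post        # injectable transport (offline tests)
        self._clock = clock      # injectable clock (deterministic expiry)
        self._token = None
        self._expires_at = 0.0
        self.logon_count = 0     # how many times the Logon service was called

    def _logon(self):
        raw = self._post(self.logon_url,
                         {"username": self.username, "password": self.password}, {})
        token = json.loads(raw)
        if not isinstance(token, str) or not token:
            raise RuntimeError("Logon did not return a token")
        exp = jwt_expiry(token)
        # Prefer the token's own expiry; fall back to the documented 8-minute default.
        self._expires_at = exp if exp else self._clock() + TOKEN_LIFETIME_SECONDS
        self._token = token
        self.logon_count += 1

    def auth_header(self):
        """Header to attach to an API call; refreshes the token when it is about to expire."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS:
            self._logon()
        return {"Authorization": self._token}

    def call(self, url, body=None):
        """Issue an authenticated POST and return the parsed JSON response."""
        return json.loads(self._post(url, body or {}, self.auth_header()))


if __name__ == "__main__":
    # Offline demo with a constructed transport; no real CyberArk host is contacted.
    now = [1_000_000]

    def fake_post(url, body, headers):
        if url.endswith("/Logon"):
            return '"' + demo_token({"sub": "host/splunk-hf", "exp": now[0] + 480}) + '"'
        return '{"events": []}'

    s = CyberArkSession("https://pvwa.example/api", "svc_splunk", "secret",
                        post=fake_post, clock=lambda: now[0])
    print(s.call("https://pvwa.example/api/data"), "logons:", s.logon_count)
    now[0] += 470                      # within the 30-second refresh margin
    s.auth_header()
    print("logons after approaching expiry:", s.logon_count)
```

Storing the password and the cached token only in memory, and refreshing a little before `exp`, avoids both repeated Logon calls (visible as authentication noise on the CyberArk side) and failed API calls from a token that expired mid-collection.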
The default log level is set to: INFO
The data should be indexed in the index you selected, or in "main" otherwise.
Additionally, you can check the internal log:
Error code categories regarding REST:
For reference, you can check:
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for almost any data source and user need, or simply create your own with help from our developer portal.