What Changed

Major update to the CyberArk EPM (Endpoint Privilege Management) solution. The data connector migrates from the deprecated Log Analytics (HTTP Data Collector) API to Data Collection Rules (DCR) and adopts the OAuth 2.0 client credentials flow for EPM API access.

Security Impact (Visibility & Fidelity)

Critical infrastructure update: once the Log Analytics API is retired, a connector still using it stops ingesting entirely, so CyberArk EPM deployments would have lost all EPM telemetry in Sentinel. This update prevents that blind spot by:

  • Migrating to DCR-based ingestion to maintain privileged access monitoring visibility
  • Implementing OAuth 2.0 authentication for secure EPM API connections
  • Preserving endpoint privilege escalation detection capabilities

The connector continues to ingest:

  • Aggregated events: Summary-level endpoint privilege activities
  • Raw event details: Full forensic context for privilege escalations
  • Policy audits: Privileged access policy violations and changes
  • Policy audit raw events: Detailed compliance and violation data

Technical Details

  • New ingestion method: Replaced the Log Analytics API with DCE/DCR-based ingestion through the Logs Ingestion API
  • Authentication upgrade: OAuth 2.0 client credentials flow replaces legacy authentication
  • Data structure: Maintains existing CyberArkEPM_Events_CL table schema for backward compatibility
  • Function App improvements: Enhanced error handling with retry logic for 403/429 status codes
  • Parser updates: Updated KQL parser logic to accommodate new data flow patterns
  • Hunting queries: Refreshed to work with DCR-ingested data
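To make the DCR path and the 403/429 handling concrete, here is an added example of the ingestion side in Python. It is not the connector's own code: the DCE endpoint, DCR immutable ID, stream name and the event field names are placeholders, and the HTTP client is a constructed fake so the module runs offline. What it relies on from the real service is the Logs Ingestion API URL shape (`{dce}/dataCollectionRules/{dcr-id}/streams/{stream}?api-version=2023-01-01`), a bearer token for scope `https://monitor.azure.com/.default`, a JSON array body capped at 1 MB per request, and `Retry-After` on 429. A 403 from the DCE is normally an authorization problem (the Function's identity lacks Monitoring Metrics Publisher on the DCR, or the role assignment has not propagated yet after deployment), so it is retried a bounded number of times and then surfaced rather than swallowed.

```python
"""Added illustration of DCR-based ingestion with bounded retries on 403/429.
Not the connector's own code. Endpoint, DCR ID, stream name and event fields are
placeholders; the HTTP client is a constructed fake so the module runs offline."""
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, Iterator

# Logs Ingestion API: bearer token for this scope, JSON array body, 1 MB per request.
MONITOR_SCOPE = "https://monitor.azure.com/.default"
MAX_BODY_BYTES = 1_000_000


def ingestion_url(dce_endpoint: str, dcr_immutable_id: str, stream_name: str) -> str:
    """Build the Logs Ingestion API URL for one DCR stream."""
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version=2023-01-01")


def chunk_events(events: Iterable[dict], max_bytes: int = MAX_BODY_BYTES) -> Iterator[list]:
    """Split events into JSON-array batches whose encoded size stays within max_bytes.
    A single oversized event is still emitted on its own; the API will reject it."""
    batch, size = [], 2  # account for the enclosing "[" and "]"
    for event in events:
        encoded = len(json.dumps(event, separators=(",", ":")).encode("utf-8"))
        sep = 1 if batch else 0  # comma between array elements
        if batch and size + sep + encoded > max_bytes:
            yield batch
            batch, size, sep = [], 2, 0
        batch.append(event)
        size += sep + encoded
    if batch:
        yield batch


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def post_with_retry(post: Callable[[str, bytes, dict], Response], url: str, body: bytes,
                    token: str, max_attempts: int = 5, sleep=time.sleep) -> int:
    """POST one batch. 429 waits for Retry-After; 403 backs off exponentially (RBAC on
    a freshly deployed DCR can lag by minutes); any other 4xx fails fast.
    Returns the number of attempts used; raises once retries are exhausted."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        resp = post(url, body, headers)
        if 200 <= resp.status < 300:
            return attempt
        if resp.status == 429:
            wait = float(resp.headers.get("Retry-After", delay))
        elif resp.status == 403:
            wait = delay
        else:
            raise RuntimeError(f"non-retryable HTTP {resp.status} from {url}")
        if attempt == max_attempts:
            hint = (" (check the identity's Monitoring Metrics Publisher role on the DCR)"
                    if resp.status == 403 else "")
            raise RuntimeError(f"HTTP {resp.status} persisted after {attempt} attempts{hint}")
        sleep(wait)
        delay = min(delay * 2, 60.0)


def upload_events(post, dce_endpoint, dcr_immutable_id, stream_name, token,
                  events, sleep=time.sleep) -> int:
    """Chunk and send all events; returns the number of events sent."""
    url = ingestion_url(dce_endpoint, dcr_immutable_id, stream_name)
    sent = 0
    for batch in chunk_events(events):
        body = json.dumps(batch, separators=(",", ":")).encode("utf-8")
        post_with_retry(post, url, body, token, sleep=sleep)
        sent += len(batch)
    return sent


class FakePoster:
    """Constructed stand-in for an HTTP client: replays scripted status codes."""
    def __init__(self, statuses):
        self.statuses, self.calls = list(statuses), []

    def __call__(self, url, body, headers):
        self.calls.append((url, body, headers))
        status = self.statuses.pop(0)
        return Response(status, {"Retry-After": "2"} if status == 429 else {})


# Constructed sample events shaped for a CyberArkEPM_Events_CL-style table
# (field names are illustrative, not the connector's real schema).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "eventType": "ElevationRequest",
     "userName": "jdoe", "fileName": "cmd.exe", "policyName": "Block elevation"},
    {"TimeGenerated": "2024-05-01T10:00:05Z", "eventType": "PolicyAudit",
     "userName": "svc-build", "fileName": "powershell.exe", "policyName": "Audit scripts"},
]


if __name__ == "__main__":
    waits = []
    poster = FakePoster([429, 403, 200])  # throttled, then RBAC lag, then success
    n = upload_events(poster, "https://example-dce.eastus-1.ingest.monitor.azure.com",
                      "dcr-00000000000000000000000000000000", "Custom-CyberArkEPM_Events_CL",
                      "<token>", SAMPLE_EVENTS, sleep=waits.append)
    print(n, "events sent in", len(poster.calls), "attempts; waits:", waits)
```

In a deployed Function the `post` callable would be a real HTTP client and the token would come from the managed identity for `MONITOR_SCOPE`; the injected `sleep` exists so the backoff can be verified without waiting. The stream name `Custom-CyberArkEPM_Events_CL` follows the usual custom-stream naming convention for DCRs and is assumed here, not taken from the connector.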

CyberArk EPM provides critical visibility into endpoint privilege elevation activity and policy violations. That telemetry is essential for detecting privilege abuse and the credential-driven lateral movement covered by MITRE ATT&CK techniques such as T1078 (Valid Accounts) and T1134 (Access Token Manipulation).

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/CyberArkEPM_Events_CL.json
Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/TODO
Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/__init__.py
Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/epm.py
Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/exporter.py
Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/function.json
Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/main.py
Solutions/CyberArkEPM/Data Connectors/CyberArkEPMSentinelConnector/storage.py
Solutions/CyberArkEPM/Data Connectors/CyberArkEPM_API_FunctionApp.json
Solutions/CyberArkEPM/Data Connectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json
Solutions/CyberArkEPM/Data Connectors/host.json
Solutions/CyberArkEPM/Data Connectors/proxies.json
Solutions/CyberArkEPM/Data Connectors/requirements.txt
Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/__init__.py
Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/pyepm.py
Solutions/CyberArkEPM/DataConnectors/CyberArkEPMSentinelConnector/state_manager.py
Solutions/CyberArkEPM/DataConnectors/azuredeploy_Connector_CyberArkEPM_API_AzureFunction.json
Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMRareProcVendors.yaml
Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMScriptsExecuted.yaml
Solutions/CyberArkEPM/Package/testParameters.json
Solutions/CyberArkEPM/Parsers/CyberArkEPM.yaml
Solutions/CyberArkEPM/Workbooks/CyberArkEPM.json
(packaging artefacts: 3.1.0.zip, CyberArkEPMSentinelConn.zip, ReleaseNotes.md, Solution_CyberArkEPM.json, createUiDefinition.json, mainTemplate.json)