
CyberArk Identity Audit Logs

Overview

  • Supported environment: SaaS
  • Detection based on: Audit
  • Supported application or feature:
    • Audit Events

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Configure

How to create credentials

  1. Log in to the CyberArk Administration Console
  2. On the left panel, click the application switcher and click Audit
  3. On the left panel, click SIEM integrations
  4. Click Create SIEM integration
  5. Click the first link to open the CyberArk Identity Administration console
  6. On the left panel, go to Apps & Widgets > Web Apps
  7. Click Add Web Apps
  8. In the popup, click the Custom tab
  9. Look for OAuth2 Server and click Add
  10. Click Yes in the new popup
  11. Type an Application ID, a Name, and a Category
  12. Go to the section Scope
  13. Click the Add button and type isp.audit.events:read in the new entry
  14. Go to the section Token
  15. Select jwtRS256 as token type
  16. Check Client creds as authentication method and uncheck the other options
  17. Go to the section Advanced
  18. Paste the following script

        setClaim('tenant_id', TenantData.Get("CybrTenantID"));
        setClaim('aud', 'cyberark.isp.audit');

  19. Click Save
  20. On the left panel, go to Core Services > Users
  21. On the right panel, select CyberArk Cloud Directory Users, then click Add User
  22. In the section Status, check Is service user and Is OAuth confidential client
  23. Type a login name, a display name, and a password
  24. Click Create User
  25. Click the user and go to the section Application Settings
  26. Click Add
  27. Select the web application previously created
  28. On the left panel, go to Apps & Widgets > Web Apps
  29. Click the application previously created
  30. Go to the section Permissions
  31. Click Add
  32. Look for the user previously created
  33. Check it and click Add
  34. Check Grant, View, Manage, and Delete for the user
  35. Click Save
  36. On the Create SIEM page, type the name and the description of the integration and click Apply

Instructions on Sekoia

Configure Your Intake

This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.

  1. Go to the Sekoia Intake page.
  2. Click on the + New Intake button at the top right of the page.
  3. Search for your Intake by the product name in the search bar.
  4. Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
  5. Click on Create.

Note

For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "uuid": "5fe03d80-98b2-4857-8288-1a0a0ff03e47",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739269449904,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "IDP",
    "auditCode": "IDP2001",
    "auditType": "Info",
    "action": "add-user",
    "userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
    "source": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
    "actionType": "Create",
    "component": "Identity",
    "serviceName": "Identity",
    "accessMethod": null,
    "accountId": null,
    "target": null,
    "command": null,
    "sessionId": null,
    "message": "add-user",
    "customData": {
        "directory_service_id": "38ca614f-6315-4af6-a4ee-f4ea9d5a747c",
        "user_id": "b94d0198-1e2d-4008-9fee-73ce2bd682aa",
        "user_name": "example@cyberark.cloud.xxxxx"
    },
    "cloudProvider": "aws",
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": null,
    "accountName": null,
    "targetPlatform": null,
    "targetAccount": null,
    "identityType": "HUMAN"
}
{
    "uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739156795332,
    "username": "CYBERARKACCOUNTSINTEGRATION",
    "applicationCode": "IDP",
    "auditCode": "IDP2009",
    "auditType": "Info",
    "action": "cloud.core.oauthtoken.create",
    "userId": "9a3416a8-3f8c-49ad-962e-663cc57fd224",
    "source": "1.2.3.4",
    "actionType": "Create",
    "component": "Identity",
    "serviceName": "Identity",
    "accessMethod": null,
    "accountId": null,
    "target": null,
    "command": null,
    "sessionId": null,
    "message": "cloud.core.oauthtoken.create",
    "customData": {
        "start_time": "2/10/2025 3:06:30 AM",
        "is_internal_application": true,
        "end_time": "2/10/2025 3:21:30 AM",
        "client": "__idaptive_cybr_user_oidc",
        "user_guid": "9a3416a8-3f8c-49ad-962e-663cc57fd224",
        "scopes": "openid api profile",
        "token_type": "Id",
        "app_id": "__idaptive_cybr_user_oidc"
    },
    "cloudProvider": "aws",
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": null,
    "accountName": null,
    "targetPlatform": null,
    "targetAccount": null,
    "identityType": "HUMAN"
}
{
    "uuid": "de0c99e4-d692-4b61-96c4-5c5e62639232",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739268304920,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "IDP",
    "auditCode": "IDP6004",
    "auditType": "Info",
    "action": "cloud.saas.application.appmodify",
    "userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
    "source": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
    "actionType": "Edit",
    "component": "Identity",
    "serviceName": "Identity",
    "accessMethod": null,
    "accountId": null,
    "target": null,
    "command": null,
    "sessionId": null,
    "message": "cloud.saas.application.appmodify",
    "customData": {
        "app_url": "",
        "not_self_service": true,
        "service_name": "MyAppId",
        "geoip_latitude": 48.8717,
        "description": "Integration to pull events from CyberArk",
        "app_display_name": "MyApp",
        "geoip_city_name": "Paris",
        "type": "Web",
        "web_app_type": "OAuth",
        "web_app_type_display_name": "Other Type",
        "app_type_display_name": "Web - Other Type",
        "on_prem": false,
        "auth_method": "OAuth2",
        "request_browser_name": "Chrome",
        "geoip_country_name": "France",
        "request_device_os": "Linux",
        "name": "Example",
        "id": "5bdc0c20-b605-4972-be9a-6c93794ec987",
        "category": "Other",
        "geoip_longitude": 2.32075,
        "geoip_country_code": "FR"
    },
    "cloudProvider": "aws",
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": null,
    "accountName": null,
    "targetPlatform": null,
    "targetAccount": null,
    "identityType": "HUMAN"
}
{
    "uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739268337147,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "IDP",
    "auditCode": "IDP6010",
    "auditType": "Info",
    "action": "cloud.saas.application.appdelete",
    "userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
    "source": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
    "actionType": "Delete",
    "component": "Identity",
    "serviceName": "Identity",
    "accessMethod": null,
    "accountId": null,
    "target": null,
    "command": null,
    "sessionId": null,
    "message": "cloud.saas.application.appdelete",
    "customData": {
        "not_self_service": false,
        "service_name": "",
        "geoip_latitude": 48.8717,
        "geoip_city_name": "Paris",
        "type": "Web",
        "web_app_type": "OAuth",
        "on_prem": false,
        "auth_method": "OAuth2",
        "request_browser_name": "Chrome",
        "geoip_country_name": "France",
        "request_device_os": "Linux",
        "name": "Example",
        "id": "5bdc0c20-b605-4972-be9a-6c93794ec987",
        "geoip_longitude": 2.32075,
        "geoip_country_code": "FR"
    },
    "cloudProvider": "aws",
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": null,
    "accountName": null,
    "targetPlatform": null,
    "targetAccount": null,
    "identityType": "HUMAN"
}
{
    "uuid": "f6397849-56d5-4bb3-b6ed-bdda7f15051f",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739363055593,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM",
    "auditCode": "PAM00032",
    "auditType": "Info",
    "action": "Add Owner",
    "userId": "john.doe@cyberark.cloud.xxxxx",
    "source": "PVWA",
    "actionType": "Edit",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": "",
    "target": "",
    "command": null,
    "sessionId": null,
    "message": "",
    "customData": {
        "PAM": {
            "new_target": "",
            "target": "PVWAGWUser"
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "Integration safe",
    "accountName": "",
    "targetPlatform": "",
    "targetAccount": "",
    "identityType": null
}
{
    "uuid": "fee8499d-faf4-41bf-bb30-45475d2d1056",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739147898151,
    "username": "PVWAGWUser",
    "applicationCode": "PAM",
    "auditCode": "PAM00088",
    "auditType": "Info",
    "action": "Set Password",
    "userId": "PVWAGWUser",
    "source": "PVWAAPP",
    "actionType": "Password",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": null,
    "target": "",
    "command": null,
    "sessionId": null,
    "message": "",
    "customData": {
        "PAM": {
            "new_target": "",
            "target": ""
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "",
    "accountName": "",
    "targetPlatform": "",
    "targetAccount": "",
    "identityType": null
}
{
    "uuid": "fe2b3e00-d8f9-4942-aa63-5fcaebc489f2",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739266337571,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM",
    "auditCode": "PAM00099",
    "auditType": "Info",
    "action": "Open File",
    "userId": "john.doe@cyberark.cloud.xxxxx",
    "source": "PVWA",
    "actionType": "Execute",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": null,
    "target": "",
    "command": null,
    "sessionId": null,
    "message": "",
    "customData": {
        "PAM": {
            "new_target": "",
            "target": "Root\\PVConfiguration.xml"
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "PVWAConfig",
    "accountName": "",
    "targetPlatform": "",
    "targetAccount": "",
    "identityType": null
}
{
    "uuid": "b81f8a47-19db-4a7f-ad8b-3f855fcf868d",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739363115168,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM",
    "auditCode": "PAM00105",
    "auditType": "Info",
    "action": "Add File Category",
    "userId": "john.doe@cyberark.cloud.xxxxx",
    "source": "PVWA",
    "actionType": "Create",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": "15_3",
    "target": "127.0.0.1",
    "command": null,
    "sessionId": null,
    "message": "Value=[PVWA]",
    "customData": {
        "PAM": {
            "new_target": "CreationMethod",
            "target": "Root\\Operating System-UnixSSH-127.0.0.1-integrationteam"
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "Integration safe",
    "accountName": "Operating System-UnixSSH-127.0.0.1-integrationteam",
    "targetPlatform": "UnixSSH",
    "targetAccount": "integrationteam",
    "identityType": null
}
{
    "uuid": "fc32fb82-5321-46f8-811d-4de63e539e5a",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739363055534,
    "username": "mjohn.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM",
    "auditCode": "PAM00185",
    "auditType": "Info",
    "action": "Add Safe",
    "userId": "john.doe@cyberark.cloud.xxxxx",
    "source": "PVWA",
    "actionType": "Execute",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": "",
    "target": "",
    "command": null,
    "sessionId": null,
    "message": "",
    "customData": {
        "PAM": {
            "new_target": "",
            "target": ""
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "Integration safe",
    "accountName": "",
    "targetPlatform": "",
    "targetAccount": "",
    "identityType": null
}
{
    "uuid": "f0db2c85-adf5-402d-9adc-f8d35eb49154",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739363055693,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM",
    "auditCode": "PAM00273",
    "auditType": "Info",
    "action": "Remove Owner",
    "userId": "john.doe@cyberark.cloud.xxxxx",
    "source": "PVWA",
    "actionType": "Edit",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": "",
    "target": "",
    "command": null,
    "sessionId": null,
    "message": "",
    "customData": {
        "PAM": {
            "new_target": "",
            "target": "PVWAGWUser"
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "Integration safe",
    "accountName": "",
    "targetPlatform": "",
    "targetAccount": "",
    "identityType": null
}
{
    "uuid": "09ad5ce5-996b-406c-a6cc-4ef0f3869d4c",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739363114854,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM",
    "auditCode": "PAM00294",
    "auditType": "Info",
    "action": "Store password",
    "userId": "john.doe@cyberark.cloud.xxxxx",
    "source": "PVWA",
    "actionType": "Password",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": "15_3",
    "target": "",
    "command": null,
    "sessionId": null,
    "message": "",
    "customData": {
        "PAM": {
            "new_target": "",
            "target": "Root\\Operating System-UnixSSH-127.0.0.1-integrationteam"
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "Integration safe",
    "accountName": "Operating System-UnixSSH-127.0.0.1-integrationteam",
    "targetPlatform": "",
    "targetAccount": "",
    "identityType": null
}
{
    "uuid": "6f00a100-43af-4787-a22e-567ca5c9845a",
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
    "timestamp": 1739363136939,
    "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM",
    "auditCode": "PAM00295",
    "auditType": "Info",
    "action": "Retrieve password",
    "userId": "john.doe@cyberark.cloud.xxxxx",
    "source": "PVWA",
    "actionType": "Password",
    "component": "Vault",
    "serviceName": "Privilege Cloud",
    "accessMethod": null,
    "accountId": "15_3",
    "target": "127.0.0.1",
    "command": null,
    "sessionId": null,
    "message": "(Action: Copy Password)access",
    "customData": {
        "PAM": {
            "new_target": "",
            "target": "Root\\Operating System-UnixSSH-127.0.0.1-integrationteam"
        }
    },
    "cloudProvider": null,
    "cloudWorkspacesAndRoles": [],
    "cloudIdentities": null,
    "cloudAssets": null,
    "safe": "Integration safe",
    "accountName": "Operating System-UnixSSH-127.0.0.1-integrationteam",
    "targetPlatform": "UnixSSH",
    "targetAccount": "integrationteam",
    "identityType": null
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

No related built-in rules were found. This message is automatically generated.

Event Categories

The following table lists the data sources offered by this integration.

Data Source          Description
Application logs     None
Authentication logs  None

In detail, the following table lists the types of events produced by this integration.

Name      Values
Kind      (none)
Category  authentication, configuration, iam
Type      access, change, creation, deletion, info, start

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
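As an added example (not Sekoia's parser, whose logic is not published on this page), the following Python reproduces the raw-to-ECS mapping that can be read off the raw and transformed samples: the per-auditCode event.category/event.type table, epoch milliseconds to @timestamp, the source field becoming source.ip for Identity events but observer.name for PAM events, e-mail usernames versus service accounts, and the PAM backslash target becoming file.path. The actionType-based fallback for audit codes not present in the samples and the "info" default are assumptions; the two sample inputs are the page's "add-user" and "Open File" records trimmed to the fields the mapper reads.

```python
import ipaddress
import json
from datetime import datetime, timezone

# event.category / event.type per audit code, read off the transformed samples;
# codes not listed here fall back on the raw actionType below (assumption).
CODE_MAP = {
    "IDP2001": ("configuration", "creation"), "IDP2009": ("authentication", "start"),
    "IDP6004": ("configuration", "change"), "IDP6010": ("configuration", "deletion"),
    "PAM00032": ("configuration", "creation"), "PAM00088": ("configuration", "change"),
    "PAM00099": ("configuration", "access"),
}
ACTION_TYPE_FALLBACK = {"Create": "creation", "Edit": "change", "Delete": "deletion",
                        "Execute": "access", "Password": "change"}


def _as_ip(value):
    # Return value as a normalised IPv4/IPv6 string, or None if it is not an address
    try:
        return str(ipaddress.ip_address(value))
    except (ValueError, TypeError):
        return None


def normalize(raw):
    """Map one raw audit event (JSON text) onto the ECS layout of the samples."""
    ev = json.loads(raw)
    code = ev.get("auditCode")
    fallback = ACTION_TYPE_FALLBACK.get(ev.get("actionType"), "info")
    category, etype = CODE_MAP.get(code, ("configuration", fallback))
    ts = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
    out = {
        "message": raw,
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "event": {"action": ev.get("action"), "category": [category], "code": code,
                  "dataset": ev.get("applicationCode"), "provider": ev.get("component"),
                  "type": [etype]},
        "observer": {"product": ev.get("serviceName"), "vendor": "CyberArk"},
        "organization": {"id": ev.get("tenantId")},
        "cyberark": {"audit": {"uuid": ev.get("uuid")}},
        "related": {},
        "user": {},
    }
    if ev.get("message"):          # PAM events usually leave this empty
        out["event"]["reason"] = ev["message"]
    if ev.get("cloudProvider"):
        out["cloud"] = {"provider": ev["cloudProvider"]}
    if ev.get("safe"):
        out["cyberark"]["audit"]["safe"] = ev["safe"]
    # "source" is the client IP for Identity events but a component name for PAM
    ip = _as_ip(ev.get("source"))
    if ip:
        out["source"] = {"address": ip, "ip": ip}
        out["related"]["ip"] = [ip]
    elif ev.get("source"):
        out["observer"]["name"] = ev["source"]
    # e-mail style usernames become user.email; service accounts become user.name
    user = ev.get("username")
    if user and "@" in user:
        out["user"]["email"] = user
    elif user:
        out["user"]["name"] = user
        out["related"]["user"] = [user]
    if ev.get("userId"):
        out["user"]["id"] = ev["userId"]
    custom = ev.get("customData") or {}
    if custom.get("user_id") or custom.get("user_name"):   # affected account
        out["user"]["target"] = {"email": custom.get("user_name"), "id": custom.get("user_id")}
    if custom.get("directory_service_id"):
        out["cyberark"]["audit"]["directory_service_id"] = custom["directory_service_id"]
    # PAM "Open File" names the vault object as a backslash path in customData.PAM.target
    pam_target = (custom.get("PAM") or {}).get("target")
    if ev.get("action") == "Open File" and pam_target:
        out["file"] = {"path": pam_target, "name": pam_target.rsplit("\\", 1)[-1]}
    return {k: v for k, v in out.items() if v}   # drop empty related/user blocks


# Sample inputs: the page's "add-user" and PAM "Open File" raw events, trimmed to
# the fields the mapper reads (abbreviated here, not the full records above).
SAMPLE_ADD_USER = json.dumps({
    "uuid": "5fe03d80-98b2-4857-8288-1a0a0ff03e47", "timestamp": 1739269449904,
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca", "auditCode": "IDP2001",
    "username": "john.doe@cyberark.cloud.xxxxx", "applicationCode": "IDP",
    "userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69", "action": "add-user",
    "source": "2a01:e34:ec57:b230:f188:56c5:7089:d987", "actionType": "Create",
    "component": "Identity", "serviceName": "Identity", "message": "add-user",
    "cloudProvider": "aws", "safe": None, "customData": {
        "directory_service_id": "38ca614f-6315-4af6-a4ee-f4ea9d5a747c",
        "user_id": "b94d0198-1e2d-4008-9fee-73ce2bd682aa",
        "user_name": "example@cyberark.cloud.xxxxx"}})
SAMPLE_OPEN_FILE = json.dumps({
    "uuid": "fe2b3e00-d8f9-4942-aa63-5fcaebc489f2", "timestamp": 1739266337571,
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca", "auditCode": "PAM00099",
    "username": "john.doe@cyberark.cloud.xxxxx", "applicationCode": "PAM",
    "userId": "john.doe@cyberark.cloud.xxxxx", "action": "Open File",
    "source": "PVWA", "actionType": "Execute", "component": "Vault",
    "serviceName": "Privilege Cloud", "message": "", "cloudProvider": None,
    "safe": "PVWAConfig", "customData": {"PAM": {"new_target": "",
        "target": "Root\\PVConfiguration.xml"}}})
```

Running `normalize(SAMPLE_ADD_USER)` and `normalize(SAMPLE_OPEN_FILE)` yields the same field layout as the first and the "Open File" transformed samples below, which is a quick way to check a custom parser stage against the documented output.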

{
    "message": "{\"uuid\": \"5fe03d80-98b2-4857-8288-1a0a0ff03e47\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739269449904, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP2001\", \"auditType\": \"Info\", \"action\": \"add-user\", \"userId\": \"7f93b762-618e-4e6e-b6dd-36ab6fc13e69\", \"source\": \"2a01:e34:ec57:b230:f188:56c5:7089:d987\", \"actionType\": \"Create\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"add-user\", \"customData\": {\"directory_service_id\": \"38ca614f-6315-4af6-a4ee-f4ea9d5a747c\", \"user_id\": \"b94d0198-1e2d-4008-9fee-73ce2bd682aa\", \"user_name\": \"example@cyberark.cloud.xxxxx\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
    "event": {
        "action": "add-user",
        "category": [
            "configuration"
        ],
        "code": "IDP2001",
        "dataset": "IDP",
        "provider": "Identity",
        "reason": "add-user",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2025-02-11T10:24:09.904000Z",
    "cloud": {
        "provider": "aws"
    },
    "cyberark": {
        "audit": {
            "directory_service_id": "38ca614f-6315-4af6-a4ee-f4ea9d5a747c",
            "uuid": "5fe03d80-98b2-4857-8288-1a0a0ff03e47"
        }
    },
    "observer": {
        "product": "Identity",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "ip": [
            "2a01:e34:ec57:b230:f188:56c5:7089:d987"
        ]
    },
    "source": {
        "address": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
        "ip": "2a01:e34:ec57:b230:f188:56c5:7089:d987"
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
        "target": {
            "email": "example@cyberark.cloud.xxxxx",
            "id": "b94d0198-1e2d-4008-9fee-73ce2bd682aa"
        }
    }
}
{
    "message": "{\"uuid\": \"66f9ee7e-8d2d-4a32-9997-4f5beaeffa98\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739156795332, \"username\": \"CYBERARKACCOUNTSINTEGRATION\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP2009\", \"auditType\": \"Info\", \"action\": \"cloud.core.oauthtoken.create\", \"userId\": \"9a3416a8-3f8c-49ad-962e-663cc57fd224\", \"source\": \"1.2.3.4\", \"actionType\": \"Create\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"cloud.core.oauthtoken.create\", \"customData\": {\"start_time\": \"2/10/2025 3:06:30 AM\", \"is_internal_application\": true, \"end_time\": \"2/10/2025 3:21:30 AM\", \"client\": \"__idaptive_cybr_user_oidc\", \"user_guid\": \"9a3416a8-3f8c-49ad-962e-663cc57fd224\", \"scopes\": \"openid api profile\", \"token_type\": \"Id\", \"app_id\": \"__idaptive_cybr_user_oidc\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
    "event": {
        "action": "cloud.core.oauthtoken.create",
        "category": [
            "authentication"
        ],
        "code": "IDP2009",
        "dataset": "IDP",
        "provider": "Identity",
        "reason": "cloud.core.oauthtoken.create",
        "type": [
            "start"
        ]
    },
    "@timestamp": "2025-02-10T03:06:35.332000Z",
    "cloud": {
        "provider": "aws"
    },
    "cyberark": {
        "audit": {
            "uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98"
        }
    },
    "observer": {
        "product": "Identity",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "CYBERARKACCOUNTSINTEGRATION"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "user": {
        "id": "9a3416a8-3f8c-49ad-962e-663cc57fd224",
        "name": "CYBERARKACCOUNTSINTEGRATION"
    }
}
{
    "message": "{\"uuid\": \"de0c99e4-d692-4b61-96c4-5c5e62639232\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739268304920, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP6004\", \"auditType\": \"Info\", \"action\": \"cloud.saas.application.appmodify\", \"userId\": \"7f93b762-618e-4e6e-b6dd-36ab6fc13e69\", \"source\": \"2a01:e34:ec57:b230:f188:56c5:7089:d987\", \"actionType\": \"Edit\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"cloud.saas.application.appmodify\", \"customData\": {\"app_url\": \"\", \"not_self_service\": true, \"service_name\": \"MyAppId\", \"geoip_latitude\": 48.8717, \"description\": \"Integration to pull events from CyberArk\", \"app_display_name\": \"MyApp\", \"geoip_city_name\": \"Paris\", \"type\": \"Web\", \"web_app_type\": \"OAuth\", \"web_app_type_display_name\": \"Other Type\", \"app_type_display_name\": \"Web - Other Type\", \"on_prem\": false, \"auth_method\": \"OAuth2\", \"request_browser_name\": \"Chrome\", \"geoip_country_name\": \"France\", \"request_device_os\": \"Linux\", \"name\": \"Example\", \"id\": \"5bdc0c20-b605-4972-be9a-6c93794ec987\", \"category\": \"Other\", \"geoip_longitude\": 2.32075, \"geoip_country_code\": \"FR\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
    "event": {
        "action": "cloud.saas.application.appmodify",
        "category": [
            "configuration"
        ],
        "code": "IDP6004",
        "dataset": "IDP",
        "provider": "Identity",
        "reason": "cloud.saas.application.appmodify",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2025-02-11T10:05:04.920000Z",
    "cloud": {
        "provider": "aws"
    },
    "cyberark": {
        "audit": {
            "application": {
                "description": "Integration to pull events from CyberArk",
                "display_name": "MyApp",
                "id": "5bdc0c20-b605-4972-be9a-6c93794ec987",
                "service_name": "MyAppId"
            },
            "uuid": "de0c99e4-d692-4b61-96c4-5c5e62639232"
        }
    },
    "host": {
        "os": {
            "platform": "Linux"
        }
    },
    "observer": {
        "product": "Identity",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "ip": [
            "2a01:e34:ec57:b230:f188:56c5:7089:d987"
        ]
    },
    "source": {
        "address": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
        "geo": {
            "city_name": "Paris",
            "country_iso_code": "FR",
            "country_name": "France"
        },
        "ip": "2a01:e34:ec57:b230:f188:56c5:7089:d987"
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69"
    },
    "user_agent": {
        "name": "Chrome"
    }
}
{
    "message": "{\"uuid\": \"66f9ee7e-8d2d-4a32-9997-4f5beaeffa98\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739268337147, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP6010\", \"auditType\": \"Info\", \"action\": \"cloud.saas.application.appdelete\", \"userId\": \"7f93b762-618e-4e6e-b6dd-36ab6fc13e69\", \"source\": \"2a01:e34:ec57:b230:f188:56c5:7089:d987\", \"actionType\": \"Delete\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"cloud.saas.application.appdelete\", \"customData\": {\"not_self_service\": false, \"service_name\": \"\", \"geoip_latitude\": 48.8717, \"geoip_city_name\": \"Paris\", \"type\": \"Web\", \"web_app_type\": \"OAuth\", \"on_prem\": false, \"auth_method\": \"OAuth2\", \"request_browser_name\": \"Chrome\", \"geoip_country_name\": \"France\", \"request_device_os\": \"Linux\", \"name\": \"Example\", \"id\": \"5bdc0c20-b605-4972-be9a-6c93794ec987\", \"geoip_longitude\": 2.32075, \"geoip_country_code\": \"FR\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
    "event": {
        "action": "cloud.saas.application.appdelete",
        "category": [
            "configuration"
        ],
        "code": "IDP6010",
        "dataset": "IDP",
        "provider": "Identity",
        "reason": "cloud.saas.application.appdelete",
        "type": [
            "deletion"
        ]
    },
    "@timestamp": "2025-02-11T10:05:37.147000Z",
    "cloud": {
        "provider": "aws"
    },
    "cyberark": {
        "audit": {
            "uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98"
        }
    },
    "host": {
        "os": {
            "platform": "Linux"
        }
    },
    "observer": {
        "product": "Identity",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "ip": [
            "2a01:e34:ec57:b230:f188:56c5:7089:d987"
        ]
    },
    "source": {
        "address": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
        "geo": {
            "city_name": "Paris",
            "country_iso_code": "FR",
            "country_name": "France"
        },
        "ip": "2a01:e34:ec57:b230:f188:56c5:7089:d987"
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69"
    },
    "user_agent": {
        "name": "Chrome"
    }
}
{
    "message": "{\"uuid\": \"f6397849-56d5-4bb3-b6ed-bdda7f15051f\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363055593, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00032\", \"auditType\": \"Info\", \"action\": \"Add Owner\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Edit\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"PVWAGWUser\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
    "event": {
        "action": "Add Owner",
        "category": [
            "configuration"
        ],
        "code": "PAM00032",
        "dataset": "PAM",
        "provider": "Vault",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2025-02-12T12:24:15.593000Z",
    "cyberark": {
        "audit": {
            "safe": "Integration safe",
            "uuid": "f6397849-56d5-4bb3-b6ed-bdda7f15051f"
        }
    },
    "observer": {
        "name": "PVWA",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "john.doe@cyberark.cloud.xxxxx"
    }
}
{
    "message": "{\"uuid\": \"fee8499d-faf4-41bf-bb30-45475d2d1056\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739147898151, \"username\": \"PVWAGWUser\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00088\", \"auditType\": \"Info\", \"action\": \"Set Password\", \"userId\": \"PVWAGWUser\", \"source\": \"PVWAAPP\", \"actionType\": \"Password\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": null, \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
    "event": {
        "action": "Set Password",
        "category": [
            "configuration"
        ],
        "code": "PAM00088",
        "dataset": "PAM",
        "provider": "Vault",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2025-02-10T00:38:18.151000Z",
    "cyberark": {
        "audit": {
            "uuid": "fee8499d-faf4-41bf-bb30-45475d2d1056"
        }
    },
    "observer": {
        "name": "PVWAAPP",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "user": [
            "PVWAGWUser"
        ]
    },
    "user": {
        "id": "PVWAGWUser",
        "name": "PVWAGWUser"
    }
}
{
    "message": "{\"uuid\": \"fe2b3e00-d8f9-4942-aa63-5fcaebc489f2\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739266337571, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00099\", \"auditType\": \"Info\", \"action\": \"Open File\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Execute\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": null, \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"Root\\\\PVConfiguration.xml\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"PVWAConfig\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
    "event": {
        "action": "Open File",
        "category": [
            "configuration"
        ],
        "code": "PAM00099",
        "dataset": "PAM",
        "provider": "Vault",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2025-02-11T09:32:17.571000Z",
    "cyberark": {
        "audit": {
            "safe": "PVWAConfig",
            "uuid": "fe2b3e00-d8f9-4942-aa63-5fcaebc489f2"
        }
    },
    "file": {
        "name": "PVConfiguration.xml",
        "path": "Root\\PVConfiguration.xml"
    },
    "observer": {
        "name": "PVWA",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "john.doe@cyberark.cloud.xxxxx"
    }
}
{
    "message": "{\"uuid\": \"b81f8a47-19db-4a7f-ad8b-3f855fcf868d\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363115168, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00105\", \"auditType\": \"Info\", \"action\": \"Add File Category\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Create\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"15_3\", \"target\": \"127.0.0.1\", \"command\": null, \"sessionId\": null, \"message\": \"Value=[PVWA]\", \"customData\": {\"PAM\": {\"new_target\": \"CreationMethod\", \"target\": \"Root\\\\Operating System-UnixSSH-127.0.0.1-integrationteam\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"Operating System-UnixSSH-127.0.0.1-integrationteam\", \"targetPlatform\": \"UnixSSH\", \"targetAccount\": \"integrationteam\", \"identityType\": null}",
    "event": {
        "action": "Add File Category",
        "category": [
            "configuration"
        ],
        "code": "PAM00105",
        "dataset": "PAM",
        "provider": "Vault",
        "reason": "Value=[PVWA]",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2025-02-12T12:25:15.168000Z",
    "cyberark": {
        "audit": {
            "account_id": "15_3",
            "account_name": "Operating System-UnixSSH-127.0.0.1-integrationteam",
            "new_target": "CreationMethod",
            "safe": "Integration safe",
            "target_platform": "UnixSSH",
            "uuid": "b81f8a47-19db-4a7f-ad8b-3f855fcf868d"
        }
    },
    "destination": {
        "address": "127.0.0.1",
        "ip": "127.0.0.1"
    },
    "observer": {
        "name": "PVWA",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "Operating System-UnixSSH-127.0.0.1-integrationteam"
        ]
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "john.doe@cyberark.cloud.xxxxx",
        "target": {
            "domain": "Root",
            "name": "Operating System-UnixSSH-127.0.0.1-integrationteam"
        }
    }
}
{
    "message": "{\"uuid\": \"fc32fb82-5321-46f8-811d-4de63e539e5a\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363055534, \"username\": \"mjohn.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00185\", \"auditType\": \"Info\", \"action\": \"Add Safe\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Execute\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
    "event": {
        "action": "Add Safe",
        "category": [
            "configuration"
        ],
        "code": "PAM00185",
        "dataset": "PAM",
        "provider": "Vault",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2025-02-12T12:24:15.534000Z",
    "cyberark": {
        "audit": {
            "safe": "Integration safe",
            "uuid": "fc32fb82-5321-46f8-811d-4de63e539e5a"
        }
    },
    "observer": {
        "name": "PVWA",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "user": {
        "email": "mjohn.doe@cyberark.cloud.xxxxx",
        "id": "john.doe@cyberark.cloud.xxxxx"
    }
}
{
    "message": "{\"uuid\": \"f0db2c85-adf5-402d-9adc-f8d35eb49154\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363055693, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00273\", \"auditType\": \"Info\", \"action\": \"Remove Owner\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Edit\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"PVWAGWUser\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
    "event": {
        "action": "Remove Owner",
        "category": [
            "configuration"
        ],
        "code": "PAM00273",
        "dataset": "PAM",
        "provider": "Vault",
        "type": [
            "deletion"
        ]
    },
    "@timestamp": "2025-02-12T12:24:15.693000Z",
    "cyberark": {
        "audit": {
            "safe": "Integration safe",
            "uuid": "f0db2c85-adf5-402d-9adc-f8d35eb49154"
        }
    },
    "observer": {
        "name": "PVWA",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "john.doe@cyberark.cloud.xxxxx"
    }
}
{
    "message": "{\"uuid\": \"09ad5ce5-996b-406c-a6cc-4ef0f3869d4c\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363114854, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00294\", \"auditType\": \"Info\", \"action\": \"Store password\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Password\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"15_3\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"Root\\\\Operating System-UnixSSH-127.0.0.1-integrationteam\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"Operating System-UnixSSH-127.0.0.1-integrationteam\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
    "event": {
        "action": "Store password",
        "category": [
            "configuration"
        ],
        "code": "PAM00294",
        "dataset": "PAM",
        "provider": "Vault",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2025-02-12T12:25:14.854000Z",
    "cyberark": {
        "audit": {
            "account_id": "15_3",
            "account_name": "Operating System-UnixSSH-127.0.0.1-integrationteam",
            "safe": "Integration safe",
            "uuid": "09ad5ce5-996b-406c-a6cc-4ef0f3869d4c"
        }
    },
    "observer": {
        "name": "PVWA",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "user": [
            "Operating System-UnixSSH-127.0.0.1-integrationteam"
        ]
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "john.doe@cyberark.cloud.xxxxx",
        "target": {
            "domain": "Root",
            "name": "Operating System-UnixSSH-127.0.0.1-integrationteam"
        }
    }
}
{
    "message": "{\"uuid\": \"6f00a100-43af-4787-a22e-567ca5c9845a\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363136939, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00295\", \"auditType\": \"Info\", \"action\": \"Retrieve password\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Password\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"15_3\", \"target\": \"127.0.0.1\", \"command\": null, \"sessionId\": null, \"message\": \"(Action: Copy Password)access\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"Root\\\\Operating System-UnixSSH-127.0.0.1-integrationteam\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"Operating System-UnixSSH-127.0.0.1-integrationteam\", \"targetPlatform\": \"UnixSSH\", \"targetAccount\": \"integrationteam\", \"identityType\": null}",
    "event": {
        "action": "Retrieve password",
        "category": [
            "configuration"
        ],
        "code": "PAM00295",
        "dataset": "PAM",
        "provider": "Vault",
        "reason": "(Action: Copy Password)access",
        "type": [
            "access"
        ]
    },
    "@timestamp": "2025-02-12T12:25:36.939000Z",
    "cyberark": {
        "audit": {
            "account_id": "15_3",
            "account_name": "Operating System-UnixSSH-127.0.0.1-integrationteam",
            "safe": "Integration safe",
            "target_platform": "UnixSSH",
            "uuid": "6f00a100-43af-4787-a22e-567ca5c9845a"
        }
    },
    "destination": {
        "address": "127.0.0.1",
        "ip": "127.0.0.1"
    },
    "observer": {
        "name": "PVWA",
        "product": "Privilege Cloud",
        "vendor": "CyberArk"
    },
    "organization": {
        "id": "43de6333-65f1-4626-aeec-2cff238e61ca"
    },
    "related": {
        "ip": [
            "127.0.0.1"
        ],
        "user": [
            "Operating System-UnixSSH-127.0.0.1-integrationteam"
        ]
    },
    "user": {
        "email": "john.doe@cyberark.cloud.xxxxx",
        "id": "john.doe@cyberark.cloud.xxxxx",
        "target": {
            "domain": "Root",
            "name": "Operating System-UnixSSH-127.0.0.1-integrationteam"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

| Name | Type | Description |
| --- | --- | --- |
| @timestamp | date | Date/time when the event originated. |
| cloud.provider | keyword | Name of the cloud provider. |
| cyberark.audit.account_id | keyword | |
| cyberark.audit.account_name | keyword | |
| cyberark.audit.application.description | keyword | |
| cyberark.audit.application.display_name | keyword | |
| cyberark.audit.application.id | keyword | |
| cyberark.audit.application.service_name | keyword | |
| cyberark.audit.directory_service_id | keyword | |
| cyberark.audit.new_target | keyword | |
| cyberark.audit.safe | keyword | |
| cyberark.audit.session_id | keyword | |
| cyberark.audit.target_platform | keyword | |
| cyberark.audit.uuid | keyword | |
| destination.ip | ip | IP address of the destination. |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.code | keyword | Identification code for this event. |
| event.dataset | keyword | Name of the dataset. |
| event.provider | keyword | Source of the event. |
| event.reason | keyword | Reason why this event happened, according to the source. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| file.name | keyword | Name of the file including the extension, without the directory. |
| file.path | keyword | Full path to the file, including the file name. |
| host.os.platform | keyword | Operating system platform (such as centos, ubuntu, windows). |
| observer.name | keyword | Custom name of the observer. |
| observer.product | keyword | The product name of the observer. |
| observer.vendor | keyword | Vendor name of the observer. |
| organization.id | keyword | Unique identifier for the organization. |
| source.geo.city_name | keyword | City name. |
| source.geo.country_iso_code | keyword | Country ISO code. |
| source.geo.country_name | keyword | Country name. |
| source.ip | ip | IP address of the source. |
| user.email | keyword | User email address. |
| user.id | keyword | Unique identifier of the user. |
| user.name | keyword | Short name or login of the user. |
| user.target.domain | keyword | Name of the directory the user is a member of. |
| user.target.email | keyword | User email address. |
| user.target.id | keyword | Unique identifier of the user. |
| user.target.name | keyword | Short name or login of the user. |
| user_agent.name | keyword | Name of the user agent. |

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
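The normalization the table above describes, shown as an added example rather than the intake's or CyberArk's own parser code: it parses the JSON string carried in `message` and produces the ECS fields listed, with the mapping read off the sample events on this page. `EVENT_TYPE_BY_CODE`, the constant `configuration` category, the e-mail heuristic that decides between `user.email` and `user.name`, and the `password_retrievals` helper are assumptions made for this example; the sample records are constructed from three of the events shown above.

```python
# Added example (not the vendor's or the intake's own parser): maps the raw JSON carried in
# 'message' to the ECS fields listed above. The mapping is read off this page's samples;
# EVENT_TYPE_BY_CODE knows only the audit codes seen there and assumes "info" otherwise.
import ipaddress
import json
from datetime import datetime, timedelta, timezone

EVENT_TYPE_BY_CODE = {  # event.type per auditCode, as observed in the samples above
    "PAM00032": "creation", "PAM00088": "change", "PAM00099": "access", "PAM00105": "creation",
    "PAM00185": "creation", "PAM00273": "deletion", "PAM00294": "change", "PAM00295": "access"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_timestamp(epoch_ms: int) -> str:
    """Epoch milliseconds -> '2025-02-10T00:38:18.151000Z', exact (no float division)."""
    return (EPOCH + timedelta(milliseconds=epoch_ms)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def normalize(message: str) -> dict:
    """Parse the JSON string from the 'message' field and map it to the ECS fields above."""
    raw = json.loads(message)
    pam = (raw.get("customData") or {}).get("PAM") or {}
    target_path, target = pam.get("target") or "", raw.get("target") or ""
    code = raw["auditCode"]
    ecs = {
        "@timestamp": to_timestamp(raw["timestamp"]),
        "event": {"action": raw["action"], "category": ["configuration"],  # constant in all samples
                  "code": code, "dataset": raw["applicationCode"], "provider": raw["component"],
                  "type": [EVENT_TYPE_BY_CODE.get(code, "info")]},
        "observer": {"name": raw["source"], "product": raw["serviceName"], "vendor": "CyberArk"},
        "organization": {"id": raw["tenantId"]},
        "cyberark": {"audit": {"uuid": raw["uuid"]}},
        "related": {},
    }
    if raw.get("message"):  # free-text detail such as '(Action: Copy Password)access'
        ecs["event"]["reason"] = raw["message"]
    audit = ecs["cyberark"]["audit"]  # optional cyberark.audit.* keys: emitted only when non-empty
    for raw_key, ecs_key in (("accountId", "account_id"), ("accountName", "account_name"),
                             ("safe", "safe"), ("targetPlatform", "target_platform")):
        if raw.get(raw_key):
            audit[ecs_key] = raw[raw_key]
    if pam.get("new_target"):
        audit["new_target"] = pam["new_target"]
    # Actor: an e-mail style userId gives user.email/user.id, a plain login user.id/user.name.
    user_id, username = raw["userId"], raw["username"]
    if "@" in user_id:
        ecs["user"] = {"email": username, "id": user_id}
    else:
        ecs["user"] = {"id": user_id, "name": username}
        ecs["related"].setdefault("user", []).append(username)
    if raw.get("accountName"):  # vaulted account acted on -> user.target; domain = path root
        dom = target_path.split("\\")[0] if "\\" in target_path else None
        ecs["user"]["target"] = {"name": raw["accountName"], **({"domain": dom} if dom else {})}
        ecs["related"].setdefault("user", []).append(raw["accountName"])
    if raw["action"] == "Open File" and target_path:  # e.g. 'Root\\PVConfiguration.xml'
        ecs["file"] = {"name": target_path.split("\\")[-1], "path": target_path}
    try:  # a bare IP in 'target' is the destination host
        ipaddress.ip_address(target)
        ecs["destination"] = {"address": target, "ip": target}
        ecs["related"]["ip"] = [target]
    except ValueError:
        pass
    if not ecs["related"]:
        del ecs["related"]
    return ecs

def password_retrievals(messages) -> list:
    """Defender's view over a batch: (actor, vaulted account, safe) for each PAM00295 event."""
    hits = []
    for e in map(normalize, messages):
        if e["event"]["code"] == "PAM00295":
            audit = e["cyberark"]["audit"]
            hits.append((e["user"]["id"], audit.get("account_name", ""), audit.get("safe", "")))
    return hits

def _raw(**fields) -> str:
    """Constructed raw record (keys as in the samples above), serialised like 'message'."""
    base = {"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca", "applicationCode": "PAM",
            "component": "Vault", "serviceName": "Privilege Cloud", "accountId": "", "target": "",
            "message": "", "safe": "", "accountName": "", "targetPlatform": "",
            "customData": {"PAM": {"new_target": "", "target": ""}}}
    return json.dumps({**base, **fields})

ACCOUNT = "Operating System-UnixSSH-127.0.0.1-integrationteam"
ACTOR = "john.doe@cyberark.cloud.xxxxx"
SAMPLES = [  # constructed test data modelled on three of the samples shown on this page
    _raw(uuid="fee8499d-faf4-41bf-bb30-45475d2d1056", timestamp=1739147898151, username="PVWAGWUser",
         userId="PVWAGWUser", auditCode="PAM00088", action="Set Password", source="PVWAAPP"),
    _raw(uuid="fe2b3e00-d8f9-4942-aa63-5fcaebc489f2", timestamp=1739266337571, username=ACTOR,
         userId=ACTOR, auditCode="PAM00099", action="Open File", source="PVWA", safe="PVWAConfig",
         customData={"PAM": {"new_target": "", "target": "Root\\PVConfiguration.xml"}}),
    _raw(uuid="6f00a100-43af-4787-a22e-567ca5c9845a", timestamp=1739363136939, username=ACTOR,
         userId=ACTOR, auditCode="PAM00295", action="Retrieve password", source="PVWA",
         accountId="15_3", target="127.0.0.1", message="(Action: Copy Password)access",
         safe="Integration safe", accountName=ACCOUNT, targetPlatform="UnixSSH",
         customData={"PAM": {"new_target": "", "target": "Root\\" + ACCOUNT}}),
]

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLES[2]), indent=2))
    print(password_retrievals(SAMPLES))
```

Running the script prints the normalized `Retrieve password` event and the list of credential retrievals. The timestamp is built from integer milliseconds rather than `fromtimestamp(ms / 1000)` so the `.151000Z` fraction matches the samples exactly, and the optional `cyberark.audit.*`, `file`, `destination` and `related` keys are only emitted when the raw record carries a value, which is what the samples above show. A `password_retrievals` style pass over a batch is a reasonable starting point for a periodic review of who pulled which credential from which safe.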

Further readings