CyberArk Identity Audit Logs
Overview
- Supported environment: SaaS
- Detection based on: Audit
- Supported application or feature:
    - Audit Events
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Configure
How to create credentials
- Log in to the CyberArk Administration Console
- On the left panel, click on the application switcher and click Audit
- On the left panel, click SIEM integrations
- Click Create SIEM integration
- Click on the first link to go to the CyberArk Identity Administration console
- On the left panel, go to Apps & Widgets > Web Apps
- Click Add Web Apps
- In the popup, click on the tab Custom
- Look for OAuth2 Server and click Add
- Click Yes in the new popup
- Type an Application ID, a Name, and a Category
- Go to the section Scope
- Click the Add button and type `isp.audit.events:read` in the new entry
- Go to the section Token
- Select `jwtRS256` as token type
- Check Client creds as authentication method and uncheck other options
- Go to the section Advanced
- Paste the following script:

      setClaim('tenant_id', TenantData.Get("CybrTenantID"));
      setClaim('aud', 'cyberark.isp.audit');

- Click Save
- On the left panel, go to Core Services > Users
- On the right panel, select CyberArk Cloud Directory Users then click Add User
- In the section Status, check Is service user and Is OAuth confidential client
- Type a login name, a display name, and a password
- Click Create User
- Click on the user and go to the section Application Settings
- Click Add
- Select the Web application previously created
- On the left panel, go to Apps & Widgets > Web Apps
- Click on the application previously created
- Go to the section Permissions
- Click Add
- Look for the user previously created
- Check it and click Add
- Check Grant, View, Manage, and Delete for the user
- Click Save
- On the Create SIEM Page, type the name and the description of the integration and click Apply
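A token issued by the OAuth2 Server application should carry the two claims set by the script and the `isp.audit.events:read` scope. The following check is an added example, not CyberArk or Sekoia code; it inspects a token's claims without verifying the signature. It assumes the `jwtRS256` token type yields `alg: RS256` and that scopes arrive space-separated in a `scope` claim; the tokens it runs on are constructed.

```python
import base64
import json

EXPECTED_AUD = "cyberark.isp.audit"       # value set by the Advanced script
REQUIRED_SCOPE = "isp.audit.events:read"  # scope added in the Scope section
EXPECTED_ALG = "RS256"                    # assumption: alg produced by the jwtRS256 token type


def _decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def check_audit_token(token):
    """Return a list of configuration problems; an empty list means the claims match.

    The signature is not verified here: this only inspects what the
    OAuth2 Server application was configured to emit.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:
        header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]

    problems = []
    if header.get("alg") != EXPECTED_ALG:
        problems.append(f"alg is {header.get('alg')!r}, expected {EXPECTED_ALG!r}")
    # RFC 7519 allows aud to be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if EXPECTED_AUD not in audiences:
        problems.append("aud claim missing or wrong (check the Advanced script)")
    if not claims.get("tenant_id"):
        problems.append("tenant_id claim missing (check the Advanced script)")
    scope = claims.get("scope")  # assumption: scopes arrive space-separated in "scope"
    if scope is not None and REQUIRED_SCOPE not in str(scope).split():
        problems.append(f"scope lacks {REQUIRED_SCOPE}")
    return problems


def make_constructed_token(header, claims):
    """Build an unsigned, constructed token for the demonstration below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.constructed-signature"


# Constructed token carrying everything the procedure configures.
GOOD = make_constructed_token(
    {"alg": "RS256", "typ": "JWT"},
    {"aud": "cyberark.isp.audit", "tenant_id": "constructed-tenant-id",
     "scope": "isp.audit.events:read"},
)
# Constructed token lacking the two claims the Advanced script sets.
NO_SCRIPT = make_constructed_token(
    {"alg": "RS256", "typ": "JWT"},
    {"aud": "constructed-default-audience", "scope": "isp.audit.events:read"},
)

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("NO_SCRIPT", NO_SCRIPT)):
        print(name, check_audit_token(tok) or "claims OK")
```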
Instruction on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the + New Intake button at the top right of the page.
- Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on Create.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"uuid": "5fe03d80-98b2-4857-8288-1a0a0ff03e47",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739269449904,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "IDP",
"auditCode": "IDP2001",
"auditType": "Info",
"action": "add-user",
"userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
"source": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
"actionType": "Create",
"component": "Identity",
"serviceName": "Identity",
"accessMethod": null,
"accountId": null,
"target": null,
"command": null,
"sessionId": null,
"message": "add-user",
"customData": {
"directory_service_id": "38ca614f-6315-4af6-a4ee-f4ea9d5a747c",
"user_id": "b94d0198-1e2d-4008-9fee-73ce2bd682aa",
"user_name": "example@cyberark.cloud.xxxxx"
},
"cloudProvider": "aws",
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": null,
"accountName": null,
"targetPlatform": null,
"targetAccount": null,
"identityType": "HUMAN"
}
{
"uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739156795332,
"username": "CYBERARKACCOUNTSINTEGRATION",
"applicationCode": "IDP",
"auditCode": "IDP2009",
"auditType": "Info",
"action": "cloud.core.oauthtoken.create",
"userId": "9a3416a8-3f8c-49ad-962e-663cc57fd224",
"source": "1.2.3.4",
"actionType": "Create",
"component": "Identity",
"serviceName": "Identity",
"accessMethod": null,
"accountId": null,
"target": null,
"command": null,
"sessionId": null,
"message": "cloud.core.oauthtoken.create",
"customData": {
"start_time": "2/10/2025 3:06:30 AM",
"is_internal_application": true,
"end_time": "2/10/2025 3:21:30 AM",
"client": "__idaptive_cybr_user_oidc",
"user_guid": "9a3416a8-3f8c-49ad-962e-663cc57fd224",
"scopes": "openid api profile",
"token_type": "Id",
"app_id": "__idaptive_cybr_user_oidc"
},
"cloudProvider": "aws",
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": null,
"accountName": null,
"targetPlatform": null,
"targetAccount": null,
"identityType": "HUMAN"
}
{
"uuid": "de0c99e4-d692-4b61-96c4-5c5e62639232",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739268304920,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "IDP",
"auditCode": "IDP6004",
"auditType": "Info",
"action": "cloud.saas.application.appmodify",
"userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
"source": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
"actionType": "Edit",
"component": "Identity",
"serviceName": "Identity",
"accessMethod": null,
"accountId": null,
"target": null,
"command": null,
"sessionId": null,
"message": "cloud.saas.application.appmodify",
"customData": {
"app_url": "",
"not_self_service": true,
"service_name": "MyAppId",
"geoip_latitude": 48.8717,
"description": "Integration to pull events from CyberArk",
"app_display_name": "MyApp",
"geoip_city_name": "Paris",
"type": "Web",
"web_app_type": "OAuth",
"web_app_type_display_name": "Other Type",
"app_type_display_name": "Web - Other Type",
"on_prem": false,
"auth_method": "OAuth2",
"request_browser_name": "Chrome",
"geoip_country_name": "France",
"request_device_os": "Linux",
"name": "Example",
"id": "5bdc0c20-b605-4972-be9a-6c93794ec987",
"category": "Other",
"geoip_longitude": 2.32075,
"geoip_country_code": "FR"
},
"cloudProvider": "aws",
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": null,
"accountName": null,
"targetPlatform": null,
"targetAccount": null,
"identityType": "HUMAN"
}
{
"uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739268337147,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "IDP",
"auditCode": "IDP6010",
"auditType": "Info",
"action": "cloud.saas.application.appdelete",
"userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
"source": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
"actionType": "Delete",
"component": "Identity",
"serviceName": "Identity",
"accessMethod": null,
"accountId": null,
"target": null,
"command": null,
"sessionId": null,
"message": "cloud.saas.application.appdelete",
"customData": {
"not_self_service": false,
"service_name": "",
"geoip_latitude": 48.8717,
"geoip_city_name": "Paris",
"type": "Web",
"web_app_type": "OAuth",
"on_prem": false,
"auth_method": "OAuth2",
"request_browser_name": "Chrome",
"geoip_country_name": "France",
"request_device_os": "Linux",
"name": "Example",
"id": "5bdc0c20-b605-4972-be9a-6c93794ec987",
"geoip_longitude": 2.32075,
"geoip_country_code": "FR"
},
"cloudProvider": "aws",
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": null,
"accountName": null,
"targetPlatform": null,
"targetAccount": null,
"identityType": "HUMAN"
}
{
"uuid": "f6397849-56d5-4bb3-b6ed-bdda7f15051f",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739363055593,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "PAM",
"auditCode": "PAM00032",
"auditType": "Info",
"action": "Add Owner",
"userId": "john.doe@cyberark.cloud.xxxxx",
"source": "PVWA",
"actionType": "Edit",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": "",
"target": "",
"command": null,
"sessionId": null,
"message": "",
"customData": {
"PAM": {
"new_target": "",
"target": "PVWAGWUser"
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "Integration safe",
"accountName": "",
"targetPlatform": "",
"targetAccount": "",
"identityType": null
}
{
"uuid": "fee8499d-faf4-41bf-bb30-45475d2d1056",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739147898151,
"username": "PVWAGWUser",
"applicationCode": "PAM",
"auditCode": "PAM00088",
"auditType": "Info",
"action": "Set Password",
"userId": "PVWAGWUser",
"source": "PVWAAPP",
"actionType": "Password",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": null,
"target": "",
"command": null,
"sessionId": null,
"message": "",
"customData": {
"PAM": {
"new_target": "",
"target": ""
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "",
"accountName": "",
"targetPlatform": "",
"targetAccount": "",
"identityType": null
}
{
"uuid": "fe2b3e00-d8f9-4942-aa63-5fcaebc489f2",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739266337571,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "PAM",
"auditCode": "PAM00099",
"auditType": "Info",
"action": "Open File",
"userId": "john.doe@cyberark.cloud.xxxxx",
"source": "PVWA",
"actionType": "Execute",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": null,
"target": "",
"command": null,
"sessionId": null,
"message": "",
"customData": {
"PAM": {
"new_target": "",
"target": "Root\\PVConfiguration.xml"
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "PVWAConfig",
"accountName": "",
"targetPlatform": "",
"targetAccount": "",
"identityType": null
}
{
"uuid": "b81f8a47-19db-4a7f-ad8b-3f855fcf868d",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739363115168,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "PAM",
"auditCode": "PAM00105",
"auditType": "Info",
"action": "Add File Category",
"userId": "john.doe@cyberark.cloud.xxxxx",
"source": "PVWA",
"actionType": "Create",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": "15_3",
"target": "127.0.0.1",
"command": null,
"sessionId": null,
"message": "Value=[PVWA]",
"customData": {
"PAM": {
"new_target": "CreationMethod",
"target": "Root\\Operating System-UnixSSH-127.0.0.1-integrationteam"
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "Integration safe",
"accountName": "Operating System-UnixSSH-127.0.0.1-integrationteam",
"targetPlatform": "UnixSSH",
"targetAccount": "integrationteam",
"identityType": null
}
{
"uuid": "fc32fb82-5321-46f8-811d-4de63e539e5a",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739363055534,
"username": "mjohn.doe@cyberark.cloud.xxxxx",
"applicationCode": "PAM",
"auditCode": "PAM00185",
"auditType": "Info",
"action": "Add Safe",
"userId": "john.doe@cyberark.cloud.xxxxx",
"source": "PVWA",
"actionType": "Execute",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": "",
"target": "",
"command": null,
"sessionId": null,
"message": "",
"customData": {
"PAM": {
"new_target": "",
"target": ""
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "Integration safe",
"accountName": "",
"targetPlatform": "",
"targetAccount": "",
"identityType": null
}
{
"uuid": "f0db2c85-adf5-402d-9adc-f8d35eb49154",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739363055693,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "PAM",
"auditCode": "PAM00273",
"auditType": "Info",
"action": "Remove Owner",
"userId": "john.doe@cyberark.cloud.xxxxx",
"source": "PVWA",
"actionType": "Edit",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": "",
"target": "",
"command": null,
"sessionId": null,
"message": "",
"customData": {
"PAM": {
"new_target": "",
"target": "PVWAGWUser"
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "Integration safe",
"accountName": "",
"targetPlatform": "",
"targetAccount": "",
"identityType": null
}
{
"uuid": "09ad5ce5-996b-406c-a6cc-4ef0f3869d4c",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739363114854,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "PAM",
"auditCode": "PAM00294",
"auditType": "Info",
"action": "Store password",
"userId": "john.doe@cyberark.cloud.xxxxx",
"source": "PVWA",
"actionType": "Password",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": "15_3",
"target": "",
"command": null,
"sessionId": null,
"message": "",
"customData": {
"PAM": {
"new_target": "",
"target": "Root\\Operating System-UnixSSH-127.0.0.1-integrationteam"
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "Integration safe",
"accountName": "Operating System-UnixSSH-127.0.0.1-integrationteam",
"targetPlatform": "",
"targetAccount": "",
"identityType": null
}
{
"uuid": "6f00a100-43af-4787-a22e-567ca5c9845a",
"tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca",
"timestamp": 1739363136939,
"username": "john.doe@cyberark.cloud.xxxxx",
"applicationCode": "PAM",
"auditCode": "PAM00295",
"auditType": "Info",
"action": "Retrieve password",
"userId": "john.doe@cyberark.cloud.xxxxx",
"source": "PVWA",
"actionType": "Password",
"component": "Vault",
"serviceName": "Privilege Cloud",
"accessMethod": null,
"accountId": "15_3",
"target": "127.0.0.1",
"command": null,
"sessionId": null,
"message": "(Action: Copy Password)access",
"customData": {
"PAM": {
"new_target": "",
"target": "Root\\Operating System-UnixSSH-127.0.0.1-integrationteam"
}
},
"cloudProvider": null,
"cloudWorkspacesAndRoles": [],
"cloudIdentities": null,
"cloudAssets": null,
"safe": "Integration safe",
"accountName": "Operating System-UnixSSH-127.0.0.1-integrationteam",
"targetPlatform": "UnixSSH",
"targetAccount": "integrationteam",
"identityType": null
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules were found. This message is automatically generated.
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Application logs | None |
Authentication logs | None |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | `authentication`, `configuration`, `iam` |
Type | `access`, `change`, `creation`, `deletion`, `info`, `start` |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
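Part of the field mapping visible in this section's samples can be reproduced locally, for instance to build test fixtures for custom rules. The following is an added example, not Sekoia's parser: it covers only the fields whose origin is evident from the samples (timestamp, `event.*`, `observer.*`, `source`, `destination`, `user`, `safe`), and the function name `to_ecs_subset` is hypothetical. The three inputs are trimmed copies of raw samples from this page.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def to_ecs_subset(raw):
    """Map a raw audit event to a subset of the ECS fields shown in the samples."""
    # "timestamp" is epoch milliseconds; integer arithmetic avoids float rounding.
    ts = EPOCH + timedelta(milliseconds=raw["timestamp"])
    doc = {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "event": {
            "action": raw["action"],
            "code": raw["auditCode"],
            "dataset": raw["applicationCode"],
            "provider": raw["component"],
        },
        "observer": {"vendor": "CyberArk", "product": raw["serviceName"]},
        "organization": {"id": raw["tenantId"]},
        "user": {"id": raw["userId"]},
        "cyberark": {"audit": {"uuid": raw["uuid"]}},
    }
    if raw.get("message"):  # PAM events often carry an empty message
        doc["event"]["reason"] = raw["message"]

    # "source" is a client IP for Identity events and a component name
    # (PVWA, PVWAAPP) for Privilege Cloud events.
    src = raw.get("source")
    if _is_ip(src):
        doc["source"] = {"address": src, "ip": src}
    elif src:
        doc["observer"]["name"] = src

    target = raw.get("target")
    if _is_ip(target):
        doc["destination"] = {"address": target, "ip": target}

    # Usernames with "@" land in user.email, bare account names in user.name.
    username = raw.get("username") or ""
    if "@" in username:
        doc["user"]["email"] = username
    elif username:
        doc["user"]["name"] = username

    if raw.get("safe"):
        doc["cyberark"]["audit"]["safe"] = raw["safe"]
    return doc


# Trimmed copies of three raw samples from this page.
TENANT = "43de6333-65f1-4626-aeec-2cff238e61ca"
IDP_ADD_USER = {
    "uuid": "5fe03d80-98b2-4857-8288-1a0a0ff03e47", "tenantId": TENANT,
    "timestamp": 1739269449904, "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "IDP", "auditCode": "IDP2001", "action": "add-user",
    "userId": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
    "source": "2a01:e34:ec57:b230:f188:56c5:7089:d987", "component": "Identity",
    "serviceName": "Identity", "target": None, "message": "add-user", "safe": None,
}
PAM_SET_PASSWORD = {
    "uuid": "fee8499d-faf4-41bf-bb30-45475d2d1056", "tenantId": TENANT,
    "timestamp": 1739147898151, "username": "PVWAGWUser",
    "applicationCode": "PAM", "auditCode": "PAM00088", "action": "Set Password",
    "userId": "PVWAGWUser", "source": "PVWAAPP", "component": "Vault",
    "serviceName": "Privilege Cloud", "target": "", "message": "", "safe": "",
}
PAM_ADD_FILE_CATEGORY = {
    "uuid": "b81f8a47-19db-4a7f-ad8b-3f855fcf868d", "tenantId": TENANT,
    "timestamp": 1739363115168, "username": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM", "auditCode": "PAM00105", "action": "Add File Category",
    "userId": "john.doe@cyberark.cloud.xxxxx", "source": "PVWA", "component": "Vault",
    "serviceName": "Privilege Cloud", "target": "127.0.0.1",
    "message": "Value=[PVWA]", "safe": "Integration safe",
}

if __name__ == "__main__":
    import json
    for event in (IDP_ADD_USER, PAM_SET_PASSWORD, PAM_ADD_FILE_CATEGORY):
        print(json.dumps(to_ecs_subset(event), indent=2))
```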
{
"message": "{\"uuid\": \"5fe03d80-98b2-4857-8288-1a0a0ff03e47\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739269449904, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP2001\", \"auditType\": \"Info\", \"action\": \"add-user\", \"userId\": \"7f93b762-618e-4e6e-b6dd-36ab6fc13e69\", \"source\": \"2a01:e34:ec57:b230:f188:56c5:7089:d987\", \"actionType\": \"Create\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"add-user\", \"customData\": {\"directory_service_id\": \"38ca614f-6315-4af6-a4ee-f4ea9d5a747c\", \"user_id\": \"b94d0198-1e2d-4008-9fee-73ce2bd682aa\", \"user_name\": \"example@cyberark.cloud.xxxxx\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
"event": {
"action": "add-user",
"category": [
"configuration"
],
"code": "IDP2001",
"dataset": "IDP",
"provider": "Identity",
"reason": "add-user",
"type": [
"creation"
]
},
"@timestamp": "2025-02-11T10:24:09.904000Z",
"cloud": {
"provider": "aws"
},
"cyberark": {
"audit": {
"directory_service_id": "38ca614f-6315-4af6-a4ee-f4ea9d5a747c",
"uuid": "5fe03d80-98b2-4857-8288-1a0a0ff03e47"
}
},
"observer": {
"product": "Identity",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"ip": [
"2a01:e34:ec57:b230:f188:56c5:7089:d987"
]
},
"source": {
"address": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
"ip": "2a01:e34:ec57:b230:f188:56c5:7089:d987"
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69",
"target": {
"email": "example@cyberark.cloud.xxxxx",
"id": "b94d0198-1e2d-4008-9fee-73ce2bd682aa"
}
}
}
{
"message": "{\"uuid\": \"66f9ee7e-8d2d-4a32-9997-4f5beaeffa98\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739156795332, \"username\": \"CYBERARKACCOUNTSINTEGRATION\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP2009\", \"auditType\": \"Info\", \"action\": \"cloud.core.oauthtoken.create\", \"userId\": \"9a3416a8-3f8c-49ad-962e-663cc57fd224\", \"source\": \"1.2.3.4\", \"actionType\": \"Create\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"cloud.core.oauthtoken.create\", \"customData\": {\"start_time\": \"2/10/2025 3:06:30 AM\", \"is_internal_application\": true, \"end_time\": \"2/10/2025 3:21:30 AM\", \"client\": \"__idaptive_cybr_user_oidc\", \"user_guid\": \"9a3416a8-3f8c-49ad-962e-663cc57fd224\", \"scopes\": \"openid api profile\", \"token_type\": \"Id\", \"app_id\": \"__idaptive_cybr_user_oidc\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
"event": {
"action": "cloud.core.oauthtoken.create",
"category": [
"authentication"
],
"code": "IDP2009",
"dataset": "IDP",
"provider": "Identity",
"reason": "cloud.core.oauthtoken.create",
"type": [
"start"
]
},
"@timestamp": "2025-02-10T03:06:35.332000Z",
"cloud": {
"provider": "aws"
},
"cyberark": {
"audit": {
"uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98"
}
},
"observer": {
"product": "Identity",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"CYBERARKACCOUNTSINTEGRATION"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"id": "9a3416a8-3f8c-49ad-962e-663cc57fd224",
"name": "CYBERARKACCOUNTSINTEGRATION"
}
}
{
"message": "{\"uuid\": \"de0c99e4-d692-4b61-96c4-5c5e62639232\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739268304920, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP6004\", \"auditType\": \"Info\", \"action\": \"cloud.saas.application.appmodify\", \"userId\": \"7f93b762-618e-4e6e-b6dd-36ab6fc13e69\", \"source\": \"2a01:e34:ec57:b230:f188:56c5:7089:d987\", \"actionType\": \"Edit\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"cloud.saas.application.appmodify\", \"customData\": {\"app_url\": \"\", \"not_self_service\": true, \"service_name\": \"MyAppId\", \"geoip_latitude\": 48.8717, \"description\": \"Integration to pull events from CyberArk\", \"app_display_name\": \"MyApp\", \"geoip_city_name\": \"Paris\", \"type\": \"Web\", \"web_app_type\": \"OAuth\", \"web_app_type_display_name\": \"Other Type\", \"app_type_display_name\": \"Web - Other Type\", \"on_prem\": false, \"auth_method\": \"OAuth2\", \"request_browser_name\": \"Chrome\", \"geoip_country_name\": \"France\", \"request_device_os\": \"Linux\", \"name\": \"Example\", \"id\": \"5bdc0c20-b605-4972-be9a-6c93794ec987\", \"category\": \"Other\", \"geoip_longitude\": 2.32075, \"geoip_country_code\": \"FR\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
"event": {
"action": "cloud.saas.application.appmodify",
"category": [
"configuration"
],
"code": "IDP6004",
"dataset": "IDP",
"provider": "Identity",
"reason": "cloud.saas.application.appmodify",
"type": [
"change"
]
},
"@timestamp": "2025-02-11T10:05:04.920000Z",
"cloud": {
"provider": "aws"
},
"cyberark": {
"audit": {
"application": {
"description": "Integration to pull events from CyberArk",
"display_name": "MyApp",
"id": "5bdc0c20-b605-4972-be9a-6c93794ec987",
"service_name": "MyAppId"
},
"uuid": "de0c99e4-d692-4b61-96c4-5c5e62639232"
}
},
"host": {
"os": {
"platform": "Linux"
}
},
"observer": {
"product": "Identity",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"ip": [
"2a01:e34:ec57:b230:f188:56c5:7089:d987"
]
},
"source": {
"address": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
"geo": {
"city_name": "Paris",
"country_iso_code": "FR",
"country_name": "France"
},
"ip": "2a01:e34:ec57:b230:f188:56c5:7089:d987"
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69"
},
"user_agent": {
"name": "Chrome"
}
}
{
"message": "{\"uuid\": \"66f9ee7e-8d2d-4a32-9997-4f5beaeffa98\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739268337147, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"IDP\", \"auditCode\": \"IDP6010\", \"auditType\": \"Info\", \"action\": \"cloud.saas.application.appdelete\", \"userId\": \"7f93b762-618e-4e6e-b6dd-36ab6fc13e69\", \"source\": \"2a01:e34:ec57:b230:f188:56c5:7089:d987\", \"actionType\": \"Delete\", \"component\": \"Identity\", \"serviceName\": \"Identity\", \"accessMethod\": null, \"accountId\": null, \"target\": null, \"command\": null, \"sessionId\": null, \"message\": \"cloud.saas.application.appdelete\", \"customData\": {\"not_self_service\": false, \"service_name\": \"\", \"geoip_latitude\": 48.8717, \"geoip_city_name\": \"Paris\", \"type\": \"Web\", \"web_app_type\": \"OAuth\", \"on_prem\": false, \"auth_method\": \"OAuth2\", \"request_browser_name\": \"Chrome\", \"geoip_country_name\": \"France\", \"request_device_os\": \"Linux\", \"name\": \"Example\", \"id\": \"5bdc0c20-b605-4972-be9a-6c93794ec987\", \"geoip_longitude\": 2.32075, \"geoip_country_code\": \"FR\"}, \"cloudProvider\": \"aws\", \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": null, \"accountName\": null, \"targetPlatform\": null, \"targetAccount\": null, \"identityType\": \"HUMAN\"}",
"event": {
"action": "cloud.saas.application.appdelete",
"category": [
"configuration"
],
"code": "IDP6010",
"dataset": "IDP",
"provider": "Identity",
"reason": "cloud.saas.application.appdelete",
"type": [
"deletion"
]
},
"@timestamp": "2025-02-11T10:05:37.147000Z",
"cloud": {
"provider": "aws"
},
"cyberark": {
"audit": {
"uuid": "66f9ee7e-8d2d-4a32-9997-4f5beaeffa98"
}
},
"host": {
"os": {
"platform": "Linux"
}
},
"observer": {
"product": "Identity",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"ip": [
"2a01:e34:ec57:b230:f188:56c5:7089:d987"
]
},
"source": {
"address": "2a01:e34:ec57:b230:f188:56c5:7089:d987",
"geo": {
"city_name": "Paris",
"country_iso_code": "FR",
"country_name": "France"
},
"ip": "2a01:e34:ec57:b230:f188:56c5:7089:d987"
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "7f93b762-618e-4e6e-b6dd-36ab6fc13e69"
},
"user_agent": {
"name": "Chrome"
}
}
{
"message": "{\"uuid\": \"f6397849-56d5-4bb3-b6ed-bdda7f15051f\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363055593, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00032\", \"auditType\": \"Info\", \"action\": \"Add Owner\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Edit\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"PVWAGWUser\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
"event": {
"action": "Add Owner",
"category": [
"configuration"
],
"code": "PAM00032",
"dataset": "PAM",
"provider": "Vault",
"type": [
"creation"
]
},
"@timestamp": "2025-02-12T12:24:15.593000Z",
"cyberark": {
"audit": {
"safe": "Integration safe",
"uuid": "f6397849-56d5-4bb3-b6ed-bdda7f15051f"
}
},
"observer": {
"name": "PVWA",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "john.doe@cyberark.cloud.xxxxx"
}
}
{
"message": "{\"uuid\": \"fee8499d-faf4-41bf-bb30-45475d2d1056\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739147898151, \"username\": \"PVWAGWUser\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00088\", \"auditType\": \"Info\", \"action\": \"Set Password\", \"userId\": \"PVWAGWUser\", \"source\": \"PVWAAPP\", \"actionType\": \"Password\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": null, \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
"event": {
"action": "Set Password",
"category": [
"configuration"
],
"code": "PAM00088",
"dataset": "PAM",
"provider": "Vault",
"type": [
"change"
]
},
"@timestamp": "2025-02-10T00:38:18.151000Z",
"cyberark": {
"audit": {
"uuid": "fee8499d-faf4-41bf-bb30-45475d2d1056"
}
},
"observer": {
"name": "PVWAAPP",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"user": [
"PVWAGWUser"
]
},
"user": {
"id": "PVWAGWUser",
"name": "PVWAGWUser"
}
}
{
"message": "{\"uuid\": \"fe2b3e00-d8f9-4942-aa63-5fcaebc489f2\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739266337571, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00099\", \"auditType\": \"Info\", \"action\": \"Open File\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Execute\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": null, \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"Root\\\\PVConfiguration.xml\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"PVWAConfig\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
"event": {
"action": "Open File",
"category": [
"configuration"
],
"code": "PAM00099",
"dataset": "PAM",
"provider": "Vault",
"type": [
"access"
]
},
"@timestamp": "2025-02-11T09:32:17.571000Z",
"cyberark": {
"audit": {
"safe": "PVWAConfig",
"uuid": "fe2b3e00-d8f9-4942-aa63-5fcaebc489f2"
}
},
"file": {
"name": "PVConfiguration.xml",
"path": "Root\\PVConfiguration.xml"
},
"observer": {
"name": "PVWA",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "john.doe@cyberark.cloud.xxxxx"
}
}
{
"message": "{\"uuid\": \"b81f8a47-19db-4a7f-ad8b-3f855fcf868d\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363115168, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00105\", \"auditType\": \"Info\", \"action\": \"Add File Category\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Create\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"15_3\", \"target\": \"127.0.0.1\", \"command\": null, \"sessionId\": null, \"message\": \"Value=[PVWA]\", \"customData\": {\"PAM\": {\"new_target\": \"CreationMethod\", \"target\": \"Root\\\\Operating System-UnixSSH-127.0.0.1-integrationteam\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"Operating System-UnixSSH-127.0.0.1-integrationteam\", \"targetPlatform\": \"UnixSSH\", \"targetAccount\": \"integrationteam\", \"identityType\": null}",
"event": {
"action": "Add File Category",
"category": [
"configuration"
],
"code": "PAM00105",
"dataset": "PAM",
"provider": "Vault",
"reason": "Value=[PVWA]",
"type": [
"creation"
]
},
"@timestamp": "2025-02-12T12:25:15.168000Z",
"cyberark": {
"audit": {
"account_id": "15_3",
"account_name": "Operating System-UnixSSH-127.0.0.1-integrationteam",
"new_target": "CreationMethod",
"safe": "Integration safe",
"target_platform": "UnixSSH",
"uuid": "b81f8a47-19db-4a7f-ad8b-3f855fcf868d"
}
},
"destination": {
"address": "127.0.0.1",
"ip": "127.0.0.1"
},
"observer": {
"name": "PVWA",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"ip": [
"127.0.0.1"
],
"user": [
"Operating System-UnixSSH-127.0.0.1-integrationteam"
]
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "john.doe@cyberark.cloud.xxxxx",
"target": {
"domain": "Root",
"name": "Operating System-UnixSSH-127.0.0.1-integrationteam"
}
}
}
{
"message": "{\"uuid\": \"fc32fb82-5321-46f8-811d-4de63e539e5a\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363055534, \"username\": \"mjohn.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00185\", \"auditType\": \"Info\", \"action\": \"Add Safe\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Execute\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
"event": {
"action": "Add Safe",
"category": [
"configuration"
],
"code": "PAM00185",
"dataset": "PAM",
"provider": "Vault",
"type": [
"creation"
]
},
"@timestamp": "2025-02-12T12:24:15.534000Z",
"cyberark": {
"audit": {
"safe": "Integration safe",
"uuid": "fc32fb82-5321-46f8-811d-4de63e539e5a"
}
},
"observer": {
"name": "PVWA",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"user": {
"email": "mjohn.doe@cyberark.cloud.xxxxx",
"id": "john.doe@cyberark.cloud.xxxxx"
}
}
{
"message": "{\"uuid\": \"f0db2c85-adf5-402d-9adc-f8d35eb49154\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363055693, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00273\", \"auditType\": \"Info\", \"action\": \"Remove Owner\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Edit\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"PVWAGWUser\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
"event": {
"action": "Remove Owner",
"category": [
"configuration"
],
"code": "PAM00273",
"dataset": "PAM",
"provider": "Vault",
"type": [
"deletion"
]
},
"@timestamp": "2025-02-12T12:24:15.693000Z",
"cyberark": {
"audit": {
"safe": "Integration safe",
"uuid": "f0db2c85-adf5-402d-9adc-f8d35eb49154"
}
},
"observer": {
"name": "PVWA",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "john.doe@cyberark.cloud.xxxxx"
}
}
{
"message": "{\"uuid\": \"09ad5ce5-996b-406c-a6cc-4ef0f3869d4c\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363114854, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00294\", \"auditType\": \"Info\", \"action\": \"Store password\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Password\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"15_3\", \"target\": \"\", \"command\": null, \"sessionId\": null, \"message\": \"\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"Root\\\\Operating System-UnixSSH-127.0.0.1-integrationteam\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"Operating System-UnixSSH-127.0.0.1-integrationteam\", \"targetPlatform\": \"\", \"targetAccount\": \"\", \"identityType\": null}",
"event": {
"action": "Store password",
"category": [
"configuration"
],
"code": "PAM00294",
"dataset": "PAM",
"provider": "Vault",
"type": [
"change"
]
},
"@timestamp": "2025-02-12T12:25:14.854000Z",
"cyberark": {
"audit": {
"account_id": "15_3",
"account_name": "Operating System-UnixSSH-127.0.0.1-integrationteam",
"safe": "Integration safe",
"uuid": "09ad5ce5-996b-406c-a6cc-4ef0f3869d4c"
}
},
"observer": {
"name": "PVWA",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"user": [
"Operating System-UnixSSH-127.0.0.1-integrationteam"
]
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "john.doe@cyberark.cloud.xxxxx",
"target": {
"domain": "Root",
"name": "Operating System-UnixSSH-127.0.0.1-integrationteam"
}
}
}
{
"message": "{\"uuid\": \"6f00a100-43af-4787-a22e-567ca5c9845a\", \"tenantId\": \"43de6333-65f1-4626-aeec-2cff238e61ca\", \"timestamp\": 1739363136939, \"username\": \"john.doe@cyberark.cloud.xxxxx\", \"applicationCode\": \"PAM\", \"auditCode\": \"PAM00295\", \"auditType\": \"Info\", \"action\": \"Retrieve password\", \"userId\": \"john.doe@cyberark.cloud.xxxxx\", \"source\": \"PVWA\", \"actionType\": \"Password\", \"component\": \"Vault\", \"serviceName\": \"Privilege Cloud\", \"accessMethod\": null, \"accountId\": \"15_3\", \"target\": \"127.0.0.1\", \"command\": null, \"sessionId\": null, \"message\": \"(Action: Copy Password)access\", \"customData\": {\"PAM\": {\"new_target\": \"\", \"target\": \"Root\\\\Operating System-UnixSSH-127.0.0.1-integrationteam\"}}, \"cloudProvider\": null, \"cloudWorkspacesAndRoles\": [], \"cloudIdentities\": null, \"cloudAssets\": null, \"safe\": \"Integration safe\", \"accountName\": \"Operating System-UnixSSH-127.0.0.1-integrationteam\", \"targetPlatform\": \"UnixSSH\", \"targetAccount\": \"integrationteam\", \"identityType\": null}",
"event": {
"action": "Retrieve password",
"category": [
"configuration"
],
"code": "PAM00295",
"dataset": "PAM",
"provider": "Vault",
"reason": "(Action: Copy Password)access",
"type": [
"access"
]
},
"@timestamp": "2025-02-12T12:25:36.939000Z",
"cyberark": {
"audit": {
"account_id": "15_3",
"account_name": "Operating System-UnixSSH-127.0.0.1-integrationteam",
"safe": "Integration safe",
"target_platform": "UnixSSH",
"uuid": "6f00a100-43af-4787-a22e-567ca5c9845a"
}
},
"destination": {
"address": "127.0.0.1",
"ip": "127.0.0.1"
},
"observer": {
"name": "PVWA",
"product": "Privilege Cloud",
"vendor": "CyberArk"
},
"organization": {
"id": "43de6333-65f1-4626-aeec-2cff238e61ca"
},
"related": {
"ip": [
"127.0.0.1"
],
"user": [
"Operating System-UnixSSH-127.0.0.1-integrationteam"
]
},
"user": {
"email": "john.doe@cyberark.cloud.xxxxx",
"id": "john.doe@cyberark.cloud.xxxxx",
"target": {
"domain": "Root",
"name": "Operating System-UnixSSH-127.0.0.1-integrationteam"
}
}
}
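The raw-to-normalized mapping visible in the samples above, reproduced as an added Python sketch (this is not Sekoia's parser code). The function names and the flattened dotted-key output are assumptions made for illustration; the field names, the audit code and the sample values are taken from the "Retrieve password" event above.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed input: a trimmed copy of the raw "Retrieve password" event above.
RAW = json.dumps({
    "tenantId": "43de6333-65f1-4626-aeec-2cff238e61ca", "timestamp": 1739363136939,
    "username": "john.doe@cyberark.cloud.xxxxx", "userId": "john.doe@cyberark.cloud.xxxxx",
    "applicationCode": "PAM", "auditCode": "PAM00295", "action": "Retrieve password",
    "component": "Vault", "accountId": "15_3", "target": "127.0.0.1",
    "message": "(Action: Copy Password)access", "safe": "Integration safe",
    "customData": {"PAM": {"new_target": "", "target":
        "Root\\Operating System-UnixSSH-127.0.0.1-integrationteam"}},
})

def normalize(raw: str) -> dict:
    """Map one raw audit event to flattened ECS keys, following the samples."""
    ev = json.loads(raw)
    ms = ev["timestamp"]  # epoch milliseconds; integer math avoids float rounding
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    ts = ts.replace(microsecond=(ms % 1000) * 1000)
    pam = (ev.get("customData") or {}).get("PAM") or {}
    doc = {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "event.action": ev.get("action"), "event.code": ev.get("auditCode"),
        "event.dataset": ev.get("applicationCode"), "event.provider": ev.get("component"),
        "event.reason": ev.get("message"), "organization.id": ev.get("tenantId"),
        "user.email": ev.get("username"), "user.id": ev.get("userId"),
        "cyberark.audit.safe": ev.get("safe"),
        "cyberark.audit.account_id": ev.get("accountId"),
        "cyberark.audit.new_target": pam.get("new_target"),
    }
    domain, sep, name = (pam.get("target") or "").partition("\\")
    if sep:  # only "Domain\Name" targets appear as user.target.* in the samples
        doc["user.target.domain"], doc["user.target.name"] = domain, name
    try:  # "target" becomes destination.ip only when it parses as an IP address
        doc["destination.ip"] = str(ipaddress.ip_address(ev.get("target") or ""))
    except ValueError:
        pass
    # Empty strings and nulls are absent from the parsed samples, so drop them.
    return {k: v for k, v in doc.items() if v not in (None, "")}

def password_retrievals(docs):
    """Return (user, safe, account) for every PAM00295 "Retrieve password" event."""
    return [(d.get("user.id"), d.get("cyberark.audit.safe"), d.get("user.target.name"))
            for d in docs if d.get("event.code") == "PAM00295"]

if __name__ == "__main__":
    print(json.dumps(normalize(RAW), indent=2))
```

Comparing the output of `normalize` with the parsed sample is a quick way to confirm which raw fields a detection rule can rely on after ingestion.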
Extracted Fields
The following table lists the fields that the parser extracts, normalizes to the ECS format, analyzes and indexes. Inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
cloud.provider | keyword | Name of the cloud provider. |
cyberark.audit.account_id | keyword | |
cyberark.audit.account_name | keyword | |
cyberark.audit.application.description | keyword | |
cyberark.audit.application.display_name | keyword | |
cyberark.audit.application.id | keyword | |
cyberark.audit.application.service_name | keyword | |
cyberark.audit.directory_service_id | keyword | |
cyberark.audit.new_target | keyword | |
cyberark.audit.safe | keyword | |
cyberark.audit.session_id | keyword | |
cyberark.audit.target_platform | keyword | |
cyberark.audit.uuid | keyword | |
destination.ip | ip | IP address of the destination. |
event.action | keyword | The action captured by the event. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.code | keyword | Identification code for this event. |
event.dataset | keyword | Name of the dataset. |
event.provider | keyword | Source of the event. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
file.name | keyword | Name of the file including the extension, without the directory. |
file.path | keyword | Full path to the file, including the file name. |
host.os.platform | keyword | Operating system platform (such as centos, ubuntu, windows). |
observer.name | keyword | Custom name of the observer. |
observer.product | keyword | The product name of the observer. |
observer.vendor | keyword | Vendor name of the observer. |
organization.id | keyword | Unique identifier for the organization. |
source.geo.city_name | keyword | City name. |
source.geo.country_iso_code | keyword | Country ISO code. |
source.geo.country_name | keyword | Country name. |
source.ip | ip | IP address of the source. |
user.email | keyword | User email address. |
user.id | keyword | Unique identifier of the user. |
user.name | keyword | Short name or login of the user. |
user.target.domain | keyword | Name of the directory the user is a member of. |
user.target.email | keyword | User email address. |
user.target.id | keyword | Unique identifier of the user. |
user.target.name | keyword | Short name or login of the user. |
user_agent.name | keyword | Name of the user agent. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.