iam.cyberark

Introduction

Tags beginning with iam.cyberark identify events generated by CyberArk.

Valid tags and data tables 

The full tag must have at least three levels. The first two are fixed as iam.cyberark. The third level identifies the type of events sent. The fourth indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| CyberArk | iam.cyberark.audit | iam.cyberark.audit |
| | iam.cyberark.identity.event | iam.cyberark.identity.event |
| | iam.cyberark.vault.cef | iam.cyberark.vault |
| | iam.cyberark.vault_leef | iam.cyberark.vault_leef |

For more information, read about Devo tags.

Table structure

These are the fields displayed in these tables:

iam.cyberark.audit

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| Hostname | str | |
| EventReceivedTime | str | |
| SourceModuleName | str | |
| SourceModuleType | str | |
| SourceName | str | |
| Message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

iam.cyberark.identity.event

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| old_entity | str | |
| entity_name | str | |
| entity_uuid | str | |
| normalized_user | str | |
| internal_session_id | str | |
| impersonator_uuid | str | |
| template_name | str | |
| az_deployment_id | str | |
| event_type | str | |
| application_name | str | |
| directory_service_uuid | str | |
| internal_tracking_id | str | |
| auth_method | str | |
| entity_type | str | |
| when_occurred | str | |
| az_role_id | str | |
| when_logged | str | |
| table_name | str | |
| new_entity | str | |
| tenant | str | |
| application_id | str | |
| thread_type | str | |
| from_ip_address | str | |
| from_ip_addressv4 | ip4 | |
| from_ip_addressv6 | ip6 | |
| request_device_os | str | |
| request_is_mobile_device | bool | |
| level2 | str | |
| directory_service_partner_name | str | |
| application_type | str | |
| user_guid | str | |
| id | str | |
| az_role_name | str | |
| request_host_name | str | |
| request_host_namev4 | ip4 | |
| request_host_namev6 | ip6 | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

iam.cyberark.vault

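| Field | Type | Extra field | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | | vhost |
| act | str | | |
| rt | str | | |
| suser | str | | |
| fname | str | | |
| dvc | ip4 | | |
| shost | ip4 | | |
| dhost | str | | |
| duser | str | | |
| externalId | str | | |
| app | str | | |
| reason | str | | |
| cs1Label | str | | |
| cs1 | str | | |
| cs2Label | str | | |
| cs2 | str | | |
| cs3Label | str | | |
| cs3 | str | | |
| cs4Label | str | | |
| cs4 | str | | |
| cs5Label | str | | |
| cs5 | str | | |
| cn1Label | str | | |
| cn1 | str | | |
| cn2Label | str | | |
| cn2 | str | | |
| msg | str | | |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | | rawSource |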

iam.cyberark.vault_leef

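| Field | Type | Extra Label | Source field name |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | | vhost |
| leefVer | str | | |
| vendor | str | | |
| product | str | | |
| version | str | | |
| eventID | str | | |
| sev | int4 | | |
| Action | str | | |
| EventMessage | str | | |
| OSUser | str | | |
| usrName | str | | |
| src | ip4 | | |
| SourceUser | str | | |
| TargetUser | str | | |
| File | str | | |
| Safe | str | | |
| Location | str | | |
| Category | str | | |
| RequestId | str | | |
| Reason | str | | |
| ExtraDetails | str | | |
| GatewayStation | str | | |
| CAPolicy | str | | |
| hostchain | str | ✓ | |
| tag | str | ✓ | |
| rawMessage | str | | |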
