Skip to main content

CyberArk Identity Event Collector

This Integration is part of the CyberArk Identity Events Collector Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

CyberArk Identity log event collector integration for Cortex XSIAM. This integration was integrated and tested with version 22.4 of CyberArk Identity Event Collector.

Configure CyberArk Identity Event Collector on Cortex XSIAM#

  1. Navigate to Settings > Configurations > Data Collection > Automation & Feed Integrations.

  2. Search for CyberArk Identity Event Collector.

  3. Click Add instance to create and configure a new integration instance.

    Server URLThe CyberArk Identity URL (https://{{tenant}}
    App IDThe application ID to fetch the logs from.True
    User nameThe SIEM user name (for example
    PasswordThe SIEM password.True
    Product nameThe name of the product to name the dataset after.False
    Vendor nameThe name of the vendor to name the dataset after.False
    First fetch timeThe period to retrieve events for.
    format: <number> <time unit>, for example 12 hours, 1 day, 3 months.
    Default is 3 days.
    Maximum number of events per fetchThe number of items to retrieve per request from CyberArk's API.True
    Trust any certificate (not secure)When selected, certificates are not checked.False
    proxyUse system proxy settings.False
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSIAM Alerts War Room as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Returns a list of events

Base Command#



Argument NameDescriptionRequired
should_push_eventsSet this argument to True to create events, otherwise events will only be displayed. Default is False.Required
limitThe maximum number of events per fetch. Default is 1000.Optional
fromThe first fetch time (<number> <time unit>, for example 12 hours, 1 day, 3 months). Default is 3 days.Optional

Context Output#

There is no context output for this command.

Command example#

!cyberarkidentity-get-events should_push_events=false limit=10 from="3 days"

Human Readable Output#

CyberArkIdentity RedRock records#

Auth MethodDirectory Service UuidFrom IP AddressIDLevelNormalized UserRequest Device OSRequest Host NameRequest Is Mobile DeviceTenantUser GuidWhen LoggedWhen Occurred_ Table Name