Skip to main content

CyberArk Identity Event Collector

This Integration is part of the CyberArk Identity Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

CyberArk Identity log event collector integration for Cortex XSIAM. This integration was integrated and tested with version 22.4 of CyberArk Identity Event Collector.

Configure CyberArk Identity Event Collector on Cortex XSIAM#

  1. Navigate to Settings > Configurations > Data Collection > Automation & Feed Integrations.

  2. Search for CyberArk Identity Event Collector.

  3. Click Add instance to create and configure a new integration instance.

    Server URLThe CyberArk Identity URL to get the logs from. For example, https://{{tenant}}
    App IDThe application ID to fetch the logs from.True
    User nameThe user that was created in CyberArk for the XSIAM integration. For example,
    PasswordThe password for the user that was created in CyberArk for the XSIAM integration.True
    First fetch timeThe period to retrieve events for.
    Format: <number> <time unit>, for example 12 hours, 1 day, 3 months.
    Default is 3 days.
    Maximum number of events per fetchThe maximum number of items to retrieve per request from CyberArk's API.True
    Trust any certificate (not secure)When selected, certificates are not checked.False
    Use system proxy settingsRuns the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration.False
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSIAM Alerts War Room as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Returns a list of events

Base Command#



Argument NameDescriptionRequired
should_push_eventsSet this argument to True to create events, otherwise events will only be displayed. Default is False.Required
limitThe maximum number of events per fetch. Default is 1000.Optional
fromThe first fetch time (<number> <time unit>, for example 12 hours, 1 day, 3 months). Default is 3 days.Optional

Context Output#

There is no context output for this command.

Command example#

!cyberarkidentity-get-events should_push_events=false limit=10 from="3 days"

Human Readable Output#

CyberArkIdentity RedRock records#

Auth MethodDirectory Service UuidFrom IP AddressIDLevelNormalized UserRequest Device OSRequest Host NameRequest Is Mobile DeviceTenantUser GuidWhen LoggedWhen Occurred_ Table Name