Skip to main content

CyberArk Identity

This integration collects events from the Idaptive Next-Gen Access (INGA) using REST APIs.

CyberArk Identity log event collector integration for Cortex XSIAM.
This integration was integrated and tested with version 22.4 of CyberArk Identity Event Collector.

Configure CyberArk Identity Event Collector on Cortex XSIAM

  1. Navigate to Settings > Configurations > Data Collection > Automation & Feed Integrations.
  2. Search for CyberArk Identity Event Collector.
  3. Click Add instance to create and configure a new integration instance.
Parameter Description Required
Server URL The CyberArk Identity URL to get the logs from. For example, https://{{tenant}} True
App ID The application ID to fetch the logs from. True
User name The user that was created in CyberArk for the XSIAM integration. For example, True
Password The password for the user that was created in CyberArk for the XSIAM integration. True
First fetch time The period to retrieve events for.
Format: <number> <time unit>, for example 12 hours, 1 day, 3 months.
Default is 3 days.
Maximum number of events per fetch The maximum number of items to retrieve per request from CyberArk's API. True
Trust any certificate (not secure) When selected, certificates are not checked. False
Use system proxy settings Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. False
  1. Click Test to validate the URLs, token, and connection.
  • Pay attention: Timestamp parsing is currently supported for the WhenOccurred field with Epoch string in it.


You can execute these commands from the Cortex XSIAM Alerts War Room as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.


Returns a list of events

Base Command



Argument Name Description Required
should_push_events Set this argument to True to create events, otherwise events will only be displayed. Default is False. Required
limit The maximum number of events per fetch. Default is 1000. Optional
from The first fetch time (<number> <time unit>, for example 12 hours, 1 day, 3 months). Default is 3 days. Optional

Context Output

There is no context output for this command.

Command example

!cyberarkidentity-get-events should_push_events=false limit=10 from="3 days"

Human Readable Output

CyberArkIdentity RedRock records

Auth Method Directory Service Uuid From IP Address ID Level Normalized User Request Device OS Request Host Name Request Is Mobile Device Tenant User Guid When Logged When Occurred _ Table Name
None 123456abcdef.123456.abcdef 123456abcdef.123456.abcdef Info Unknown false AAM4730 123456abcdef.123456.abcdef /Date(1652376432605)/ /Date(1652376432605)/ events
None 123456abcdef.123456.abcdef 123456abcdef.123456.abcdeg Info Unknown false AAM4730 123456abcdef.123456.abcdef /Date(1652376492682)/ /Date(1652376492682)/ events
None 123456abcdef.123456.abcdef 123456abcdef.123456.abcdeh Info Unknown false AAM4730 123456abcdef.123456.abcdef /Date(1652376552546)/ /Date(1652376552546)/ events




Cortex XSIAM


CertificationRead more
Supported ByCortex
CreatedJune 2, 2022
Last ReleaseAugust 27, 2023

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.