The Event table contains all possible events for the tenant. Events include additions, updates, deletions, actions, etc. An event might include information such as:

  • When something changed state (e.g. when a server was added)
  • When an action succeeded or failed (e.g. a password rotation)
  • Things that happened within a specific period of time (e.g. all the servers accessed by Alice last month)

The columns of the Event table contain the properties available for any particular event and vary depending on the type of the event indicated by the EventType column. The various enumerations for the EventType column are categorized and documented further down on this page. Each event has columns for the Common Properties listed below as well as additional properties specific to an event type. The event types and their properties are documented further down in this document.

Common Properties

The following properties apply to all event types for CyberArk Identity .

ColumnTypeDescription
AuthMethodStringAuthentication method used by the user of the request that generated the event (if applicable).
AzDeploymentIdStringCloud version identifier (internal use).
AzRoleIdStringCloud role identifier (internal use).
AzRoleNameStringCloud role name (internal use).
DirectoryServiceUuidStringUnique ID of the user's directory service.
DirectoryServicePartnerNameStringPartner name for federated directory services (may be null).
EntityNameStringName of associated entity of the event (may be null).
EntityTypeStringType of associated entity of the event (may be null)
EntityUuidStringUUID of associated entity of the event (may be null)
EventTypeStringType of the event.

The following are the categories of event types:
Applications Event Types
Devices Event Types
* Core Event Types

The specific values that this field can be set to are documented in each category below.
FromIPAddressStringOriginating IP address of the request that generated the event (if applicable).
LevelStringThe logging level of the event: Error, Warning, Info. Default value is Error.
IDStringEvent's UUID (primary key).
ImpersonatorUuiidStringUUID of impersonating user if applicable (may be null).
InternalSessionIdStringCloud session identifier (internal use).
InternalTrackingIdStringCloud tracking identifier (internal use).
NewEntityStringNew entity associated with the event (if applicable, what the entity looked like before the event). May be null.
NormalizedUserStringApplicable user name (normalized) of the event.
OldEntityStringOld entity associated with the event (if applicable, what the entity looked like before the event). May be null.
RequestDeviceOSStringOperating system of the device that made the request that generated the event (if applicable).
RequestHostNameStringHost name of the request that generated the event (if applicable).
RequestIsMobileDeviceBooleanWhether the request that generated the event originate from a mobile device (if applicable).
TenantStringID of the current tenant.
ThreadTypeStringEvent thread type; one of: Unknown, RestCall, Web, Worker, Roc, Job, or Hub.
UserGuidStringApplicable user UUid of the event.
WhenLoggedDateTimeDate/time the event was logged.
WhenOccurredDateTimeDate/time that the event occurred.

Application Event Types and Properties


The following table lists the event type values that can be set in the EventType column for Application Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.

Cloud.Saas.Application.AppLaunch

Event Description: App launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, TemplateName

Cloud.Saas.Application.GatewayAppLaunch

Event Description: Gateway app launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.SelfServiceAppLaunch

Event Description: Self-service app launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.SamlResponseGenerate

Event Description: SAML response generated.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Version, Subject, Issuer, Thumbprint

Cloud.Saas.Application.WsFedSamlResponseGenerate

Event Description: WsFed SAML response generated.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Version, Subject, Guid, Issuer, Thumbprint

Cloud.Saas.Application.SelfServiceAppAdd

Event Description: Self-service app added.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppModify

Event Description: App modified.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, MobileAppType

Cloud.Saas.Application.AppPublish

Event Description: App deployed.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, RoleId, RoleName, MobileAppType

Cloud.Saas.Application.SelfServiceAppDelete

Event Description: Self-service app deleted.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppAdd

Event Description: App added.
Additional Properties: ApplicationType, ApplicationName,
ApplicationID

Cloud.Saas.Application.AppUnpublish

Event Description: App un-deployed.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, RoleId, RoleName, MobileAppType

Cloud.Saas.Application.AppClone

Event Description: App cloned.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppExport

Event Description: App exported.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppImport

Event Description: App imported.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppProvModify

Event Description: App provisioning settings modified.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Filename

Cloud.Saas.Application.AppDelete

Event Description: App deleted.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, MobileAppPrice, MobileAppType, MobileAppPackageID

Cloud.Saas.Application.AppDenied

Event Description: App access denied because of the lock policy.
Additional Properties: ApplicationType, ApplicationName

Cloud.Saas.Application.AppUpdate

Event Description: App updated to latest.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Provisioning.SyncJobStarted

Event Description: Sync job started.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount

Cloud.Provisioning.SyncJobCompleted

Event Description: Sync job completed.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount

Cloud.Provisioning.UserAppSyncCompleted

Event Description: User sync completed.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount, SourceUpn, DestUpn, SyncAction, SyncActionReason, SyncResult, SyncResultReason

Cloud.GatewayDiagnostic.GatewayDiagnosticPageLoad

Event Description: Gateway diagnostic page load data stored.
Additional Properties: SessionId, AppKey, AppName, ShadowAppKey, GatewayPodName, RoleInstanceId, TunneledUri, TunneledUriScheme, TunneledUriHostname, TunneledUriPort, TunneledUriPathAndQuery, ContentLength, ContentType, ResponseElapsedMs, HttpStatus, HttpStatusCode

Cloud.GatewayDiagnostic.GatewayDiagnosticHostname

Event Description: Gateway diagnostic hostname data stored.
Additional Properties: SessionId, AppKey, AppName, ShadowAppKey, GatewayPodName, RoleInstanceId, TunneledUri, Hostname, CloudDnsResolvable, UriCount

Cloud.Core.WorkflowJob

Event Description: Workflow job started/completed/deleted.
Additional Properties: JobId, Action, ActionPrincipalName, ActionPrincipalID, TemplateName, State, Initiator, InitiatorID, CreatedDate, CompletedDate, StateUpdatedDate, PendingTaskId, TargetPrincipalID, TargetPrincipalName, TargetPrincipalNotes, TargetPrincipalAction, PrincipalType, BlessAs, StepArgs, Description, InitiatorNotes, History, ErrorMessage

Cloud.Core.WorkflowJobEvent

Event Description: Workflow job event stored.
Additional Properties: JobId, Action, ActionPrincipalName, ActionPrincipalID, TemplateName, State, Initiator, InitiatorID, CreatedDate, CompletedDate, StateUpdatedDate, PendingTaskId, TargetPrincipalID, TargetPrincipalName, TargetPrincipalNotes, TargetPrincipalAction, PrincipalType, BlessAs, StepArgs, Description, InitiatorNotes, History, ErrorMessage, EventName, EventPrincipalUUID, EventPrincipalUserName, EventPrincipalMail

Cloud.Core.SharedAppPermissionChange

Event Description: Audit history of updates to password permissions for shared applications.
Additional Properties: AppKey, ActionType, Principal, PrincipalType, OwnerUuid, ActorUuid, WhenOccurred, AppName, OwnerName, ActorName, ChangedFields

Cloud.Core.SharedAppOwnershipTransfer

Event Description: Audit history of shared application ownership transfers.
Additional Properties: OldAppKey, NewAppKey, OldOwnerUuid, NewOwnerUuid, WhenOccurred, OldOwnerName, NewOwnerName, AppName, Reason

Cloud.Core.AppCredentialsChange

Event Description: Audit history of updates to credentials for shared applications.
Additional properties: AppKey, ActionType, VaultType, OwnerUuid, ActorUuid, WhenOccurred, AppName, OwnerName, ActorName, ChangedFields

Devices Event Types and Properties


The following table lists the event type values that can be set in the EventType column for Devices Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.

Cloud.Mobile.GpChangeDetected

Event Description: Active Directory device policy set has changed.
Additional Properties: OU

Cloud.Mobile.GlobalMdmPolicyChanged

Event Description: Use of CyberArk Identity for mobile device management flag has changed.
Additional Properties: Policy, IsNew

Cloud.Mobile.ProvisionEnrollProfileDownload

Event Description: OSX MDM profile downloaded for provisioned enrollment. Only applies to MAC devices.
Additional Properties: FromIPAddress, DeviceID, EnrollProfileUser, LocalAccountUuid

Cloud.Mobile.Device.Enroll

Event Description: Device enrollment success event.
Additional Properties: DeviceID, DeviceName, FromIPAddress

Cloud.Mobile.Device.EnrollFail

Event Description: Device enrollment failure event.
Additional Properties: DeviceID, DeviceName, FromIPAddress, FailureReason, FailureMessage

Cloud.Mobile.Device.StateChange

Event Description: Device state change event.
Additional Properties: DeviceID, DeviceName, From, Reason, To

Cloud.Mobile.Device.AppChange

Event Description: Application install status on device.
Additional Properties: DeviceID, DeviceName, Application, Change

Cloud.Mobile.Device.AppInstallFailed

Event Description: MDM install failure on Apple device.
Additional Properties: DeviceName, Application, Description

Cloud.Mobile.Device.DeviceAppAction

Event Description: Action initiated to application installed on a device. (Only if the SDK is being used).
Additional Properties: DeviceID, DeviceName, AppPackageId, AppActionName, AppActionGroup, Action

Cloud.Mobile.Device.DeviceAction

Event Description: Action initiated to a device.
Additional Properties: DeviceID, DeviceName, Action, DeleteReason

Cloud.Mobile.Device.DerivedCredsProvision

Event Description: Provision derived credential action status. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName, Status

Cloud.Mobile.Device.DerivedCredsRevoked

Event Description: Revoked derived credential for a device. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName

Cloud.AfwAppRestrictionsRole.AddRole

Event Description: Add Google Android for Work application restriction settings to role. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwAppRestrictionsRole.DeleteRole

Event Description: Delete Google Android for Work application restriction settings from role. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwAppRestrictionsRole.ModifyRole

Event Description: Modify Google Android for Work application restriction settings on role. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwAppRestrictionsRole.RoleOrder

Event Description: Change role order of Google Android for Work application restriction settings. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwEnterprise.Enroll

Event Description: Enrolling a Google Android for Work domain. Only applies to Android devices.
Additional Properties: DeviceID, DeviceName, RoleId

Cloud.AfwEnterprise.Unenroll

Event Description: Unenrolling a Google Android for Work domain. Only applies to Android devices.
Additional Properties: DeviceID, DeviceName, RoleId

Cloud.Core.EmmTenantMigrated

Event Description: Enabling KNOX Express license for tenant. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName, RoleId

Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyAdded

Event Description: Added Samsung license to tenant. Does not apply to MAC devices.
Additional Properties: LicenseType, PartialLicenseKey

Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyDeleted

Event Description: Deleted Samsung license from tenant. Does not apply to MAC devices.
Additional Properties: LicenseType, PartialLicenseKey

Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyChanged

Event Description: Changed Samsung license for tenant. Does not apply to MAC devices.
Additional Properties: NewLicenseType, PartialNewLicenseKey, OldLicenseType, PartialOldLicenseKey

Core Event Types and Properties


Core Event types are specific to the CyberArk Identity core system. The following table lists the event type values that can be set in the EventType column for Core Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.

Cloud.ADUserProfileUpdate

Event Description: AD User's profile has changed.
Additional Properties: UpdatedAttributes

Cloud.Core.Access.CheckRightsFailure.Directory

Event Description: User has no permission to access file system directory.
Additional Properties: NumRightsNeeded, Path

Cloud.Core.Access.CheckRightsFailure.File

Event Description: User has no permission to access file system file.
Additional Properties: NumRightsNeeded, Path

Cloud.Core.Access.CheckRightsFailure.Table

Event Description: User has no permission to access table.
Additional Properties: NumRightsNeeded, Table

Cloud.Core.Access.CheckRightsFailure.Table.Row

Event Description: User has no permission to access table row.
Additional Properties: NumRightsNeeded, Table, Row

Cloud.Core.Access.Rights.Change.

Event Description: Permission update.
Additional Properties: ObjectName, ObjectType, Principal, PrincipalType, PrincipalName, NumGrantAdd, NumGrantRemove, NumDenyAdd, NumDenyRemove

Cloud.Core.Access.Rights.Remove

Event Description: Permission removed.
Additional Properties: ObjectName, ObjectType, Principal, PrincipalType, PrincipalName

Cloud.Core.Access.Role.Create

Event Description: Role created.
Additional Properties: RoleId, Role

Cloud.Core.Access.Role.Delete

Event Description: Role deleted.
Additional Properties: RoleId, Role

Cloud.Core.Access.Role.Edit

Event Description: Role principal added or removed.
Additional Properties: RoleId, Role, PrincipalType, PrincipalUuid, PrincipalName, EditType

Cloud.Core.Access.Role.Update

Event Description: Role updated.
Additional Properties: RoleId, Role, PrincipalsJobId

Cloud.Core.AdaptiveMfa.RiskAnalysis

Event Description: Adaptive MFA risk analysis performed.
Additional Properties:

Cloud.Core.ADUserPasswordChange

Event Description: AD User's password has changed.
Additional Properties: Changer, ChangerUuid

Cloud.Core.ADUserPasswordChangeFailed

Event Description: AD User's password change failed.
Additional Properties: Changer, ChangerUuid, FromIPAddress, Result, Exception, EventParm

Cloud.Core.Alias.Add

Event Description: Tenant alias created.
Additional Properties: Alias, ReplaceDomain, Type

Cloud.Core.Alias.Change

Event Description: Tenant alias updated.
Additional Properties: Alias, ReplaceDomain, Type

Cloud.Core.Alias.Delete

Event Description: Tenant alias deleted.
Additional Properties: Alias, ReplaceDomain, Type

Cloud.Core.AuthProfile.AuthProfileChanged

Event Description: Authentication profile updated.
Additional Properties: Id, ProfileName

Cloud.Core.AuthProfile.AuthProfileCreated

Event Description: Authentication profile created.
Additional Properties: Id, ProfileName

Cloud.Core.AuthProfile.AuthProfileDeleted

Event Description: Authentication profile deleted.
Additional Properties: Id

Cloud.Core.Certificate.IssuedUserCertificate

Event Description: Created certificate for user.
Additional Properties: Thumbprint, TargetUserID, TargetUser

Cloud.Core.Certificate.RemovedUserCertificate

Event Description: Removed certificate for user.
Additional Properties: Thumbprint, TargetUserID, TargetUser

Cloud.Core.Collection.Create

Event Description: Collection created.
Additional Properties: ObjectName, UUID

Cloud.Core.Collection.Delete

Event Description: Collection deleted.
Additional Properties: ObjectName, UUID

Cloud.Core.Collection.ModifyCollectionMembers

Event Description: Collection members modified.
Additional Properties: ObjectName, UUID

Cloud.Core.Collection.Update

Event Description: Collection updated.
Additional Properties: ObjectName, UUID

Cloud.Core.Config.Delete

Event Description: Tenant config deleted.
Additional Properties: Key, Value

Cloud.Core.Config.Set

Event Description: Tenant config set.
Additional Properties: Key, Value

Cloud.Core.Config.Update

Event Description: Tenant config updated.
Additional Properties: Key, Value

Cloud.Core.Cus.CusEntity.CusCreateUser

Event Description: CUS user created.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.CusDeleteUser

Event Description: CUS user deleted.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.CusModifyUser

Event Description: CUS user updated.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.CusSetUserState

Event Description: CUS user state change.
Additional Properties: Changer, ChangerUuid, UserState, PreviousUserState

Cloud.Core.Cus.CusEntity.PasswordChange

Event Description: CUS user password change.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.PasswordChangeFailed

Event Description: CUS user password change failed.
Additional Properties: Changer, ChangerUuid, FailedMessage, Exception, EventParm

Cloud.Core.DS.AddDirectoryService

Event Description: Directory service added.
Additional Properties: DSType, DSName, DSUUID

Cloud.Core.DS.RemoveDirectoryService

Event Description: Directory service removed.
Additional Properties: DSType, DSName, DSUUID

Cloud.Core.DSEntityChange

Event Description: Directory service entity, change (users, groups,, etc.).
Additional Properties: NewEntity, Action, Classification, CloudHasSeenUser, CloudHasSeenEntity, DSUuid, DSType, DSName

Cloud.Core.DSEntityLog.DSEntityCreateLog

Event Description: Directory service entity created.
Additional Properties:

Cloud.Core.DSEntityLog.DSEntityDeleteLog

Event Description: Directory service entity deleted.
Additional Properties:

Cloud.Core.DSEntityLog.DSEntityModifyLog

Event Description: Directory service entity updated.
Additional Properties:

Cloud.Core.FinishImpersonate

Event Description: Impersonate user ends.
Additional Properties: ImpersonateTargetUuid, ImpersonateTargetName

Cloud.Core.ForgotUserName

Event Description: Forgot user name request.
Additional Properties: EmailAddress, MatchingUserCount, MatchingUsernames

Cloud.Core.Logout

Event Description: User logged out. Note: Not dependable as users may not logout.
Additional Properties:

Cloud.Core.MfaSummary

Event Description: MFA event occurred.
Additional Properties: AuthenticationAssuranceLevel, Session, ChallengeId, MfaInitiator, MfaResult, MfaReason, FailReason, ProfileId, ProfileName, MfaUnlock, ForgotPassword, EndpointKnown, EndpointOnPremise, Factors, FactorPassword, FactorEmail, FactorSms, FactorPhoneCall, FactorMobileAuthenticator, FactorOathAuthenticator, FactorSecurityQuestion, FactorRadius, FactorOther, DenyByUser

Cloud.Core.MfaUnlock

Event Description. MFA unlock event on the target user.
Additional Properties: TargetUser, TargetUserID

Cloud.Core.O365WsTrustLogin

Event Description: App login using the WS-Trust standard (for example, Office365).
Additional Properties:

Cloud.Core.Policy.AddSet

Event Description: Policy added.
Additional Properties: SetPath

Cloud.Core.Policy.DeleteSet

Event Description: Policy deleted.
Additional Properties: SetPath

Cloud.Core.Policy.ModifySet

Event Description: Policy modified.
Additional Properties: SetPath

Cloud.Core.Policy.PlinkChange

Event Description: Policy links changed.
Additional Properties: SetPath

Cloud.Core.Policy.PlinkOrder

Event Description: Policy links order changed.
Additional Properties: SetPath

Cloud.Core.Proxy.ProxyDeleted

Event Description: Connector removed.
Additional Properties: ProxyId, MachineName, Uuid, Forest

Cloud.Core.Proxy.ProxyRegistration

Event Description: Connector registered.
Additional Properties: ProxyId, MachineName, Customer, Forest

Cloud.Core.Radius.RemoveClient

Event Description: Removed radius client.
Additional Properties: ClientAddress

Cloud.Core.Radius.RemoveConfig

Event Description: Removed radius config for connector.
Additional Properties: ConnectorUUID

Cloud.Core.Radius.RemoveServer

Event Description: Removed radius server.
Additional Properties: HostAddress

Cloud.Core.Radius.SetClient

Event Description: Add/update radius client.
Additional Properties: ClientAddress

Cloud.Core.Radius.SetConfig

Event Description: Radius connector config set.
Additional Properties: ConnectorUuid

Cloud.Core.Radius.SetServer

Event Description: Add/update radius server.
Additional Properties: HostAddress

Cloud.Core.SamlResponseValidate

Event Description: SAML response for user validated.
Additional Properties: UserName, Issuer, ToDate, Uuid, IDP

Cloud.Core.StartImpersonate

Event Description: Impersonate user begins.
Additional Properties: ImpersonateTargetUuid, ImpersonateTargetName

Cloud.Core.StoreUserSetting

Event Description: User setting updated.
Additional Properties: Target, Type, TargetUser, TargetUserID

Cloud.Core.TenantCname.Add

Event Description: Tenant cname added.
Additional Properties: Cname

Cloud.Core.TenantCname.Delete

Event Description: Tenant cname removed.
Additional Properties: Cname

Cloud.Core.TenantStateChange

Event Description: Tenant state changed.
Additional Properties: OldState, NewState, AffectedTenant

Cloud.Core.UserSecurityQuestionSet

Event Description: User set security question.
Additional Properties: