Event
The Event table contains all possible events for the tenant. Events include additions, updates, deletions, actions, etc. An event might include information such as:
- When something changed state (e.g. when a server was added)
- When an action succeeded or failed (e.g. a password rotation)
- Things that happened within a specific period of time (e.g. all the servers accessed by Alice last month)
The columns of the Event table contain the properties available for any particular event and vary depending on the type of the event indicated by the EventType column. The various enumerations for the EventType column are categorized and documented further down on this page. Each event has columns for the Common Properties listed below as well as additional properties specific to an event type. The event types and their properties are documented further down in this document.
Common Properties
The following properties apply to all event types for CyberArk Identity .
| Column | Type | Description |
|---|---|---|
| AuthMethod | String | Authentication method used by the user of the request that generated the event (if applicable). |
| AzDeploymentId | String | Cloud version identifier (internal use). |
| AzRoleId | String | Cloud role identifier (internal use). |
| AzRoleName | String | Cloud role name (internal use). |
| DirectoryServiceUuid | String | Unique ID of the user's directory service. |
| DirectoryServicePartnerName | String | Partner name for federated directory services (may be null). |
| EntityName | String | Name of associated entity of the event (may be null). |
| EntityType | String | Type of associated entity of the event (may be null) |
| EntityUuid | String | UUID of associated entity of the event (may be null) |
| EventType | String | Type of the event. The following are the categories of event types: Applications Event Types Devices Event Types * Core Event Types The specific values that this field can be set to are documented in each category below. |
| FromIPAddress | String | Originating IP address of the request that generated the event (if applicable). |
| Level | String | The logging level of the event: Error, Warning, Info. Default value is Error. |
| ID | String | Event's UUID (primary key). |
| ImpersonatorUuiid | String | UUID of impersonating user if applicable (may be null). |
| InternalSessionId | String | Cloud session identifier (internal use). |
| InternalTrackingId | String | Cloud tracking identifier (internal use). |
| NewEntity | String | New entity associated with the event (if applicable, what the entity looked like before the event). May be null. |
| NormalizedUser | String | Applicable user name (normalized) of the event. |
| OldEntity | String | Old entity associated with the event (if applicable, what the entity looked like before the event). May be null. |
| RequestDeviceOS | String | Operating system of the device that made the request that generated the event (if applicable). |
| RequestHostName | String | Host name of the request that generated the event (if applicable). |
| RequestIsMobileDevice | Boolean | Whether the request that generated the event originate from a mobile device (if applicable). |
| Tenant | String | ID of the current tenant. |
| ThreadType | String | Event thread type; one of: Unknown, RestCall, Web, Worker, Roc, Job, or Hub. |
| UserGuid | String | Applicable user UUid of the event. |
| WhenLogged | DateTime | Date/time the event was logged. |
| WhenOccurred | DateTime | Date/time that the event occurred. |
Application Event Types and Properties
The following table lists the event type values that can be set in the EventType column for Application Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.
Cloud.Saas.Application.AppLaunch
Event Description: App launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, TemplateName
Cloud.Saas.Application.GatewayAppLaunch
Event Description: Gateway app launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Saas.Application.SelfServiceAppLaunch
Event Description: Self-service app launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Saas.Application.SamlResponseGenerate
Event Description: SAML response generated.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Version, Subject, Issuer, Thumbprint
Cloud.Saas.Application.WsFedSamlResponseGenerate
Event Description: WsFed SAML response generated.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Version, Subject, Guid, Issuer, Thumbprint
Cloud.Saas.Application.SelfServiceAppAdd
Event Description: Self-service app added.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Saas.Application.AppModify
Event Description: App modified.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, MobileAppType
Cloud.Saas.Application.AppPublish
Event Description: App deployed.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, RoleId, RoleName, MobileAppType
Cloud.Saas.Application.SelfServiceAppDelete
Event Description: Self-service app deleted.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Saas.Application.AppAdd
Event Description: App added.
Additional Properties: ApplicationType, ApplicationName,
ApplicationID
Cloud.Saas.Application.AppUnpublish
Event Description: App un-deployed.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, RoleId, RoleName, MobileAppType
Cloud.Saas.Application.AppClone
Event Description: App cloned.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Saas.Application.AppExport
Event Description: App exported.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Saas.Application.AppImport
Event Description: App imported.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Saas.Application.AppProvModify
Event Description: App provisioning settings modified.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Filename
Cloud.Saas.Application.AppDelete
Event Description: App deleted.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, MobileAppPrice, MobileAppType, MobileAppPackageID
Cloud.Saas.Application.AppDenied
Event Description: App access denied because of the lock policy.
Additional Properties: ApplicationType, ApplicationName
Cloud.Saas.Application.AppUpdate
Event Description: App updated to latest.
Additional Properties: ApplicationType, ApplicationName, ApplicationID
Cloud.Provisioning.SyncJobStarted
Event Description: Sync job started.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount
Cloud.Provisioning.SyncJobCompleted
Event Description: Sync job completed.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount
Cloud.Provisioning.UserAppSyncCompleted
Event Description: User sync completed.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount, SourceUpn, DestUpn, SyncAction, SyncActionReason, SyncResult, SyncResultReason
Cloud.GatewayDiagnostic.GatewayDiagnosticPageLoad
Event Description: Gateway diagnostic page load data stored.
Additional Properties: SessionId, AppKey, AppName, ShadowAppKey, GatewayPodName, RoleInstanceId, TunneledUri, TunneledUriScheme, TunneledUriHostname, TunneledUriPort, TunneledUriPathAndQuery, ContentLength, ContentType, ResponseElapsedMs, HttpStatus, HttpStatusCode
Cloud.GatewayDiagnostic.GatewayDiagnosticHostname
Event Description: Gateway diagnostic hostname data stored.
Additional Properties: SessionId, AppKey, AppName, ShadowAppKey, GatewayPodName, RoleInstanceId, TunneledUri, Hostname, CloudDnsResolvable, UriCount
Cloud.Core.WorkflowJob
Event Description: Workflow job started/completed/deleted.
Additional Properties: JobId, Action, ActionPrincipalName, ActionPrincipalID, TemplateName, State, Initiator, InitiatorID, CreatedDate, CompletedDate, StateUpdatedDate, PendingTaskId, TargetPrincipalID, TargetPrincipalName, TargetPrincipalNotes, TargetPrincipalAction, PrincipalType, BlessAs, StepArgs, Description, InitiatorNotes, History, ErrorMessage
Cloud.Core.WorkflowJobEvent
Event Description: Workflow job event stored.
Additional Properties: JobId, Action, ActionPrincipalName, ActionPrincipalID, TemplateName, State, Initiator, InitiatorID, CreatedDate, CompletedDate, StateUpdatedDate, PendingTaskId, TargetPrincipalID, TargetPrincipalName, TargetPrincipalNotes, TargetPrincipalAction, PrincipalType, BlessAs, StepArgs, Description, InitiatorNotes, History, ErrorMessage, EventName, EventPrincipalUUID, EventPrincipalUserName, EventPrincipalMail
Cloud.Core.SharedAppPermissionChange
Event Description: Audit history of updates to password permissions for shared applications.
Additional Properties: AppKey, ActionType, Principal, PrincipalType, OwnerUuid, ActorUuid, WhenOccurred, AppName, OwnerName, ActorName, ChangedFields
Cloud.Core.SharedAppOwnershipTransfer
Event Description: Audit history of shared application ownership transfers.
Additional Properties: OldAppKey, NewAppKey, OldOwnerUuid, NewOwnerUuid, WhenOccurred, OldOwnerName, NewOwnerName, AppName, Reason
Cloud.Core.AppCredentialsChange
Event Description: Audit history of updates to credentials for shared applications.
Additional properties: AppKey, ActionType, VaultType, OwnerUuid, ActorUuid, WhenOccurred, AppName, OwnerName, ActorName, ChangedFields
Devices Event Types and Properties
The following table lists the event type values that can be set in the EventType column for Devices Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.
Cloud.Mobile.GpChangeDetected
Event Description: Active Directory device policy set has changed.
Additional Properties: OU
Cloud.Mobile.GlobalMdmPolicyChanged
Event Description: Use of CyberArk Identity for mobile device management flag has changed.
Additional Properties: Policy, IsNew
Cloud.Mobile.ProvisionEnrollProfileDownload
Event Description: OSX MDM profile downloaded for provisioned enrollment. Only applies to MAC devices.
Additional Properties: FromIPAddress, DeviceID, EnrollProfileUser, LocalAccountUuid
Cloud.Mobile.Device.Enroll
Event Description: Device enrollment success event.
Additional Properties: DeviceID, DeviceName, FromIPAddress
Cloud.Mobile.Device.EnrollFail
Event Description: Device enrollment failure event.
Additional Properties: DeviceID, DeviceName, FromIPAddress, FailureReason, FailureMessage
Cloud.Mobile.Device.StateChange
Event Description: Device state change event.
Additional Properties: DeviceID, DeviceName, From, Reason, To
Cloud.Mobile.Device.AppChange
Event Description: Application install status on device.
Additional Properties: DeviceID, DeviceName, Application, Change
Cloud.Mobile.Device.AppInstallFailed
Event Description: MDM install failure on Apple device.
Additional Properties: DeviceName, Application, Description
Cloud.Mobile.Device.DeviceAppAction
Event Description: Action initiated to application installed on a device. (Only if the SDK is being used).
Additional Properties: DeviceID, DeviceName, AppPackageId, AppActionName, AppActionGroup, Action
Cloud.Mobile.Device.DeviceAction
Event Description: Action initiated to a device.
Additional Properties: DeviceID, DeviceName, Action, DeleteReason
Cloud.Mobile.Device.DerivedCredsProvision
Event Description: Provision derived credential action status. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName, Status
Cloud.Mobile.Device.DerivedCredsRevoked
Event Description: Revoked derived credential for a device. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName
Cloud.AfwAppRestrictionsRole.AddRole
Event Description: Add Google Android for Work application restriction settings to role. Only applies to Android devices.
Additional Properties: RoleId
Cloud.AfwAppRestrictionsRole.DeleteRole
Event Description: Delete Google Android for Work application restriction settings from role. Only applies to Android devices.
Additional Properties: RoleId
Cloud.AfwAppRestrictionsRole.ModifyRole
Event Description: Modify Google Android for Work application restriction settings on role. Only applies to Android devices.
Additional Properties: RoleId
Cloud.AfwAppRestrictionsRole.RoleOrder
Event Description: Change role order of Google Android for Work application restriction settings. Only applies to Android devices.
Additional Properties: RoleId
Cloud.AfwEnterprise.Enroll
Event Description: Enrolling a Google Android for Work domain. Only applies to Android devices.
Additional Properties: DeviceID, DeviceName, RoleId
Cloud.AfwEnterprise.Unenroll
Event Description: Unenrolling a Google Android for Work domain. Only applies to Android devices.
Additional Properties: DeviceID, DeviceName, RoleId
Cloud.Core.EmmTenantMigrated
Event Description: Enabling KNOX Express license for tenant. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName, RoleId
Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyAdded
Event Description: Added Samsung license to tenant. Does not apply to MAC devices.
Additional Properties: LicenseType, PartialLicenseKey
Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyDeleted
Event Description: Deleted Samsung license from tenant. Does not apply to MAC devices.
Additional Properties: LicenseType, PartialLicenseKey
Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyChanged
Event Description: Changed Samsung license for tenant. Does not apply to MAC devices.
Additional Properties: NewLicenseType, PartialNewLicenseKey, OldLicenseType, PartialOldLicenseKey
Core Event Types and Properties
Core Event types are specific to the CyberArk Identity core system. The following table lists the event type values that can be set in the EventType column for Core Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.
Cloud.ADUserProfileUpdate
Event Description: AD User's profile has changed.
Additional Properties: UpdatedAttributes
Cloud.Core.Access.CheckRightsFailure.Directory
Event Description: User has no permission to access file system directory.
Additional Properties: NumRightsNeeded, Path
Cloud.Core.Access.CheckRightsFailure.File
Event Description: User has no permission to access file system file.
Additional Properties: NumRightsNeeded, Path
Cloud.Core.Access.CheckRightsFailure.Table
Event Description: User has no permission to access table.
Additional Properties: NumRightsNeeded, Table
Cloud.Core.Access.CheckRightsFailure.Table.Row
Event Description: User has no permission to access table row.
Additional Properties: NumRightsNeeded, Table, Row
Cloud.Core.Access.Rights.Change.
Event Description: Permission update.
Additional Properties: ObjectName, ObjectType, Principal, PrincipalType, PrincipalName, NumGrantAdd, NumGrantRemove, NumDenyAdd, NumDenyRemove
Cloud.Core.Access.Rights.Remove
Event Description: Permission removed.
Additional Properties: ObjectName, ObjectType, Principal, PrincipalType, PrincipalName
Cloud.Core.Access.Role.Create
Event Description: Role created.
Additional Properties: RoleId, Role
Cloud.Core.Access.Role.Delete
Event Description: Role deleted.
Additional Properties: RoleId, Role
Cloud.Core.Access.Role.Edit
Event Description: Role principal added or removed.
Additional Properties: RoleId, Role, PrincipalType, PrincipalUuid, PrincipalName, EditType
Cloud.Core.Access.Role.Update
Event Description: Role updated.
Additional Properties: RoleId, Role, PrincipalsJobId
Cloud.Core.AdaptiveMfa.RiskAnalysis
Event Description: Adaptive MFA risk analysis performed.
Additional Properties:
Cloud.Core.ADUserPasswordChange
Event Description: AD User's password has changed.
Additional Properties: Changer, ChangerUuid
Cloud.Core.ADUserPasswordChangeFailed
Event Description: AD User's password change failed.
Additional Properties: Changer, ChangerUuid, FromIPAddress, Result, Exception, EventParm
Cloud.Core.Alias.Add
Event Description: Tenant alias created.
Additional Properties: Alias, ReplaceDomain, Type
Cloud.Core.Alias.Change
Event Description: Tenant alias updated.
Additional Properties: Alias, ReplaceDomain, Type
Cloud.Core.Alias.Delete
Event Description: Tenant alias deleted.
Additional Properties: Alias, ReplaceDomain, Type
Cloud.Core.AuthProfile.AuthProfileChanged
Event Description: Authentication profile updated.
Additional Properties: Id, ProfileName
Cloud.Core.AuthProfile.AuthProfileCreated
Event Description: Authentication profile created.
Additional Properties: Id, ProfileName
Cloud.Core.AuthProfile.AuthProfileDeleted
Event Description: Authentication profile deleted.
Additional Properties: Id
Cloud.Core.Certificate.IssuedUserCertificate
Event Description: Created certificate for user.
Additional Properties: Thumbprint, TargetUserID, TargetUser
Cloud.Core.Certificate.RemovedUserCertificate
Event Description: Removed certificate for user.
Additional Properties: Thumbprint, TargetUserID, TargetUser
Cloud.Core.Collection.Create
Event Description: Collection created.
Additional Properties: ObjectName, UUID
Cloud.Core.Collection.Delete
Event Description: Collection deleted.
Additional Properties: ObjectName, UUID
Cloud.Core.Collection.ModifyCollectionMembers
Event Description: Collection members modified.
Additional Properties: ObjectName, UUID
Cloud.Core.Collection.Update
Event Description: Collection updated.
Additional Properties: ObjectName, UUID
Cloud.Core.Config.Delete
Event Description: Tenant config deleted.
Additional Properties: Key, Value
Cloud.Core.Config.Set
Event Description: Tenant config set.
Additional Properties: Key, Value
Cloud.Core.Config.Update
Event Description: Tenant config updated.
Additional Properties: Key, Value
Cloud.Core.Cus.CusEntity.CusCreateUser
Event Description: CUS user created.
Additional Properties: Changer, ChangerUUID
Cloud.Core.Cus.CusEntity.CusDeleteUser
Event Description: CUS user deleted.
Additional Properties: Changer, ChangerUUID
Cloud.Core.Cus.CusEntity.CusModifyUser
Event Description: CUS user updated.
Additional Properties: Changer, ChangerUUID
Cloud.Core.Cus.CusEntity.CusSetUserState
Event Description: CUS user state change.
Additional Properties: Changer, ChangerUuid, UserState, PreviousUserState
Cloud.Core.Cus.CusEntity.PasswordChange
Event Description: CUS user password change.
Additional Properties: Changer, ChangerUUID
Cloud.Core.Cus.CusEntity.PasswordChangeFailed
Event Description: CUS user password change failed.
Additional Properties: Changer, ChangerUuid, FailedMessage, Exception, EventParm
Cloud.Core.DS.AddDirectoryService
Event Description: Directory service added.
Additional Properties: DSType, DSName, DSUUID
Cloud.Core.DS.RemoveDirectoryService
Event Description: Directory service removed.
Additional Properties: DSType, DSName, DSUUID
Cloud.Core.DSEntityChange
Event Description: Directory service entity, change (users, groups,, etc.).
Additional Properties: NewEntity, Action, Classification, CloudHasSeenUser, CloudHasSeenEntity, DSUuid, DSType, DSName
Cloud.Core.DSEntityLog.DSEntityCreateLog
Event Description: Directory service entity created.
Additional Properties:
Cloud.Core.DSEntityLog.DSEntityDeleteLog
Event Description: Directory service entity deleted.
Additional Properties:
Cloud.Core.DSEntityLog.DSEntityModifyLog
Event Description: Directory service entity updated.
Additional Properties:
Cloud.Core.FinishImpersonate
Event Description: Impersonate user ends.
Additional Properties: ImpersonateTargetUuid, ImpersonateTargetName
Cloud.Core.ForgotUserName
Event Description: Forgot user name request.
Additional Properties: EmailAddress, MatchingUserCount, MatchingUsernames
Cloud.Core.Logout
Event Description: User logged out. Note: Not dependable as users may not logout.
Additional Properties:
Cloud.Core.MfaSummary
Event Description: MFA event occurred.
Additional Properties: AuthenticationAssuranceLevel, Session, ChallengeId, MfaInitiator, MfaResult, MfaReason, FailReason, ProfileId, ProfileName, MfaUnlock, ForgotPassword, EndpointKnown, EndpointOnPremise, Factors, FactorPassword, FactorEmail, FactorSms, FactorPhoneCall, FactorMobileAuthenticator, FactorOathAuthenticator, FactorSecurityQuestion, FactorRadius, FactorOther, DenyByUser
Cloud.Core.MfaUnlock
Event Description. MFA unlock event on the target user.
Additional Properties: TargetUser, TargetUserID
Cloud.Core.O365WsTrustLogin
Event Description: App login using the WS-Trust standard (for example, Office365).
Additional Properties:
Cloud.Core.Policy.AddSet
Event Description: Policy added.
Additional Properties: SetPath
Cloud.Core.Policy.DeleteSet
Event Description: Policy deleted.
Additional Properties: SetPath
Cloud.Core.Policy.ModifySet
Event Description: Policy modified.
Additional Properties: SetPath
Cloud.Core.Policy.PlinkChange
Event Description: Policy links changed.
Additional Properties: SetPath
Cloud.Core.Policy.PlinkOrder
Event Description: Policy links order changed.
Additional Properties: SetPath
Cloud.Core.Proxy.ProxyDeleted
Event Description: Connector removed.
Additional Properties: ProxyId, MachineName, Uuid, Forest
Cloud.Core.Proxy.ProxyRegistration
Event Description: Connector registered.
Additional Properties: ProxyId, MachineName, Customer, Forest
Cloud.Core.Radius.RemoveClient
Event Description: Removed radius client.
Additional Properties: ClientAddress
Cloud.Core.Radius.RemoveConfig
Event Description: Removed radius config for connector.
Additional Properties: ConnectorUUID
Cloud.Core.Radius.RemoveServer
Event Description: Removed radius server.
Additional Properties: HostAddress
Cloud.Core.Radius.SetClient
Event Description: Add/update radius client.
Additional Properties: ClientAddress
Cloud.Core.Radius.SetConfig
Event Description: Radius connector config set.
Additional Properties: ConnectorUuid
Cloud.Core.Radius.SetServer
Event Description: Add/update radius server.
Additional Properties: HostAddress
Cloud.Core.SamlResponseValidate
Event Description: SAML response for user validated.
Additional Properties: UserName, Issuer, ToDate, Uuid, IDP
Cloud.Core.StartImpersonate
Event Description: Impersonate user begins.
Additional Properties: ImpersonateTargetUuid, ImpersonateTargetName
Cloud.Core.StoreUserSetting
Event Description: User setting updated.
Additional Properties: Target, Type, TargetUser, TargetUserID
Cloud.Core.TenantCname.Add
Event Description: Tenant cname added.
Additional Properties: Cname
Cloud.Core.TenantCname.Delete
Event Description: Tenant cname removed.
Additional Properties: Cname
Cloud.Core.TenantStateChange
Event Description: Tenant state changed.
Additional Properties: OldState, NewState, AffectedTenant
Cloud.Core.UserSecurityQuestionSet
Event Description: User set security question.
Additional Properties:
Updated over 1 year ago