The Event table contains all possible events for the tenant. Events include additions, updates, deletions, actions, etc. An event might include information such as:

  • When something changed state (e.g. when a server was added)
  • When an action succeeded or failed (e.g. a password rotation)
  • Things that happened within a specific period of time (e.g. all the servers accessed by Alice last month)

The columns of the Event table contain the properties available for any particular event and vary depending on the type of the event indicated by the EventType column. The various enumerations for the EventType column are categorized and documented further down on this page. Each event has columns for the Common Properties listed below as well as additional properties specific to an event type. The event types and their properties are documented further down in this document.

Common Properties

The following properties apply to all event types for CyberArk Identity .

Column

Type

Description

AuthMethod

String

Authentication method used by the user of the request that generated the event (if applicable).

AzDeploymentId

String

Cloud version identifier (internal use).

AzRoleId

String

Cloud role identifier (internal use).

AzRoleName

String

Cloud role name (internal use).

DirectoryServiceUuid

String

Unique ID of the user's directory service.

DirectoryServicePartnerName

String

Partner name for federated directory services (may be null).

EntityName

String

Name of associated entity of the event (may be null).

EntityType

String

Type of associated entity of the event (may be null)

EntityUuid

String

UUID of associated entity of the event (may be null)

EventType

String

Type of the event.

The following are the categories of event types:

The specific values that this field can be set to are documented in each category below.

FromIPAddress

String

Originating IP address of the request that generated the event (if applicable).

Level

String

The logging level of the event: Error, Warning, Info. Default value is Error.

ID

String

Event's UUID (primary key).

ImpersonatorUuiid

String

UUID of impersonating user if applicable (may be null).

InternalSessionId

String

Cloud session identifier (internal use).

InternalTrackingId

String

Cloud tracking identifier (internal use).

NewEntity

String

New entity associated with the event (if applicable, what the entity looked like before the event). May be null.

NormalizedUser

String

Applicable user name (normalized) of the event.

OldEntity

String

Old entity associated with the event (if applicable, what the entity looked like before the event). May be null.

RequestDeviceOS

String

Operating system of the device that made the request that generated the event (if applicable).

RequestHostName

String

Host name of the request that generated the event (if applicable).

RequestIsMobileDevice

Boolean

Whether the request that generated the event originate from a mobile device (if applicable).

Tenant

String

ID of the current tenant.

ThreadType

String

Event thread type; one of: Unknown, RestCall, Web, Worker, Roc, Job, or Hub.

UserGuid

String

Applicable user UUid of the event.

WhenLogged

DateTime

Date/time the event was logged.

WhenOccurred

DateTime

Date/time that the event occurred.

Application Event Types and Properties


The following table lists the event type values that can be set in the EventType column for Application Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.

Cloud.Saas.Application.AppLaunch

Event Description: App launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, TemplateName

Cloud.Saas.Application.GatewayAppLaunch

Event Description: Gateway app launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.SelfServiceAppLaunch

Event Description: Self-service app launched.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.SamlResponseGenerate

Event Description: SAML response generated.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Version, Subject, Issuer, Thumbprint

Cloud.Saas.Application.WsFedSamlResponseGenerate

Event Description: WsFed SAML response generated.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Version, Subject, Guid, Issuer, Thumbprint

Cloud.Saas.Application.SelfServiceAppAdd

Event Description: Self-service app added.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppModify

Event Description: App modified.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, MobileAppType

Cloud.Saas.Application.AppPublish

Event Description: App deployed.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, RoleId, RoleName, MobileAppType

Cloud.Saas.Application.SelfServiceAppDelete

Event Description: Self-service app deleted.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppAdd

Event Description: App added.
Additional Properties: ApplicationType, ApplicationName,
ApplicationID

Cloud.Saas.Application.AppUnpublish

Event Description: App un-deployed.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, RoleId, RoleName, MobileAppType

Cloud.Saas.Application.AppClone

Event Description: App cloned.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppExport

Event Description: App exported.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppImport

Event Description: App imported.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Saas.Application.AppProvModify

Event Description: App provisioning settings modified.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, Filename

Cloud.Saas.Application.AppDelete

Event Description: App deleted.
Additional Properties: ApplicationType, ApplicationName, ApplicationID, MobileAppPrice, MobileAppType, MobileAppPackageID

Cloud.Saas.Application.AppDenied

Event Description: App access denied because of the lock policy.
Additional Properties: ApplicationType, ApplicationName

Cloud.Saas.Application.AppUpdate

Event Description: App updated to latest.
Additional Properties: ApplicationType, ApplicationName, ApplicationID

Cloud.Provisioning.SyncJobStarted

Event Description: Sync job started.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount

Cloud.Provisioning.SyncJobCompleted

Event Description: Sync job completed.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount

Cloud.Provisioning.UserAppSyncCompleted

Event Description: User sync completed.
Additional Properties: AppId, AppName, AppDisplayName, JobUniqueId, SyncType, IsPreview, IsForceSync, ElapsedSeconds, WorkItemCount, SourceUpn, DestUpn, SyncAction, SyncActionReason, SyncResult, SyncResultReason

Cloud.GatewayDiagnostic.GatewayDiagnosticPageLoad

Event Description: Gateway diagnostic page load data stored.
Additional Properties: SessionId, AppKey, AppName, ShadowAppKey, GatewayPodName, RoleInstanceId, TunneledUri, TunneledUriScheme, TunneledUriHostname, TunneledUriPort, TunneledUriPathAndQuery, ContentLength, ContentType, ResponseElapsedMs, HttpStatus, HttpStatusCode

Cloud.GatewayDiagnostic.GatewayDiagnosticHostname

Event Description: Gateway diagnostic hostname data stored.
Additional Properties: SessionId, AppKey, AppName, ShadowAppKey, GatewayPodName, RoleInstanceId, TunneledUri, Hostname, CloudDnsResolvable, UriCount

Cloud.Core.WorkflowJob

Event Description: Workflow job started/completed/deleted.
Additional Properties: JobId, Action, ActionPrincipalName, ActionPrincipalID, TemplateName, State, Initiator, InitiatorID, CreatedDate, CompletedDate, StateUpdatedDate, PendingTaskId, TargetPrincipalID, TargetPrincipalName, TargetPrincipalNotes, TargetPrincipalAction, PrincipalType, BlessAs, StepArgs, Description, InitiatorNotes, History, ErrorMessage

Cloud.Core.WorkflowJobEvent

Event Description: Workflow job event stored.
Additional Properties: JobId, Action, ActionPrincipalName, ActionPrincipalID, TemplateName, State, Initiator, InitiatorID, CreatedDate, CompletedDate, StateUpdatedDate, PendingTaskId, TargetPrincipalID, TargetPrincipalName, TargetPrincipalNotes, TargetPrincipalAction, PrincipalType, BlessAs, StepArgs, Description, InitiatorNotes, History, ErrorMessage, EventName, EventPrincipalUUID, EventPrincipalUserName, EventPrincipalMail

Devices Event Types and Properties


The following table lists the event type values that can be set in the EventType column for Devices Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.

Cloud.Mobile.GpChangeDetected

Event Description: Active Directory device policy set has changed.
Additional Properties: OU

Cloud.Mobile.GlobalMdmPolicyChanged

Event Description: Use of CyberArk Identity for mobile device management flag has changed.
Additional Properties: Policy, IsNew

Cloud.Mobile.ProvisionEnrollProfileDownload

Event Description: OSX MDM profile downloaded for provisioned enrollment. Only applies to MAC devices.
Additional Properties: FromIPAddress, DeviceID, EnrollProfileUser, LocalAccountUuid

Cloud.Mobile.Device.Enroll

Event Description: Device enrollment success event.
Additional Properties: DeviceID, DeviceName, FromIPAddress

Cloud.Mobile.Device.EnrollFail

Event Description: Device enrollment failure event.
Additional Properties: DeviceID, DeviceName, FromIPAddress, FailureReason, FailureMessage

Cloud.Mobile.Device.StateChange

Event Description: Device state change event.
Additional Properties: DeviceID, DeviceName, From, Reason, To

Cloud.Mobile.Device.AppChange

Event Description: Application install status on device.
Additional Properties: DeviceID, DeviceName, Application, Change

Cloud.Mobile.Device.AppInstallFailed

Event Description: MDM install failure on Apple device.
Additional Properties: DeviceName, Application, Description

Cloud.Mobile.Device.DeviceAppAction

Event Description: Action initiated to application installed on a device. (Only if the SDK is being used).
Additional Properties: DeviceID, DeviceName, AppPackageId, AppActionName, AppActionGroup, Action

Cloud.Mobile.Device.DeviceAction

Event Description: Action initiated to a device.
Additional Properties: DeviceID, DeviceName, Action, DeleteReason

Cloud.Mobile.Device.DerivedCredsProvision

Event Description: Provision derived credential action status. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName, Status

Cloud.Mobile.Device.DerivedCredsRevoked

Event Description: Revoked derived credential for a device. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName

Cloud.AfwAppRestrictionsRole.AddRole

Event Description: Add Google Android for Work application restriction settings to role. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwAppRestrictionsRole.DeleteRole

Event Description: Delete Google Android for Work application restriction settings from role. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwAppRestrictionsRole.ModifyRole

Event Description: Modify Google Android for Work application restriction settings on role. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwAppRestrictionsRole.RoleOrder

Event Description: Change role order of Google Android for Work application restriction settings. Only applies to Android devices.
Additional Properties: RoleId

Cloud.AfwEnterprise.Enroll

Event Description: Enrolling a Google Android for Work domain. Only applies to Android devices.
Additional Properties: DeviceID, DeviceName, RoleId

Cloud.AfwEnterprise.Unenroll

Event Description: Unenrolling a Google Android for Work domain. Only applies to Android devices.
Additional Properties: DeviceID, DeviceName, RoleId

Cloud.Core.EmmTenantMigrated

Event Description: Enabling KNOX Express license for tenant. Does not apply to MAC devices.
Additional Properties: DeviceID, DeviceName, RoleId

Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyAdded

Event Description: Added Samsung license to tenant. Does not apply to MAC devices.
Additional Properties: LicenseType, PartialLicenseKey

Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyDeleted

Event Description: Deleted Samsung license from tenant. Does not apply to MAC devices.
Additional Properties: LicenseType, PartialLicenseKey

Cloud.LicenseKey.KnoxLicenseKey.KnoxLicenseKeyChanged

Event Description: Changed Samsung license for tenant. Does not apply to MAC devices.
Additional Properties: NewLicenseType, PartialNewLicenseKey, OldLicenseType, PartialOldLicenseKey

Core Event Types and Properties


Core Event types are specific to the CyberArk Identity core system. The following table lists the event type values that can be set in the EventType column for Core Events. The items listed under Additional Properties are the additional columns available in the Event table for the specified event type.

Cloud.ADUserProfileUpdate

Event Description: AD User's profile has changed.
Additional Properties: UpdatedAttributes

Cloud.Core.Access.CheckRightsFailure.Directory

Event Description: User has no permission to access file system directory.
Additional Properties: NumRightsNeeded, Path

Cloud.Core.Access.CheckRightsFailure.File

Event Description: User has no permission to access file system file.
Additional Properties: NumRightsNeeded, Path

Cloud.Core.Access.CheckRightsFailure.Table

Event Description: User has no permission to access table.
Additional Properties: NumRightsNeeded, Table

Cloud.Core.Access.CheckRightsFailure.Table.Row

Event Description: User has no permission to access table row.
Additional Properties: NumRightsNeeded, Table, Row

Cloud.Core.Access.Rights.Change.

Event Description: Permission update.
Additional Properties: ObjectName, ObjectType, Principal, PrincipalType, PrincipalName, NumGrantAdd, NumGrantRemove, NumDenyAdd, NumDenyRemove

Cloud.Core.Access.Rights.Remove

Event Description: Permission removed.
Additional Properties: ObjectName, ObjectType, Principal, PrincipalType, PrincipalName

Cloud.Core.Access.Role.Create

Event Description: Role created.
Additional Properties: RoleId, Role

Cloud.Core.Access.Role.Delete

Event Description: Role deleted.
Additional Properties: RoleId, Role

Cloud.Core.Access.Role.Edit

Event Description: Role principal added or removed.
Additional Properties: RoleId, Role, PrincipalType, PrincipalUuid, PrincipalName, EditType

Cloud.Core.Access.Role.Update

Event Description: Role updated.
Additional Properties: RoleId, Role, PrincipalsJobId

Cloud.Core.AdaptiveMfa.RiskAnalysis

Event Description: Adaptive MFA risk analysis performed.
Additional Properties:

Cloud.Core.ADUserPasswordChange

Event Description: AD User's password has changed.
Additional Properties: Changer, ChangerUuid

Cloud.Core.ADUserPasswordChangeFailed

Event Description: AD User's password change failed.
Additional Properties: Changer, ChangerUuid, FromIPAddress, Result, Exception, EventParm

Cloud.Core.Alias.Add

Event Description: Tenant alias created.
Additional Properties: Alias, ReplaceDomain, Type

Cloud.Core.Alias.Change

Event Description: Tenant alias updated.
Additional Properties: Alias, ReplaceDomain, Type

Cloud.Core.Alias.Delete

Event Description: Tenant alias deleted.
Additional Properties: Alias, ReplaceDomain, Type

Cloud.Core.AuthProfile.AuthProfileChanged

Event Description: Authentication profile updated.
Additional Properties: Id, ProfileName

Cloud.Core.AuthProfile.AuthProfileCreated

Event Description: Authentication profile created.
Additional Properties: Id, ProfileName

Cloud.Core.AuthProfile.AuthProfileDeleted

Event Description: Authentication profile deleted.
Additional Properties: Id

Cloud.Core.Certificate.IssuedUserCertificate

Event Description: Created certificate for user.
Additional Properties: Thumbprint, TargetUserID, TargetUser

Cloud.Core.Certificate.RemovedUserCertificate

Event Description: Removed certificate for user.
Additional Properties: Thumbprint, TargetUserID, TargetUser

Cloud.Core.Collection.Create

Event Description: Collection created.
Additional Properties: ObjectName, UUID

Cloud.Core.Collection.Delete

Event Description: Collection deleted.
Additional Properties: ObjectName, UUID

Cloud.Core.Collection.ModifyCollectionMembers

Event Description: Collection members modified.
Additional Properties: ObjectName, UUID

Cloud.Core.Collection.Update

Event Description: Collection updated.
Additional Properties: ObjectName, UUID

Cloud.Core.Config.Delete

Event Description: Tenant config deleted.
Additional Properties: Key, Value

Cloud.Core.Config.Set

Event Description: Tenant config set.
Additional Properties: Key, Value

Cloud.Core.Config.Update

Event Description: Tenant config updated.
Additional Properties: Key, Value

Cloud.Core.Cus.CusEntity.CusCreateUser

Event Description: CUS user created.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.CusDeleteUser

Event Description: CUS user deleted.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.CusModifyUser

Event Description: CUS user updated.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.CusSetUserState

Event Description: CUS user state change.
Additional Properties: Changer, ChangerUuid, UserState, PreviousUserState

Cloud.Core.Cus.CusEntity.PasswordChange

Event Description: CUS user password change.
Additional Properties: Changer, ChangerUUID

Cloud.Core.Cus.CusEntity.PasswordChangeFailed

Event Description: CUS user password change failed.
Additional Properties: Changer, ChangerUuid, FailedMessage, Exception, EventParm

Cloud.Core.DS.AddDirectoryService

Event Description: Directory service added.
Additional Properties: DSType, DSName, DSUUID

Cloud.Core.DS.RemoveDirectoryService

Event Description: Directory service removed.
Additional Properties: DSType, DSName, DSUUID

Cloud.Core.DSEntityChange

Event Description: Directory service entity, change (users, groups,, etc.).
Additional Properties: NewEntity, Action, Classification, CloudHasSeenUser, CloudHasSeenEntity, DSUuid, DSType, DSName

Cloud.Core.DSEntityLog.DSEntityCreateLog

Event Description: Directory service entity created.
Additional Properties:

Cloud.Core.DSEntityLog.DSEntityDeleteLog

Event Description: Directory service entity deleted.
Additional Properties:

Cloud.Core.DSEntityLog.DSEntityModifyLog

Event Description: Directory service entity updated.
Additional Properties:

Cloud.Core.FinishImpersonate

Event Description: Impersonate user ends.
Additional Properties: ImpersonateTargetUuid, ImpersonateTargetName

Cloud.Core.ForgotUserName

Event Description: Forgot user name request.
Additional Properties: EmailAddress, MatchingUserCount, MatchingUsernames

Cloud.Core.Logout

Event Description: User logged out. Note: Not dependable as users may not logout.
Additional Properties:

Cloud.Core.MfaSummary

Event Description: MFA event occurred.
Additional Properties: AuthenticationAssuranceLevel, Session, ChallengeId, MfaInitiator, MfaResult, MfaReason, FailReason, ProfileId, ProfileName, MfaUnlock, ForgotPassword, EndpointKnown, EndpointOnPremise, Factors, FactorPassword, FactorEmail, FactorSms, FactorPhoneCall, FactorMobileAuthenticator, FactorOathAuthenticator, FactorSecurityQuestion, FactorRadius, FactorOther, DenyByUser

Cloud.Core.MfaUnlock

Event Description. MFA unlock event on the target user.
Additional Properties: TargetUser, TargetUserID

Cloud.Core.O365WsTrustLogin

Event Description: App login using the WS-Trust standard (for example, Office365).
Additional Properties:

Cloud.Core.Policy.AddSet

Event Description: Policy added.
Additional Properties: SetPath

Cloud.Core.Policy.DeleteSet

Event Description: Policy deleted.
Additional Properties: SetPath

Cloud.Core.Policy.ModifySet

Event Description: Policy modified.
Additional Properties: SetPath

Cloud.Core.Policy.PlinkChange

Event Description: Policy links changed.
Additional Properties: SetPath

Cloud.Core.Policy.PlinkOrder

Event Description: Policy links order changed.
Additional Properties: SetPath

Cloud.Core.Proxy.ProxyDeleted

Event Description: Connector removed.
Additional Properties: ProxyId, MachineName, Uuid, Forest

Cloud.Core.Proxy.ProxyRegistration

Event Description: Connector registered.
Additional Properties: ProxyId, MachineName, Customer, Forest

Cloud.Core.Radius.RemoveClient

Event Description: Removed radius client.
Additional Properties: ClientAddress

Cloud.Core.Radius.RemoveConfig

Event Description: Removed radius config for connector.
Additional Properties: ConnectorUUID

Cloud.Core.Radius.RemoveServer

Event Description: Removed radius server.
Additional Properties: HostAddress

Cloud.Core.Radius.SetClient

Event Description: Add/update radius client.
Additional Properties: ClientAddress

Cloud.Core.Radius.SetConfig

Event Description: Radius connector config set.
Additional Properties: ConnectorUuid

Cloud.Core.Radius.SetServer

Event Description: Add/update radius server.
Additional Properties: HostAddress

Cloud.Core.SamlResponseValidate

Event Description: SAML response for user validated.
Additional Properties: UserName, Issuer, ToDate, Uuid, IDP

Cloud.Core.StartImpersonate

Event Description: Impersonate user begins.
Additional Properties: ImpersonateTargetUuid, ImpersonateTargetName

Cloud.Core.StoreUserSetting

Event Description: User setting updated.
Additional Properties: Target, Type, TargetUser, TargetUserID

Cloud.Core.TenantCname.Add

Event Description: Tenant cname added.
Additional Properties: Cname

Cloud.Core.TenantCname.Delete

Event Description: Tenant cname removed.
Additional Properties: Cname

Cloud.Core.TenantStateChange

Event Description: Tenant state changed.
Additional Properties: OldState, NewState, AffectedTenant

Cloud.Core.UserSecurityQuestionSet

Event Description: User set security question.
Additional Properties: