Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| CyberArk Privileged Access Security Logs | ✅ | ✅ | | | cyberark_privileged_access_security | CEF | S3 |
| CyberArk Audit Logs | ✅ | ✅ | | | cyberark_audit_logs | JSON | S3 |
Overview
CyberArk is a cybersecurity company that specializes in privileged access management (PAM) solutions. Privileged access refers to the elevated permissions and credentials that grant users or applications extensive control over critical systems and sensitive data within an organization. CyberArk's solutions focus on securing and managing these privileged accounts to prevent unauthorized access, misuse, or abuse.
Supported data types
CyberArk Privileged Access Security Logs
Table name: cyberark_privileged_access_security
CyberArk Privileged Access Security Logs provide detailed information about privileged account activity and events within an organization's IT environment.
The supported products are:
Privileged Threat Analytics (PTA)
On-Demand Privileges Manager (OPM)
Expected format
Logs are expected in CEF format. The following sample is anonymized.
```
2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|
act=CPM Verify Password Failed
duser=ServiceAccount
fname=Root\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
src=192.0.2.15
cs1Label="Affected User Name" cs1=
cs2Label="Safe Name" cs2=Privileged Accounts Safe
cs3Label="Location" cs3=
cs4Label="Property Name" cs4=
cs5Label="Target User Name" cs5=
cn1Label="Request Id" cn1=
msg=Failure. Failure Description: ERROR_CODE Verifying Password Safe: Privileged Accounts Safe, Folder: Root, Object: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX failed (try #368).
Code: 2101,
Error: Error in verifypass to user SERVER01.1.example.local\adminuser on domain SERVER01.1.example.local(\\SERVER01.1.EXAMPLE.LOCAL).
Reason: No network provider accepted the given network path. (winRc\=1203). ,
address\=SERVER01.1.example.local;
retriescount\=368;
username\=adminuser;,
Failure: CPM Verify Password Failed
```
CyberArk Audit Logs
Table name: cyberark_audit_logs
CyberArk audit logs record events generated by the Conjur Enterprise audit service, including details about audit log structure and event activity. These logs help administrators monitor security-relevant actions, investigate access or secrets-management activity, and support compliance/audit requirements.
Expected format
Logs are expected in JSON format. The following sample is anonymized.
```
{"host":"EXAMPLE.local","source":"10.10.10.10","uuid":"00000000-0000-0000-0000-000000000001","tenantId":"00000000-0000-0000-0000-000000000002","timestamp":1577836800000,"username":"SYSTEM$","applicationCode":"IDP","auditCode":"IDP1001","auditType":"Info","action":"update-user","userId":"NoUser@unknown_user.com","actionType":"Edit","component":"Identity","serviceName":"Identity","message":"update-user","customData":{"authentication_method":"None","when_occurred":"1/1/2020 12:00:00 AM","tenant_id":"EXAMPLE1234","thread_type":"Rpc","mobile_device":"False","level":"Error","directory_service_uuid":"00000000-0000-0000-0000-000000000003","entity_name":"user1@example.com","entity_uuid":"00000000-0000-0000-0000-000000000004","action":"Update","directory_service_type":"AdProxy","directory_service_name":"AdProxy_example.local","status":"NonExist","old_entity":"null","new_entity":"{\"codepage\":\"0\",\"logoncount\":\"0\",\"name\":\" user1\",\"mail\":\"user1@example.com\",\"EntityUuid\":\"00000000-0000-0000-0000-000000000004\",\"distinguishedname\":\"CN= user1,OU=Mailbox Enabled,OU=Accounts User,OU=_Disabled,DC=example,DC=local\",\"whenchanged\":\"1/1/2020 12:00:00 AM\",\"userprincipalname\":\"user1@example.com\",\"samaccountname\":\"1user\",\"displayname\":\" user1\",\"ObjectType\":\"User\",\"EntityName\":\"user1@example.com\"}","classification":"User","password_change":"False","has_cloud_seen_user":"False","has_cloud_seen_entity":"False"},"cloudProvider":"aws","identityType":"HUMAN"}
```
Send data to Hunters
Hunters supports the ingestion of CyberArk logs via an intermediary AWS S3 bucket.
To connect CyberArk logs:
Export your logs from CyberArk to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
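As an added example (not Hunters' or CyberArk's own code), a small parser for the PAS CEF records shown above, handy for sanity-checking an exported file before it is collected from S3; it also shows why the `retriescount` value has to be dug out of the `msg` field, where CyberArk writes it with an escaped `\=`. The input is the page's sample record joined onto one line and abridged, and the retry threshold in `is_repeated_cpm_failure` is an assumption.

```python
import re
from typing import Dict

# Constructed input: the CEF record shown on this page, joined onto one line
# (CEF extensions are space-separated) and with the long msg field abridged.
SAMPLE = (
    "2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|"
    "Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed "
    "duser=ServiceAccount fname=Root\\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX "
    "src=192.0.2.15 cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" "
    "cs2=Privileged Accounts Safe cs3Label=\"Location\" cs3= cn1Label=\"Request Id\" cn1= "
    "msg=Failure. Failure Description: ERROR_CODE Verifying Password Safe: Privileged "
    "Accounts Safe, Folder: Root failed (try #368). Code: 2101, Error: Error in verifypass "
    "to user SERVER01.1.example.local\\adminuser. Reason: No network provider accepted "
    "the given network path. (winRc\\=1203). , address\\=SERVER01.1.example.local; "
    "retriescount\\=368; username\\=adminuser;,"
)

HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]

def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF record into its 7 header fields plus the extension key/value pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # Header fields are pipe-delimited; a literal pipe inside a field is written "\|".
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    rec = dict(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    ext = parts[7]
    # An extension key is a bare word followed by an unescaped "=", at the start of the
    # extension or after a space; "\=" inside a value (as in CyberArk's msg) is data.
    keys = list(re.finditer(r"(?:^|(?<= ))([A-Za-z0-9_]+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        rec[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return rec

def retries_from_msg(rec: Dict[str, str]) -> int:
    """CyberArk embeds 'retriescount\\=N' inside msg rather than as its own key."""
    m = re.search(r"retriescount=(\d+)", rec.get("msg", ""))
    return int(m.group(1)) if m else 0

def is_repeated_cpm_failure(rec: Dict[str, str], threshold: int = 5) -> bool:
    """Hypothetical triage rule: a CPM verify failure that has already been retried many times."""
    return (rec.get("act", "").startswith("CPM Verify Password Failed")
            and retries_from_msg(rec) >= threshold)
```

A record whose header splits into other than eight parts is rejected rather than partially parsed, so a truncated line in the export shows up as an error instead of a silently empty event.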