
CyberArk

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types                     | 3rd party detection | Hunters detection | IOC search | Search | Table name                          | Log format | Collection method
-----------------------------------------|---------------------|-------------------|------------|--------|-------------------------------------|------------|------------------
CyberArk Privileged Access Security Logs | ✅                  | ✅                |            |        | cyberark_privileged_access_security | CEF        | S3


Overview

CyberArk is a cybersecurity company that specializes in privileged access management (PAM). Privileged access refers to the elevated permissions and credentials that give users or applications extensive control over critical systems and sensitive data within an organization. CyberArk's products secure and manage these privileged accounts to prevent unauthorized access, misuse, or abuse.

Supported data types

CyberArk Privileged Access Security Logs

Table name: cyberark_privileged_access_security

CyberArk Privileged Access Security Logs provide detailed information about privileged account activity and events within an organization's IT environment.
The supported products are:

  • Privileged Threat Analytics (PTA)

  • On-Demand Privileges Manager (OPM)

Send data to Hunters

Hunters supports the ingestion of CyberArk logs via an intermediary AWS S3 bucket.

To connect CyberArk logs:

  1. Export your logs from CyberArk to an AWS S3 bucket.

  2. Once the export is complete and logs are arriving in the S3 bucket, follow the steps in this section to connect the bucket to Hunters.

Expected format

Logs are expected in CEF format. The following anonymized example is a CPM password-verification failure emitted by the Vault; note that the free-text msg field carries its own name=value; pairs with the '=' escaped as '\=':

2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|
act=CPM Verify Password Failed 
duser=ServiceAccount 
fname=Root\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX 
src=192.0.2.15 
cs1Label="Affected User Name" cs1= 
cs2Label="Safe Name" cs2=Privileged Accounts Safe 
cs3Label="Location" cs3= 
cs4Label="Property Name" cs4= 
cs5Label="Target User Name" cs5= 
cn1Label="Request Id" cn1= 
msg=Failure. Failure Description: ERROR_CODE Verifying Password Safe: Privileged Accounts Safe, Folder: Root, Object: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX failed (try #368). 
Code: 2101, 
Error: Error in verifypass to user SERVER01.1.example.local\adminuser on domain SERVER01.1.example.local(\\SERVER01.1.EXAMPLE.LOCAL). 
Reason: No network provider accepted the given network path. (winRc\=1203). , 
address\=SERVER01.1.example.local;
retriescount\=368;
username\=adminuser;, 
Failure: CPM Verify Password Failed
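To show how the event above decomposes into fields, here is a small parser and check written for this page (an added example; it is not Hunters' or CyberArk's code). It splits the CEF header on unescaped pipes, walks the extension as key=value pairs while treating an escaped '\=' inside a value as data rather than the start of a new key, resolves the ArcSight-style csNLabel/csN pairs into named fields, and then applies one sample check: a CPM "Verify Password Failed" event whose retriescount has passed a threshold. SAMPLE_EVENT is the page's anonymized event re-typed as constructed input; the threshold of 10 retries, the layout of the returned finding, and the tolerance for double-quoted label values (which strict CEF does not use, but the sample shows) are assumptions made for the example.

```python
"""Parse the CyberArk Vault CEF events this page shows and flag a managed
account whose CPM password verification keeps failing.
Added example, not Hunters' or CyberArk's code; SAMPLE_EVENT is the page's
anonymized event re-typed as constructed input, and the retry threshold and
finding layout are illustrative assumptions."""
import re
from typing import Optional

# Header: "CEF:<version>|" then six fields; '|' and '\' inside a field are
# backslash-escaped, so a field is any run of escaped chars or non-pipe chars.
_HEADER_RE = re.compile(r"CEF:(\d+)\|" + r"((?:\\.|[^|\\])*)\|" * 6, re.DOTALL)
_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")
# Extension key: preceded by start or whitespace, followed by an unescaped '='.
# A key cannot contain a backslash, so "winRc\=1203" inside msg is not a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_ESCAPE_RE = re.compile(r"\\(.)", re.DOTALL)
# The CPM appends "name=value;" pairs to the free-text msg field.
_MSG_FIELD_RES = {n: re.compile(rf"{n}=([^;]+);")
                  for n in ("address", "retriescount", "username")}


def _unescape(value: str) -> str:
    """Undo extension escaping of '=', backslash, newline and CR; any other
    backslash is kept verbatim, so a path like Root\\S-1-5-21-... survives."""
    table = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    return _ESCAPE_RE.sub(lambda m: table.get(m.group(1), m.group(0)), value)


def parse_cef(line: str) -> dict:
    """Parse one CEF event, with an optional 'timestamp host' syslog prefix."""
    idx = line.find("CEF:")
    m = _HEADER_RE.match(line, idx) if idx >= 0 else None
    if m is None:
        raise ValueError("not a CEF event: header missing or incomplete")
    event = {k: re.sub(r"\\(.)", r"\1", v)          # header unescape: \| -> |
             for k, v in zip(_HEADER_FIELDS, m.groups())}
    prefix = line[:idx].split()
    if len(prefix) >= 2:
        event["receipt_time"], event["device_host"] = prefix[0], prefix[1]
    extension = line[m.end():]
    ext = {}
    keys = list(_KEY_RE.finditer(extension))
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        raw = extension[k.end():end].strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # sample quotes csNLabel
            raw = raw[1:-1]
        ext[k.group(1)] = _unescape(raw)
    # Resolve custom fields: cs2Label=Safe Name + cs2=X  ->  ext["Safe Name"] = X
    for key, label in list(ext.items()):
        if key.endswith("Label") and key[:-5] in ext:
            ext[label] = ext[key[:-5]]
    event["extension"] = ext
    return event


def cpm_verify_failure_alert(event: dict, max_retries: int = 10) -> Optional[dict]:
    """Finding when the CPM has failed to verify a managed password at least
    max_retries times (threshold is an assumption); otherwise None."""
    ext = event["extension"]
    if ext.get("act") != "CPM Verify Password Failed":
        return None
    msg = ext.get("msg", "")
    found = {n: (m.group(1) if (m := rx.search(msg)) else None)
             for n, rx in _MSG_FIELD_RES.items()}
    retries = int(found["retriescount"] or 0)
    if retries < max_retries:
        return None
    return {"vault_host": event.get("device_host"), "safe": ext.get("Safe Name"),
            "object": ext.get("fname"), "target_user": found["username"],
            "address": found["address"], "retries": retries}


# Constructed test input: the anonymized event shown on this page.
SAMPLE_EVENT = r"""2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|
act=CPM Verify Password Failed
duser=ServiceAccount
fname=Root\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
src=192.0.2.15
cs1Label="Affected User Name" cs1=
cs2Label="Safe Name" cs2=Privileged Accounts Safe
cs3Label="Location" cs3=
cs4Label="Property Name" cs4=
cs5Label="Target User Name" cs5=
cn1Label="Request Id" cn1=
msg=Failure. Failure Description: ERROR_CODE Verifying Password Safe: Privileged Accounts Safe, Folder: Root, Object: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX failed (try #368).
Code: 2101,
Error: Error in verifypass to user SERVER01.1.example.local\adminuser on domain SERVER01.1.example.local(\\SERVER01.1.EXAMPLE.LOCAL).
Reason: No network provider accepted the given network path. (winRc\=1203). ,
address\=SERVER01.1.example.local;
retriescount\=368;
username\=adminuser;,
Failure: CPM Verify Password Failed"""

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_EVENT)
    print(parsed["vendor"], parsed["product"], parsed["name"], "sev", parsed["severity"])
    print(cpm_verify_failure_alert(parsed))
```

Run against the sample, the check reports the Vault host, safe, object, target user, address and a retry count of 368. A verify failure that repeats hundreds of times for the same object typically means the managed credential is out of sync with the target or the target is unreachable; either way the CPM can no longer rotate that privileged password, which is worth raising before it goes stale.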