Get security events

This method returns all PTA Security Events.

URL

Make sure there are no spaces in the URL.

The following characters are not supported in URL values: + & %
If the URL includes a dot (.), add a forward slash (/) at the end of the URL. For example: api/Safes/MySafe/Members/user@cyber.com/

https://<IIS_Server_Ip>/PasswordVault/API/pta/API/Events/

The following (optional) parameters can be used in the query string in the URL:

Parameter	Description
fromUpdateDate	The starting date to get the security events from (calculated by the number of seconds since 1970) Type: Number
status	The status of the security event (open or closed). If you do not use this parameter, the method will return both open and closed security events. Valid values: open or closed Type: Enum
accountID	The unique account identifier of the account that is referred to in the Security Event. The account identifier is the CyberArk PAM - Self-Hosted ID, written in the convention `safeID_accountID`. For example, `3_279`. Type: String

Parameter

Description

fromUpdateDate

The starting date to get the security events from (calculated by the number of seconds since 1970)

Type: Number

status

The status of the security event (open or closed).

If you do not use this parameter, the method will return both open and closed security events.

Valid values: open or closed

Type: Enum

accountID

The unique account identifier of the account that is referred to in the Security Event. The account identifier is the CyberArk PAM - Self-Hosted ID, written in the convention safeID_accountID. For example, 3_279.

Type: String

Resource information

HTTP method	GET
Content type	application/json

Header parameter

Parameter	Authorization
Type	String
Description	The JWT token that identifies the session.
Valid values	A session token that was returned from the “Logon” method.

Body parameters

None

Result

This is an example of the result for an array of events.

[
    {
        "id": "444445e56bbb0b0a063f4444",
        "type": "PSMSuspiciousActivity",
        "score": 70,
        "createTime": 1586134861000,
        "lastUpdateTime": 1586134861000,
        "audits": [
            {
                "id": "5e3045e56bbb0b0a063fbbbb",
                "type": "PSM_SSH_COMMAND",
                "sensorType": "VAULT",
                "action": "PSM Command",
                "psmCommand": "bla",
                "createTime": 1586134861000,
                "vaultUser": "vuser",
                "account": {
                    "accountAsStr": "hi2@example.cyber-ark.co.il",
                    "type": "LOCAL_UNIX",
                    "account": {
                        "mTarget": {
                            "mOriginalAddress": "10.1.8.182",
                            "mResolvedAddress": {
                                "mOriginalAddress": "10.1.8.182",
                                "mAddress": "10.1.8.182",
                                "mHostName": "cyber",
                                "mFqdn": "example.cyber-ark.co.il"
                            }
                        },
                        "mUser": "hi2"
                    }
                },
                "source": {
                    "mOriginalAddress": "1.1.1.1"
                },
                "target": {
                    "mOriginalAddress": "10.1.8.182",
                    "mResolvedAddress": {
                        "mOriginalAddress": "10.1.8.182",
                        "mAddress": "10.1.8.182",
                        "mHostName": "cyber",
                        "mFqdn": "example.cyber-ark.co.il"
                    }
                },
                "cloudData": {}
            }
        ],
        "additionalData": {
            "matchPatterns": "kill(.*)"
        },
        "mStatus": "OPEN"
    },
	{
        "id": "555545e56aaa0b0a063ff555",
        "type": "PSMSuspiciousActivity",
        "score": 70,
        "createTime": 1586134862000,
        "lastUpdateTime": 1586134862000,
        "audits": [
            {
                "id": "5e3045e56bbb0b0a063faaaa",
                "type": "PSM_SSH_COMMAND",
                "sensorType": "VAULT",
                "action": "PSM Command",
                "psmCommand": "bla",
                "createTime": 1586134861000,
                "vaultUser": "vuser",
                "account": {
                    "accountAsStr": "hi2@example.cyber-ark.co.il",
                    "type": "LOCAL_UNIX",
                    "account": {
                        "mTarget": {
                            "mOriginalAddress": "10.1.8.182",
                            "mResolvedAddress": {
                                "mOriginalAddress": "10.1.8.182",
                                "mAddress": "10.1.8.182",
                                "mHostName": "cyber",
                                "mFqdn": "example.cyber-ark.co.il"
                            }
                        },
                        "mUser": "hi2"
                    }
                },
                "source": {
                    "mOriginalAddress": "1.1.1.1"
                },
                "target": {
                    "mOriginalAddress": "10.1.8.182",
                    "mResolvedAddress": {
                        "mOriginalAddress": "10.1.8.182",
                        "mAddress": "10.1.8.182",
                        "mHostName": "cyber",
                        "mFqdn": "example.cyber-ark.co.il"
                    }
                },
                "cloudData": {}
                "accountId": "id_1"
            }
        ],
        "additionalData": {
            "matchPatterns": "kill(.*)"
        },
        "mStatus": "CLOSED"
    }
]

Parameter	id
Type	String
Description	Event ID
Parameter	type
Type	String
Description	Event type
Parameter	score
Type	Integer
Description	Event score
Parameter	createTime
Type	Double
Description	The creation date of the event (represented in milliseconds)
Parameter	lastUpdateTime
Type	Double
Description	The last time the event was updated (represented in milliseconds)
Parameter	audits
Type	Array
Description	Array of audits for the event
audits
Parameter	id
Type	String
Description	Audit ID
Parameter	type
Type	String
Description	Audit type
Parameter	sensorType
Type	String
Description	The type of the sensor that sent the audit
Parameter	action
Type	String
Description	The action of the audit. For example, Vault retrieve password, Vault logon, PSM suspicious activity, and so on
Parameter	psmCommand
Type	String
Description	The suspicious activity
Parameter	createTime
Type	Double
Description	The creation date of the audit
Parameter	vaultUser
Type	String
Description	The Vault user who triggered the session
Parameter	account
Type
Description	The account used in the session
account
Parameter	accountAsStr
Type	String
Description	String representation of the account used in the session
Parameter	type
Description	String
Description	Account type
Parameter	account
Type
Description	Detailed account information
Parameter	mtarget
Type	String
Description	Detailed target account information
mtarget
Parameter	mOriginalAddress
Type	String
Description	The original address of the target machine
Parameter	mResolvedAddress
Type
Description	The resolved address obof the target machineject
mResolvedAddress
Parameter	mAddress
Type	String
Description	The address of the target machine
Parameter	mHostName
Type	String
Description	The host name of the target machine
Parameter	mFqdn
Type	String
Description	The Fqdn of the target machine
account
Parameter	source
Type	String
Description	The source of the audit
source
Parameter	mOriginalAddress
Type	String
Description	The original address that was sent as a source
Parameter	mResolvedAddress
Type
Description	The resolved address object
mResolvedAddress
Parameter	mAddress
Type	String
Description	The original address
Parameter	mHostName
Type	String
Description	The host name representation of the source address
Parameter	mFqdn
Type	String
Description	The Fqdn representation of the source address
account
Parameter	target
Type	String
Description	The target address of the audit
target
Parameter	mOriginalAddress
Type	String
Description	The original target address of the audit
Parameter	mResolvedAddress
Type
Description	The resolved target address as an object
mResolvedAddress
Parameter	mAddress
Type	String
Description	The original target address
Parameter	mHostName
Type	String
Description	The host name of the target address
Parameter	mFqdn
Type	String
Description	The Fqdn representation of the target address
additionalData
Parameter	mitigationAction
Type	String
Description	The mitigation action of the session, either terminate or suspend
Parameter	sessionIsLive
Type	String
Description	True or false indicator of whether the session is live
Parameter	matchPatterns
Type	String
Description	The matching patterns of the suspicious activity audit
Parameter	sessionIDs
Type	Array of strings
Description	The session ID
Parameter	accountID
Type	String
Description	The unique identifier of a managed account
Parameter	mStatus
Type	String
Description	The status of the security event (open or closed)