cyberark/pam Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 3 minutes

cyberark/pam Dashboards

CyberArk Core PAS

CyberArk Core PAS

Widget	Description	Type
New Safe Details	Displays a list of new safes and their details, including user, account information, and safe name. Hide Query Show Query logscale `// New Safes #type=cyberark* \|"cef.event_class_id"=185 \|rename(cef.ext.suser, as=user) \|format("A-%s", field=user, as=account) \|rename("cef.label.\"Safe Name\"", as="safeName") \|replace("(\")", with="", field=safeName, as=safeName)`	`Event List`
Incident Details	Displays a table of incident details (name, severity, host, user, PTA link). Hide Query Show Query logscale `\| cef.device.product = PTA \| table([@timestamp, cef.name, cef.severity, cef.ext.shost, cef.ext.suser, cef.label.PTALink])`	`Table`
Incidents	Displays a list of Privileged Threat Analytics (PTA) incidents by external users. Hide Query Show Query logscale `\| cef.device.product = PTA \| count() //\| sankey(source=cef.ext.suser, target=cef.ext.duser)`	`Single Value`
Disabled Safes	Displays the names of disabled safes. Hide Query Show Query logscale `#type=cyberark* \| !in(cef.ext.suser, values=["Backup", "Batch", "DR"]) \| "cef.label.\"Safe Name\""="\"DEL_*" \|count()`	`Single Value`
Failed Login Details	Displays a table of users who had greater than 3 failed login attempts. Hide Query Show Query logscale `// Failed Login Attempts >= 3 #type=cyberark* \| "cef.event_class_id"=4 \| top(cef.ext.suser) \| upper(cef.ext.suser, as=user) \| drop(cef.ext.suser) \| format("A-%s", field=user, as=user) \| rename(field="_count", as="failed logins")`	`Table`
Incident Type	Displays a chart of incident types using privileged threat analytics. Hide Query Show Query logscale `\| cef.device.product = PTA \| timechart(cef.name)`	`Time Chart`
New Safes	Displays the number of new safes by class ID. Hide Query Show Query logscale `// New Safes #type=cyberark* \| "cef.event_class_id"=185 \| count()`	`Single Value`
Disabled Safes Details	Displays a list of disabled safes and their details such as safe name, user, etc. Hide Query Show Query logscale `#type=cyberark* \| !in(cef.ext.suser, values=["Backup", "Batch", "DR"]) \| "cef.label.\"Safe Name\""="\"DEL_*" \|rename("cef.label.\"Safe Name\"", as="safeName") \|replace("(\")", with="", field=safeName, as=safeName) \|upper(cef.ext.suser, as=user) \|drop(cef.ext.suser) \|format("A-%s", field=user, as=user) \|rename(field="safeName", as="safe name")`	`Event List`
PTA Threat Direction	Displays a flowchart of PTA threat direction. Hide Query Show Query logscale `\| cef.device.product = PTA \| sankey(source=cef.ext.suser, target=cef.ext.duser)`	`Sankey`
Incident Severity Timeline	Displays an incident severity timeline chart using CyberArk PTA data. Hide Query Show Query logscale `\| cef.device.product = PTA \| timechart(cef.severity)`	`Time Chart`
User Retrieved Password	Displays CyberArk user-retrieved passwords. Hide Query Show Query logscale `#type=cyberark* \| "cef.event_class_id"=295 \| //in(cef.ext.suser, values=["$lanid$"]) cef.ext.suser !="" \| lower(cef.ext.suser, as=cef.ext.suser) \| !in(cef.ext.suser, values=["admin", "auditor", "backup", "batch", "cyberark", "dr", "master", "notificationengine", "passwordmanager", "psm", "pvwa", "vault"]) \| groupBy(cef.ext.suser, function=count(field=cef.ext.suser, as=_count, distinct=true))\| sum(_count)`	`Single Value`
Vault Activity Timeline	Displays a chart of vault activity in timeline format by safe name. Hide Query Show Query logscale `cef.device.product = * \| timechart("cef.label.\"Safe Name\"")`	`Time Chart`
Failed login attempts >= 3	Displays a list of user's with more than 3 failed login attempts. Hide Query Show Query logscale `// Failed Login Attempts >= 3 #type=cyberark* \| "cef.event_class_id"=4 \| groupBy(cef.ext.suser) \| _count >= 3 \| count()`	`Single Value`
Incident Type	Displays a pie chart of incidents by type. Hide Query Show Query logscale `\| cef.device.product = * \| top(cef.name)`	`Pie Chart`
Total number of retrieved passwords	Displays the total number of retrieved passwords and associated data. Hide Query Show Query logscale `#type=cyberark* \| "cef.event_class_id"=295 \| cef.ext.suser !="" \| lower(cef.ext.suser, as=cef.ext.suser) \| !in(cef.ext.suser, values=["admin", "auditor", "backup", "batch", "cyberark", "dr", "master", "notificationengine", "passwordmanager", "psm", "pvwa", "vault"]) \| count(field=cef.ext.suser)`	`Single Value`
User Retrieved Safes	Displays a list of user retrieved safes by user, time of access, IP address, safe name, and times retrieved by user. Hide Query Show Query logscale #type=cyberark* \|"cef.event_class_id"=295 \|cef.ext.suser !="" \|cef.ext.dvc !="" \|lower(cef.ext.suser, as=cef.ext.suser) \|formattime(format="%Y/%m/%d %H:%M:%S",field="@timestamp", as="time") \|rename(field=cef.ext.suser, as="user") \|SafeName := rename("cef.label.\"Safe Name\"") \|IP := rename(cef.ext.dvc) \|groupBy(field=[time,user, IP, SafeName], function=count(field="user", as="times retrieved per user", distinct=false)) \|sort(field="times retrieved per user") \|replace("(\")", with="", field=SafeName, as=SafeName)	`Table`

Enter search term