# Collect data from CyberArk

## Overview

Get a list of CyberArk events through [CyberArk's REST API](https://docs.cyberark.com/pam-self-hosted/latest/en/content/webservices/implementing%20privileged%20account%20security%20web%20services%20.htm) using the **HTTP Pull** Listener.

## HTTP Pull Listener configuration

In Falcon Onum, go to the **Listeners** area and click **New Listener > HTTP Pull**. Give a name to your new Listener and enter the following data:

### Parameters

N/A

### Secrets

You must define these credentials in Onum:

* `auth_token` will reference your CyberArk authentication token.
* `api_key` will reference your CyberArk API Key.

To do it, click **Add element** and enter a **Name** for the secret (in this case, `auth_token`). Then, click the **Value** field and select **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.

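You can now select the secret you just created in the **Value** field list. Repeat the process for the `api_key`. Each secret name must match its `${secrets.<name>}` reference in the Listener configuration; the configuration given in the Setup section references the API key as `${secrets.apikey}`.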

{% hint style="info" %}
Learn more about secrets in Onum in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}

### Setup

After entering the required parameters and secrets, you can either enter the rest of the configuration fields manually or paste the given YAML:

{% tabs %}
{% tab title="Config as YAML" %}
Toggle this **ON** to enable a free text field where you can paste your **CyberArk** YAML.

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 1m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://abd4962.id.cyberark.cloud/OAuth2/Token/OnumCrowdStrike
      headers:
        - name: Accept
          value: application/json
        - name: Authorization
          value: Basic ${secrets.auth_token}
        - name: Content-Type
          value: application/x-www-form-urlencoded
      queryParams: []
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: scope
          value: isp.audit.events:read
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: POST
    url: https://cmpc.audit.cyberark.cloud/api/audits/stream/createQuery
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: x-api-key
        value: ${secrets.apikey}
    bodyType: raw
    bodyRaw: |
      {
        "query": {
          "pageSize": 500,
          "selectedFields": [
            "tenant_id",
            "custom_data",
            "arrival_timestamp",
            "checksum",
            "application_code",
            "audit_code",
            "timestamp",
            "user_id",
            "session_id",
            "source",
            "action_type",
            "audit_type",
            "component",
            "target",
            "command",
            "message",
            "username",
            "action",
            "uuid",
            "service_name",
            "cloud_roles",
            "cloud_workspaces",
            "cloud_workspaces_and_roles",
            "cloud_assets",
            "cloud_identities",
            "vaulted_accounts",
            "cloud_provider",
            "account_name",
            "target_platform",
            "safe",
            "target_account",
            "identity_type",
            "access_method",
            "account_id",
            "correlation_id"
          ],
          "filterModel": {
            "date": {
              "dateFrom": "${temporalWindow.from}",
              "dateTo": "${temporalWindow.to}"
            }
          }
        }
      }
  output:
    select: "."
    map: "."
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: cursorRef
      expression: ".cursorRef"
      format: ''
  paginationType: cursor
  cursorSelector: ".paging.cursor.cursorRef"
  initialRequest:
    method: POST
    url: https://cmpc.audit.cyberark.cloud/api/audits/stream/results
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: x-api-key
        value: ${secrets.apikey}
    bodyType: raw
    bodyRaw: |
      {
        "cursorRef": "${inputs.cursorRef}"
      }
  nextRequest:
    method: POST
    url: https://cmpc.audit.cyberark.cloud/api/audits/stream/results
    headers:
      - name: Accept
        value: application/json
      - name: Accept-Encoding
        value: gzip, deflate
      - name: Content-Type
        value: application/json
      - name: x-api-key
        value: ${secrets.apikey}
    bodyType: raw
    bodyRaw: |
      {
        "cursorRef": "${pagination.cursor}"
      }
  output:
    select: ".data"
    filter: "."
    map: "."
    outputMode: element
```

{% endtab %}

{% tab title="Manually configure" %}
**Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

* **Duration** - `1m`
* **Offset** - `1m`
* **Format** - `RFC3339`

**Authentication**

Toggle **ON** and configure these parameters:

* **Type**<mark style="color:$primary;">**\***</mark> - `Token`
* **Token Retrieve Based Authentication**
  * **Request**
    * **Method**<mark style="color:$primary;">**\***</mark> - `POST`
    * **URL**<mark style="color:$primary;">**\***</mark> - `https://abd4962.id.cyberark.cloud/OAuth2/Token/OnumCrowdStrike`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Authorization`
    * **Value** - `Basic ${secrets.auth_token}`
    * **Name** - `Content-Type`
    * **Value** - `application/x-www-form-urlencoded`
  * **Body Type**<mark style="color:$primary;">**\***</mark> - `URLEncoded`
  * **Body Params**
    * **Name** - `grant_type`
    * **Value** - `client_credentials`
    * **Name** - `scope`
    * **Value** - `isp.audit.events:read`
  * **Token path**<mark style="color:$primary;">**\***</mark> - `.access_token`
  * **Auth Injection**
    * **In**<mark style="color:$primary;">**\***</mark> - `Header`
    * **Name**<mark style="color:$primary;">**\***</mark> - `Authorization`
    * **Prefix** - `'Bearer '`
    * **Suffix** - `''`

**Enumeration Phase**

Toggle **ON** and configure these parameters:

* **Pagination Type**<mark style="color:$primary;">**\***</mark> - `None`
* **Request**
  * **Response Type**<mark style="color:$primary;">**\***</mark> - `JSON`
  * **Method**<mark style="color:$primary;">**\***</mark> - `POST`
  * **URL**<mark style="color:$primary;">**\***</mark> - `https://cmpc.audit.cyberark.cloud/api/audits/stream/createQuery`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Accept-Encoding`
    * **Value** - `gzip, deflate`
    * **Name** - `Content-Type`
    * **Value** - `application/json`
    * **Name** - `x-api-key`
    * **Value** - `${secrets.apikey}`
  * **Body Type**<mark style="color:$primary;">**\***</mark> - `Raw`
  * **Body Content** -

```
{
  "query": {
    "pageSize": 500,
    "selectedFields": [
      "tenant_id",
      "custom_data",
      "arrival_timestamp",
      "checksum",
      "application_code",
      "audit_code",
      "timestamp",
      "user_id",
      "session_id",
      "source",
      "action_type",
      "audit_type",
      "component",
      "target",
      "command",
      "message",
      "username",
      "action",
      "uuid",
      "service_name",
      "cloud_roles",
      "cloud_workspaces",
      "cloud_workspaces_and_roles",
      "cloud_assets",
      "cloud_identities",
      "vaulted_accounts",
      "cloud_provider",
      "account_name",
      "target_platform",
      "safe",
      "target_account",
      "identity_type",
      "access_method",
      "account_id",
      "correlation_id"
    ],
    "filterModel": {
      "date": {
        "dateFrom": "${temporalWindow.from}",
        "dateTo": "${temporalWindow.to}"
      }
    }
  }
}
```

* **Output**
  * **Select**<mark style="color:$primary;">**\***</mark> - `.`
  * **Map** - `.`
  * **Output Mode**<mark style="color:$primary;">**\***</mark> - `element`

**Collection Phase**

* **Name** - `cursorRef`
* **Expression** - `.cursorRef`
* **Format** - `''`
* **Pagination Type**<mark style="color:$primary;">**\***</mark> - `Cursor`
* **Cursor Selector**<mark style="color:$primary;">**\***</mark> - `.paging.cursor.cursorRef`
* **Initial Request**
  * **Response Type**<mark style="color:$primary;">**\***</mark> - `JSON`
  * **Method**<mark style="color:$primary;">**\***</mark> - `POST`
  * **URL**<mark style="color:$primary;">**\***</mark> - `https://cmpc.audit.cyberark.cloud/api/audits/stream/results`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Accept-Encoding`
    * **Value** - `gzip, deflate`
    * **Name** - `Content-Type`
    * **Value** - `application/json`
    * **Name** - `x-api-key`
    * **Value** - `${secrets.apikey}`
  * **Body Type**<mark style="color:$primary;">**\***</mark> - `Raw`
  * **Body Content**<mark style="color:$primary;">**\***</mark> -

```
{
  "cursorRef": "${inputs.cursorRef}"
}
```

* **Next Request**
  * **Response Type**<mark style="color:$primary;">**\***</mark> - `JSON`
  * **Method**<mark style="color:$primary;">**\***</mark> - `POST`
  * **URL**<mark style="color:$primary;">**\***</mark> - `https://cmpc.audit.cyberark.cloud/api/audits/stream/results`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Accept-Encoding`
    * **Value** - `gzip, deflate`
    * **Name** - `Content-Type`
    * **Value** - `application/json`
    * **Name** - `x-api-key`
    * **Value** - `${secrets.apikey}`
  * **Body Type**<mark style="color:$primary;">**\***</mark> - `Raw`
  * **Body Content**<mark style="color:$primary;">**\***</mark> -

```
{
  "cursorRef": "${pagination.cursor}"
}
```

* **Output**
  * **Select**<mark style="color:$primary;">**\***</mark> - `.data`
  * **Filter** - `.`
  * **Map** - `.`
  * **Output Mode**<mark style="color:$primary;">**\***</mark> - `element`

{% endtab %}
{% endtabs %}

When you're done, click **Create labels** to move on to the next step and define the required [Labels](/the-workspace/listeners/labels.md) if needed.
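
The three phases configured above (token request, `createQuery`, cursor-paged `results`), as an added Python example that is not Onum's or CyberArk's code. The `post` transport hook, `fake_post` and its canned responses are constructed for illustration, and stopping on an empty `.data` page or a missing or repeated cursor is an assumption rather than behaviour documented on this page.

```python
from typing import Callable, Iterator

ID_URL = "https://abd4962.id.cyberark.cloud/OAuth2/Token/OnumCrowdStrike"
AUDIT = "https://cmpc.audit.cyberark.cloud/api/audits/stream"
Post = Callable[[str, dict, dict], dict]  # hypothetical hook: (url, headers, body) -> parsed JSON

def collect(post: Post, basic: str, api_key: str, date_from: str, date_to: str,
            fields: list, max_pages: int = 1000) -> Iterator[dict]:
    """Yield the audit events of one temporal window, following the configured phases."""
    # Authentication: client_credentials grant, token read from .access_token
    tok = post(ID_URL, {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
               {"grant_type": "client_credentials", "scope": "isp.audit.events:read"})
    hdrs = {"Authorization": "Bearer " + tok["access_token"],
            "x-api-key": api_key, "Content-Type": "application/json"}
    # Enumeration: createQuery returns the first cursor at .cursorRef
    query = {"query": {"pageSize": 500, "selectedFields": fields,
                       "filterModel": {"date": {"dateFrom": date_from, "dateTo": date_to}}}}
    cursor = post(AUDIT + "/createQuery", hdrs, query)["cursorRef"]
    # Collection: events at .data, next cursor at .paging.cursor.cursorRef
    seen = set()
    for _ in range(max_pages):
        if not cursor or cursor in seen:  # assumed stop: no cursor, or a cursor loop
            return
        seen.add(cursor)
        page = post(AUDIT + "/results", hdrs, {"cursorRef": cursor})
        events = page.get("data") or []
        yield from events
        if not events:  # assumed stop: an empty page means the window is drained
            return
        cursor = page.get("paging", {}).get("cursor", {}).get("cursorRef")
    raise RuntimeError("max_pages reached; window not fully drained")

def fake_post(url, headers, body):  # constructed responses, not real API output
    if url == ID_URL:
        return {"access_token": "constructed-token"}
    assert headers["Authorization"] == "Bearer constructed-token"
    if url.endswith("/createQuery"):
        return {"cursorRef": "c1"}
    pages = {"c1": (["e1", "e2"], "c2"), "c2": (["e3"], "c3"), "c3": ([], "c3")}
    data, nxt = pages[body["cursorRef"]]
    return {"data": [{"uuid": u} for u in data], "paging": {"cursor": {"cursorRef": nxt}}}

if __name__ == "__main__":
    for ev in collect(fake_post, "Y29uc3RydWN0ZWQ=", "constructed-key",
                      "2024-01-01T00:00:00Z", "2024-01-01T00:01:00Z", ["uuid"]):
        print(ev)
```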


