CyberArk extension

  • Latest Dynatrace
  • Extension
  • Published Apr 17, 2026

Ingest CyberArk audit logs and monitor authentication, authorization, and user lifecycle events for security and compliance in Dynatrace.

Get started

Overview

The CyberArk extension integrates your CyberArk audit logs into your Dynatrace environment. Gain real-time visibility into authentications, user events, and configuration changes in your CyberArk environment, all within the Dynatrace platform. Use advanced analytics, dashboards, and alerting to strengthen security and streamline compliance monitoring.

Use cases

  • Monitor CyberArk authentication and authorization events for security and compliance.
  • Detect suspicious login attempts, MFA challenges, and user lockouts in real time.
  • Track user lifecycle events such as provisioning and group membership changes.
  • Automate incident response workflows based on CyberArk security events.

Activation and setup

  1. Find the extension in the Dynatrace Hub and add it to your environment.
  2. Create a Dynatrace platform token with storage:files:write and storage:files:read scopes.
  3. Follow CyberArk's guide to integrate audit logs with third-party SIEM applications.
  4. Create a new monitoring configuration for the extension. Use the Dynatrace platform token and provide the following data from CyberArk:
       • CyberArk Identity Endpoint
       • Application ID
       • Service Account Username/Password
       • Audit API Endpoint
       • Audit API Key

Details

The extension queries the CyberArk audit log API using the provided credentials and stores the retrieved logs in Dynatrace. You can view the logs in the Logs app and in the bundled dashboard.

Feature sets

When activating your extension using a monitoring configuration, you can limit monitoring to one of the feature sets. To work properly, the extension has to collect at least one metric after the activation.

In highly segmented networks, feature sets can reflect the segments of your environment. Then, when you create a monitoring configuration, you can select a feature set and a corresponding ActiveGate group that can connect to this particular segment.

All metrics that aren't categorized into any feature set are considered to be the default and are always reported.

A metric inherits the feature set of a subgroup, which in turn inherits the feature set of a group. Also, the feature set defined on the metric level overrides the feature set defined on the subgroup level, which in turn overrides the feature set defined on the group level.

default
Metric name | Metric key | Description
Audit Log Connectivity | audit_log.connectivity |