BUYER'S GUIDE | IDENTITY SECURITY
Buyer's GuideUpdated 11 min read

CyberArk PSM Session Recording Search: How to Find the Evidence You Need in an Incident Investigation

90 days
the typical PSM recording retention period in enterprise CyberArk deployments before recordings are archived to cold storage or deleted based on vault storage policy, making rapid session retrieval critical during incident response
0
the number of CyberArk deployments that have OCR text search working for SSH terminal sessions by default: SSH text indexing requires a separate configuration step in the PSM server that most deployments do not complete during initial setup
REST API
the required approach for bulk session metadata retrieval across more than 100 sessions during an investigation: the PVWA interface limits results per page and does not support export without the API
100
the default maximum number of recordings returned per API call to GET /API/Recordings, requiring pagination with Limit and Offset parameters for investigations covering hundreds of sessions across weeks of activity

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The scenario is standard: an incident was detected, a privileged account is suspected of being involved, and the security team needs to review PSM recordings from the past three weeks to determine what the account actually did during its sessions. The CyberArk deployment has been in production for two years and has a complete recording archive.

The challenge is that PSM recording search has capabilities most teams do not know about and limitations most teams discover at the worst possible moment. This guide covers the search workflow in PVWA, the REST API approach for bulk investigation, and the specific configuration requirements that determine whether text search works against your recording archive.

PVWA session search: navigating to recordings and applying filters

Navigate to the PVWA interface and select the Monitoring menu item. The Session Management sub-menu contains All Sessions, which displays all PSM recordings in the vault that the current user has access to view.

The primary filter options:

  • Vault User: the CyberArk user who initiated the session (the human or service principal that logged into PVWA and launched the session). This is the most reliable filter for investigating a specific administrator.
  • Target Account: the privileged account used in the session (for example, root on server01 or Administrator on sqlserver02).
  • Remote Machine: the target system's hostname or IP address.
  • Date Range: From and To date pickers for the session start time.
  • Safe: limits results to sessions from accounts stored in a specific Safe.

Apply the most restrictive filter first to limit results. If you know the Vault User, start there. If you know the target system, filter by Remote Machine and date range. Combining multiple filters with AND logic narrows large result sets quickly.

For each session result, the list shows: session start time, duration, Vault User, target account, remote machine, and whether a recording file exists. Some sessions may show no recording if the session was initiated through a connection component that does not record, or if PSM storage was temporarily unavailable.

OCR text search: what works, what does not, and why

CyberArk PSM can index recording content and allow text search across sessions, but this capability has specific prerequisites that many deployments do not meet.

For RDP sessions: text indexing is performed by an OCR engine on the PSM server that processes the recorded screen content. This requires: Allow recording and text indexing to be enabled in the Master Policy for the relevant platform, and the PSM server to have sufficient disk space for the index files (index files are approximately 20 to 30 percent of the recording file size). If these are configured, the text search box in the Session Management view allows free-text queries across RDP session content.

For SSH terminal sessions: SSH text indexing uses a separate mechanism because SSH sessions are recorded as text streams rather than screen captures. The PSM for SSH component must have textual session recording enabled in its ini configuration (PSMPServer.ini: EnableAuditLogs = yes). This is a separate configuration from the PSM RDP recording and is not enabled by default. Without it, SSH session text is not searchable even if RDP sessions are.

For sessions recorded before the indexer was configured: OCR indexing is not retroactive. Recordings that were stored before the indexer was configured are not indexed and will not appear in text search results. Only recordings created after indexer configuration are searchable by text content.

The practical implication for incident investigation: if you are investigating an SSH session from before the indexer was configured, you must review the session recording manually by playing it back. For large investigation scopes, this significantly extends the investigation timeline.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

REST API for bulk session metadata retrieval

The PVWA interface returns 25 sessions per page and requires manual navigation for large result sets. For an investigation covering hundreds of sessions across weeks of activity, the REST API is the correct approach.

Authenticate first: POST /PasswordVault/API/auth/CyberArk/Logon with your CyberArk credentials. The response returns a token used in the Authorization header for subsequent calls.

Retrieve session metadata: GET /PasswordVault/API/Recordings?Limit=100&Offset=0&FromTime=[unix_epoch]&ToTime=[unix_epoch]

Additional filter parameters: UserName (Vault User filter), AccountID (specific privileged account), SafeName, RemoteMachine.

The response JSON includes: SessionID, StartTime, EndTime, User, AccountName, AccountAddress, TicketID (if approval workflow was used), Duration, and RecordingFiles (list of recording file references).

Paginate through results by incrementing Offset by the Limit value (Offset=0, then Offset=100, then Offset=200) until the response returns fewer results than the Limit value.

Export the metadata to CSV for triage: parse the JSON response in PowerShell with ConvertFrom-Json and export with Export-Csv. The CSV gives investigators a sortable list of all sessions with their duration and account details, allowing them to prioritize which recordings to review manually based on session duration and account privilege.

Download and review specific recordings

Once the metadata triage identifies high-priority sessions, retrieve the recording files.

From PVWA: click a session in the All Sessions list and use the Play button to stream the recording within the browser, or the Download button to retrieve the file locally. Downloaded recordings play in the CyberArk Privileged Session Player application, which provides frame-by-frame navigation, speed adjustment, and event markers.

From the REST API: the RecordingFiles array in the session metadata contains file references. Use GET /PasswordVault/API/Recordings/{SessionID}/Activities to retrieve the activity log for a session, which lists detected events (mouse clicks, keyboard input markers, command detection results) with timestamps. This activity log allows you to jump to specific timestamps in the recording without watching the full session.

For RDP sessions, the Player application's event marker timeline is the most efficient review tool. If command detection was configured in the PSM settings, specific commands run during the session are marked on the timeline, allowing you to jump directly to the point where a specific command was executed.

For SSH sessions, the text recording (if enabled) can be opened as a plain text file and searched with any text editor, which is faster than video playback for identifying specific command sequences.

The bottom line

CyberArk PSM recording search for incident investigation requires knowing the specific configuration state of your deployment before you start: whether OCR indexing is active, whether SSH text recording is configured, and what the recording retention period is. The REST API is the correct tool for bulk metadata triage when the investigation spans hundreds of sessions. The activity log endpoint lets investigators jump to specific events within recordings without watching from the start. Check the indexer configuration before an incident, not during one.

Frequently asked questions

How do I search CyberArk session recordings for a specific command that was run?

If text indexing is configured for your PSM deployment, use the text search field in PVWA Monitoring > Session Management. Enter the command or keyword and filter by date range and account. Text search works for RDP sessions if the OCR indexer is configured and for SSH sessions if textual session recording is enabled in PSMPServer.ini. If text indexing is not configured, you must review recordings manually in the CyberArk Privileged Session Player, using the activity log timestamps to navigate to relevant points in the session.

How do I retrieve CyberArk PSM session recordings via API?

Use the CyberArk REST API: authenticate with POST /PasswordVault/API/auth/CyberArk/Logon, then query GET /PasswordVault/API/Recordings with filter parameters including FromTime and ToTime as Unix epoch timestamps, UserName for the Vault User, and RemoteMachine for the target system. The response contains session metadata including SessionID, duration, and recording file references. Use pagination with Limit and Offset to retrieve large result sets. The GET /PasswordVault/API/Recordings/{SessionID}/Activities endpoint returns the activity event log for a specific session.

Why are CyberArk session recordings not searchable by text content?

Text search requires the PSM recording indexer to be configured and active at the time the recordings were created. For RDP sessions, the indexer must be enabled in the Master Policy under the relevant platform and the PSM server must have disk space allocated for index storage. For SSH sessions, textual session recording must be enabled in PSMPServer.ini (EnableAuditLogs = yes). Recordings created before the indexer was configured are not indexed retroactively. If text search returns no results for a date range where recordings exist, the indexer was likely not configured at the time those recordings were created.

How do I export CyberArk PSM session recordings for legal hold or external review?

RDP session recordings are stored as .avi files in the PSM server's recording path (default: C:\Program Files (x86)\CyberArk\PSM\Recordings). SSH text recordings are stored as .log files in the same path. For bulk export by account, date range, or target system, use the CyberArk REST API GET /PasswordVault/API/Recordings endpoint with date filters, then download each recording file using its file reference. For legal hold, copy the recording files to immutable storage (Azure Blob with object lock, AWS S3 with object lock) with the metadata export from the API so file names can be matched to accounts and sessions.

How do I audit which privileged accounts have no session recording enabled in CyberArk?

In the PVWA Administration > Platform Management, review each platform's Session Management settings to confirm PSM session recording is required for production platforms. Then query the Safe inventory: for each safe, check whether the platform linked to its accounts has recording enabled. Use the CyberArk REST API: GET /PasswordVault/API/Accounts to enumerate accounts with their platform IDs, then GET /PasswordVault/API/Platforms/{platformID} to check the RequirePrivilegedSessionMonitoringAndIsolation flag. Accounts on platforms without this flag enabled can authenticate without session recording. These represent compliance gaps in most PAM audit requirements.

How long should CyberArk PSM session recordings be retained and where should they be stored?

Retention period depends on your compliance framework: PCI DSS requires 12 months (3 months immediately available, 9 months archivable); SOC 2 auditors typically look for 12 months; HIPAA has no explicit retention period but 6 years is the common standard for access records. Store recordings in two tiers: local PSM vault storage (fast retrieval for investigations) for 90 days, then export to immutable object storage (S3 with Object Lock, Azure Blob with immutability policies) for long-term retention. Enable CyberArk's Privileged Session Manager recording export to export completed sessions to external storage automatically. Protect storage access with separate credentials from the CyberArk vault to ensure recordings survive a vault compromise.

Sources & references

  1. CyberArk Privileged Session Manager Documentation
  2. CyberArk REST API Reference
  3. CyberArk Privilege Cloud Documentation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.