CyberArk Identity Event Collector
CyberArk Identity Events Collector Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.8.0 and later.
CyberArk Identity log event collector integration for Cortex XSIAM. This integration was integrated and tested with version 22.4 of CyberArk Identity Event Collector.
#
Configure CyberArk Identity Event Collector on Cortex XSIAMNavigate to Settings > Configurations > Data Collection > Automation & Feed Integrations.
Search for CyberArk Identity Event Collector.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL The CyberArk Identity URL (https://{{tenant}}.my.idaptive.app). True App ID The application ID to fetch the logs from. True User name The SIEM user name (for example admin@example.com
).True Password The SIEM password. True Product name The name of the product to name the dataset after. False Vendor name The name of the vendor to name the dataset after. False First fetch time The period to retrieve events for.
format: <number> <time unit>, for example 12 hours, 1 day, 3 months.
Default is 3 days.True Maximum number of events per fetch The number of items to retrieve per request from CyberArk's API. True Trust any certificate (not secure) When selected, certificates are not checked. False proxy Use system proxy settings. False Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSIAM Alerts War Room as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
cyberarkidentity-get-eventsReturns a list of events
#
Base Commandcyberarkidentity-get-events
#
InputArgument Name | Description | Required |
---|---|---|
should_push_events | Set this argument to True to create events, otherwise events will only be displayed. Default is False. | Required |
limit | The maximum number of events per fetch. Default is 1000. | Optional |
from | The first fetch time (<number> <time unit>, for example 12 hours, 1 day, 3 months). Default is 3 days. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!cyberarkidentity-get-events should_push_events=false limit=10 from="3 days"
#
Human Readable Output#
CyberArkIdentity RedRock records
Auth Method Directory Service Uuid From IP Address ID Level Normalized User Request Device OS Request Host Name Request Is Mobile Device Tenant User Guid When Logged When Occurred _ Table Name None 123456abcdef.123456.abcdef 1.1.1.1 123456abcdef.123456.abcdef Info admin@example.com.11 Unknown 1.1.1.1 false AAM4730 123456abcdef.123456.abcdef /Date(1652376432605)/ /Date(1652376432605)/ events None 123456abcdef.123456.abcdef 1.1.1.1 123456abcdef.123456.abcdeg Info admin@example.com.11 Unknown 1.1.1.1 false AAM4730 123456abcdef.123456.abcdef /Date(1652376492682)/ /Date(1652376492682)/ events None 123456abcdef.123456.abcdef 1.1.1.1 123456abcdef.123456.abcdeh Info admin@example.com.11 Unknown 1.1.1.1 false AAM4730 123456abcdef.123456.abcdef /Date(1652376552546)/ /Date(1652376552546)/ events