CyberArk Identity Security Platform
This Integration is part of the CyberArk Pack.
Supported versions
Available on Cortex XSIAM.
Overview
The CyberArk Identity Security Platform is a unified solution securing all human and machine identities (workforce, customers, non-human) across hybrid/multi-cloud environments, centered on intelligent privilege controls, AI-driven threat detection (CORA AI), and lifecycle automation to enforce least privilege and Zero Trust, providing a single portal for access management, PAM, and endpoint security.
This integration collects audit events from CyberArk Identity Security Platform for security monitoring and compliance purposes in your Cortex environment.
Authentication
This integration uses OAuth2 Client Credentials flow combined with API key authentication for secure access to the CyberArk Identity Security Platform Audit API.
Before You Start
Before configuring the integration, you must complete the following prerequisites in your CyberArk Identity Administration:
Step 1: Create and Configure an OAuth2 Server Web App in Identity Administration
- In Identity Administration, go to Apps & Widgets > Web Apps, and click Add Web Apps.
- In the Add Web Apps dialog, click the Custom tab, locate the OAuth2 Server web app, and click Add.
- Click Yes to add the web app.
- In the Web Apps page, select the OAuth2 Server app that you just added.
- In the OAuth2 Server page, configure the following:
  - Settings tab: In the Application ID field, enter a name for this web app (e.g., xsiamapp). This will be your Web App ID.
  - Tokens tab: In the Token Type field, select jwtRS256. Under Auth methods, ensure that the Client Creds authentication method is selected.
  - Scope tab: Click Add, copy and paste the following text in the Name field, and then click Save:
  - Advanced tab: Copy and paste the following script:
Step 2: Create a Service User in Identity Administration
- Go to Core Services > Users, and click Add User.
- In the Create CyberArk Cloud Directory User page, enter the information in the required fields.
- In the Status area, select is OAuth confidential client, and then click Create User.
- In the Users page, select the All Service Users set, and then locate and select the user that you just created.
- In the User details page, select the Application Settings tab and then click Add.
- Locate and select the OAuth2 Server web app, and click Save.
- Enter your user name, and click OK.
Note: The service username (without domain) will be your Client ID, and the service password will be your Client Secret.
Step 3: Set the Service User Permissions in Identity Administration
- Go to Apps & Widgets > Web Apps, and select the OAuth2 Server web app that you added.
- Select the Permissions tab, locate the service user that you created, and select the following permissions:
- Grant
- View
- Run
- Automatically Deploy
- Click Save.
Step 4: Add a SIEM Integration in the Administration Space
- Go to the Administration space.
- Select My environment > Integrations > Export to SIEM.
- Click Create, and select Create SIEM integration.
- Enter a name for the SIEM integration and an optional description.
- Click Apply. An API key is created.
- Copy the API key and the API base URL for use in the integration configuration.
Important: You can only have two third-party SIEM integrations. If you want to add an integration, you must delete one of the existing integrations.
Integration Parameters
| Parameter | Description | Required |
|---|---|---|
| Audit Server URL | The Audit API base URL from the SIEM integration (e.g., https://example-domain.audit.cyberark.cloud). | True |
| Identity URL | The CyberArk Identity FQDN for OAuth2 authentication (e.g., https://abc1234.id.cyberark.cloud). | True |
| Web App ID | The Application ID of the OAuth2 Server web app configured in Identity Administration. | True |
| API Key | The API key from the SIEM integration created in the Administration space. | True |
| Client ID | Service username without domain (configured as OAuth confidential client). | True |
| Client Secret | Service user password for OAuth2 authentication. | True |
| Trust any certificate (not secure) | When selected, the integration will not verify SSL certificates. | False |
| Use system proxy settings | When selected, the integration will use the system proxy settings. | False |
| Maximum number of audit events per fetch | Maximum number of events to fetch per cycle (default 10000, based on API paging definition). | False |
| Fetch Assets | When enabled, the integration periodically fetches CyberArk Cloud Directory snapshots (Users, Groups, Roles, Applications) selected in 'Directory Data Collection' below. | False |
| Directory Data Collection | Select which CyberArk Cloud Directory data sources to fetch as snapshots. Each selected source produces its own dataset (cyberark_users_raw, cyberark_groups_raw, cyberark_roles_raw, cyberark_applications_raw). Has no effect unless 'Fetch Assets' is enabled. | False |
| Maximum number of records per Redrock page | Maximum number of records to request per page from the Redrock API (default 10000). Snapshots are paginated automatically across multiple invocations within a fetch cycle when needed. | False |
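The paginated snapshot behaviour described for 'Maximum number of records per Redrock page', shown as an added Python example that is not the integration's own code: a small collector keeps its offset and partial records between invocations and seals the snapshot once a short page arrives, so a large directory is spread over several runs of one fetch cycle. The Redrock query itself is not shown on the page, so it is abstracted behind a `fetch_page(offset, page_size)` callable (an assumption of this example); the 25-user directory is constructed sample data.

```python
"""Resumable directory snapshot collector (added example, not the integration's code).

The real Redrock query is not reproduced here; fetch_page(offset, page_size) is an
assumed callable that returns one page of records for the selected source.
"""

# Dataset names from the 'Directory Data Collection' parameter description.
DATASETS = {
    "users": "cyberark_users_raw",
    "groups": "cyberark_groups_raw",
    "roles": "cyberark_roles_raw",
    "applications": "cyberark_applications_raw",
}


def new_state(source, page_size=10000):
    """State carried between invocations (for example in the integration context).
    page_size mirrors the 'Maximum number of records per Redrock page' default."""
    if source not in DATASETS:
        raise ValueError(f"unknown directory source {source!r}")
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    return {"source": source, "offset": 0, "page_size": page_size,
            "records": [], "sealed": False}


def run_once(state, fetch_page):
    """Fetch a single page and advance the offset; returns True once sealed.
    A page shorter than page_size means the source is exhausted."""
    if state["sealed"]:
        return True
    page = fetch_page(state["offset"], state["page_size"])
    state["records"].extend(page)
    state["offset"] += len(page)
    if len(page) < state["page_size"]:
        state["sealed"] = True
    return state["sealed"]


def snapshot(state):
    """(dataset name, records) once the snapshot is sealed; None while paging."""
    if not state["sealed"]:
        return None
    return DATASETS[state["source"]], state["records"]


# Constructed sample directory: 25 users with the fields cyberark-isp-get-users exposes.
SAMPLE_USERS = [
    {"ID": f"user-{i:03d}", "Username": f"user{i}@example.test",
     "DisplayName": f"User {i}", "Email": f"user{i}@example.test", "LastLogin": None}
    for i in range(25)
]


def sample_fetch_page(offset, page_size):
    """Stand-in for the Redrock call: slice the in-memory directory."""
    return SAMPLE_USERS[offset:offset + page_size]


def collect_sample(page_size=10):
    """Drive the collector to completion; returns (invocations, dataset, record count)."""
    state = new_state("users", page_size)
    invocations = 1
    while not run_once(state, sample_fetch_page):
        invocations += 1
    name, records = snapshot(state)
    return invocations, name, len(records)


if __name__ == "__main__":
    print(collect_sample(10))
```

With a page size of 10 the 25 sample users seal after three invocations (10, 10, 5). When the record count is an exact multiple of the page size, one additional empty page is fetched before the snapshot is sealed, which is the price of not knowing the total up front.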
Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
cyberark-isp-get-events
Gets audit events from CyberArk Identity Security Platform. This command is intended for development and debugging and should be used with caution: pushing events can create duplicates and exceed the API request limits.
Note: This command is not supported in XSOAR.
Base Command
cyberark-isp-get-events
Input
| Argument Name | Description | Required |
|---|---|---|
| date_from | The start date/time to fetch events from (format: YYYY-MM-DD HH:MM:SS). Supports relative time (e.g., "3 days ago", "2 hours ago") or specific absolute dates (e.g., "2025-09-15 17:10:00"). Default is "1 minute ago". | Optional |
| date_to | The end date/time to fetch events until (format: YYYY-MM-DD HH:MM:SS). Supports relative time (e.g., "1 hour ago", "now") or specific absolute dates (e.g., "2025-09-15 17:11:00"). If not specified, fetches until now. | Optional |
| limit | Maximum number of events to retrieve. Default is 50. | Optional |
| should_push_events | Set to true to push events to XSIAM (use with caution to avoid duplicates), false to only return them in the War Room. Default is false. Possible values are: true, false. | Optional |
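The date_from/date_to arguments and the duplicate caution above, shown as an added Python example that is not the integration's own code: it resolves the command's relative or absolute time arguments to the Unix-millisecond timestamps the events carry, then filters the window and de-duplicates by uuid before anything would be pushed. The relative-time parser, the fixed reference time and the event list are constructed for this example.

```python
"""Time-window resolution and uuid de-duplication for get-events style debugging
(added example, not the integration's code)."""
import re
from datetime import datetime, timedelta, timezone

# Relative forms accepted by this example parser (an assumption; the integration's
# own argument parsing is not shown on the page): "<n> <unit>(s) ago" and "now".
_RELATIVE = re.compile(r"^(\d+)\s+(second|minute|hour|day|week)s?\s+ago$")
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
_ABSOLUTE = "%Y-%m-%d %H:%M:%S"  # the format the command documents


def parse_time_arg(value, now=None):
    """Resolve "3 days ago", "now" or "YYYY-MM-DD HH:MM:SS" (taken as UTC) to epoch ms."""
    now = now or datetime.now(timezone.utc)
    text = value.strip().lower()
    if text == "now":
        ref = now
    elif (m := _RELATIVE.match(text)):
        ref = now - timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])
    else:
        ref = datetime.strptime(text, _ABSOLUTE).replace(tzinfo=timezone.utc)
    return int(ref.timestamp() * 1000)


def resolve_window(date_from="1 minute ago", date_to=None, now=None):
    """Apply the command's defaults: date_from is '1 minute ago', date_to is now."""
    now = now or datetime.now(timezone.utc)
    start = parse_time_arg(date_from, now)
    end = parse_time_arg(date_to or "now", now)
    if start > end:
        raise ValueError("date_from is later than date_to")
    return start, end


def select_events(events, start_ms, end_ms, limit=50, already_pushed=()):
    """Keep events whose timestamp lies in [start_ms, end_ms], oldest first; drop any
    uuid already pushed earlier or repeated in this batch; stop at limit."""
    seen = set(already_pushed)
    selected = []
    for event in sorted(events, key=lambda e: e["timestamp"]):
        if not start_ms <= event["timestamp"] <= end_ms:
            continue
        if event["uuid"] in seen:
            continue
        seen.add(event["uuid"])
        selected.append(event)
        if len(selected) >= limit:
            break
    return selected


# Constructed sample data: a fixed "now" and events shaped like the context output.
SAMPLE_NOW = datetime(2025, 9, 15, 17, 12, 0, tzinfo=timezone.utc)


def _ms(hour, minute, second):
    return parse_time_arg(f"2025-09-15 {hour:02d}:{minute:02d}:{second:02d}")


SAMPLE_EVENTS = [
    {"uuid": "evt-1", "timestamp": _ms(17, 10, 30), "username": "alice", "auditType": "Info", "action": "Login"},
    {"uuid": "evt-2", "timestamp": _ms(17, 10, 45), "username": "bob", "auditType": "Warning", "action": "MFA failed"},
    {"uuid": "evt-2", "timestamp": _ms(17, 10, 45), "username": "bob", "auditType": "Warning", "action": "MFA failed"},  # repeated delivery
    {"uuid": "evt-3", "timestamp": _ms(17, 11, 30), "username": "carol", "auditType": "Info", "action": "Logout"},
    {"uuid": "evt-4", "timestamp": _ms(17, 9, 59), "username": "dave", "auditType": "Error", "action": "Login"},
]


def demo():
    """The documented example window 17:10:00 to 17:11:00 against the sample events."""
    start, end = resolve_window("2025-09-15 17:10:00", "2025-09-15 17:11:00", SAMPLE_NOW)
    return select_events(SAMPLE_EVENTS, start, end, limit=50)


if __name__ == "__main__":
    for event in demo():
        print(event["uuid"], event["username"], event["action"])
```

Passing the uuids of an earlier push as `already_pushed` is what keeps a repeated debug run from re-sending the same events; the same set is what a scheduled fetch would keep as its last-run state.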
Context Output
| Path | Type | Description |
|---|---|---|
| CyberArkISP.Event.uuid | String | Unique identifier of the audit event. |
| CyberArkISP.Event.tenantId | String | Tenant identifier. |
| CyberArkISP.Event.timestamp | Number | Event timestamp (Unix milliseconds). |
| CyberArkISP.Event.username | String | Username associated with the event. |
| CyberArkISP.Event.applicationCode | String | Application code (e.g., IDP). |
| CyberArkISP.Event.auditCode | String | Audit code identifier. |
| CyberArkISP.Event.auditType | String | Type of audit event (e.g., Info, Warning, Error). |
| CyberArkISP.Event.action | String | Action performed. |
| CyberArkISP.Event.userId | String | User ID associated with the event. |
| CyberArkISP.Event.source | String | Source IP address. |
| CyberArkISP.Event.actionType | String | Type of action (e.g., Start, End). |
| CyberArkISP.Event.component | String | Component name. |
| CyberArkISP.Event.serviceName | String | Service name. |
| CyberArkISP.Event.message | String | Event message. |
| CyberArkISP.Event.customData | Unknown | Custom event data. |
| CyberArkISP.Event.cloudProvider | String | Cloud provider (e.g., aws). |
| CyberArkISP.Event.identityType | String | Identity type (e.g., NON_HUMAN, HUMAN). |
| CyberArkISP.Event.originRegion | String | Origin region. |
Command Example
Additional Resources
For more information about CyberArk Identity Security Platform integration, refer to the official CyberArk documentation:
- Integrate Audit with third-party SIEM applications
- SIEM Integration API
- Integrate the CyberArk Identity client credentials flow
cyberark-isp-get-users
Manually fetches CyberArk Cloud Directory user snapshots via the Redrock Query API. For developing/debugging only. Use with caution if 'should_push_assets' is set to true, as it may interfere with the scheduled fetch cycle's snapshot sealing.
Base Command
cyberark-isp-get-users
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | Maximum number of user records to retrieve. Default is 50. | Optional |
| should_push_assets | Set to true to push the retrieved users to XSIAM as a snapshot in the cyberark_users_raw dataset. Possible values are: true, false. Default is false. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CyberArkISP.User.ID | String | Unique identifier of the CyberArk Cloud Directory user. |
| CyberArkISP.User.Username | String | Username (login name) of the user. |
| CyberArkISP.User.DisplayName | String | Display name of the user. |
| CyberArkISP.User.Email | String | Email address of the user. |
| CyberArkISP.User.LastLogin | Date | Timestamp of the user's last login. |
cyberark-isp-get-roles
Manually fetches CyberArk Cloud Directory role snapshots via the Redrock Query API. For developing/debugging only.
Base Command
cyberark-isp-get-roles
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | Maximum number of role records to retrieve. Default is 50. | Optional |
| should_push_assets | Set to true to push the retrieved roles to XSIAM as a snapshot in the cyberark_roles_raw dataset. Possible values are: true, false. Default is false. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CyberArkISP.Role.ID | String | Unique identifier of the role. |
| CyberArkISP.Role.Name | String | Name of the role. |
| CyberArkISP.Role.Description | String | Description of the role. |
cyberark-isp-get-groups
Manually fetches CyberArk Cloud Directory group snapshots via the Redrock Query API. For developing/debugging only.
Base Command
cyberark-isp-get-groups
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | Maximum number of group records to retrieve. Default is 50. | Optional |
| should_push_assets | Set to true to push the retrieved groups to XSIAM as a snapshot in the cyberark_groups_raw dataset. Possible values are: true, false. Default is false. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CyberArkISP.Group.ID | String | Unique identifier of the group. |
| CyberArkISP.Group.Name | String | Name of the group. |
cyberark-isp-get-applications
Manually fetches CyberArk Cloud Directory application snapshots via the Redrock Query API. For developing/debugging only.
Base Command
cyberark-isp-get-applications
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | Maximum number of application records to retrieve. Default is 50. | Optional |
| should_push_assets | Set to true to push the retrieved applications to XSIAM as a snapshot in the cyberark_applications_raw dataset. Possible values are: true, false. Default is false. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CyberArkISP.Application.ID | String | Unique identifier of the application. |
| CyberArkISP.Application.Name | String | Name of the application. |
| CyberArkISP.Application.AppType | String | Type of the application. |