CyberArk Identity Security Platform

This Integration is part of the CyberArk Pack.

Supported versions

Supported Cortex XSOAR versions: 8.11.0 and later.

Overview

The CyberArk Identity Security Platform is a unified solution securing all human and machine identities (workforce, customers, non-human) across hybrid/multi-cloud environments, centered on intelligent privilege controls, AI-driven threat detection (CORA AI), and lifecycle automation to enforce least privilege and Zero Trust, providing a single portal for access management, PAM, and endpoint security.

This integration collects audit events from CyberArk Identity Security Platform for security monitoring and compliance purposes in your Cortex environment.

Authentication

This integration uses OAuth2 Client Credentials flow combined with API key authentication for secure access to the CyberArk Identity Security Platform Audit API.

Before You Start

Before configuring the integration, you must complete the following prerequisites in your CyberArk Identity Administration:

Step 1: Create and Configure an OAuth2 Server Web App in Identity Administration

  1. In Identity Administration, go to Apps & Widgets > Web Apps, and click Add Web Apps.

  2. In the Add Web Apps dialog, click the Custom tab, locate the OAuth2 Server web app, and click Add.

  3. Click Yes to add the web app.

  4. In the Web Apps page, select the OAuth2 Server app that you just added.

  5. In the OAuth2 Server page, configure the following:

    • Settings tab: In the Application ID field, enter a name for this web app (e.g., xsiamapp). This will be your Web App ID.

    • Tokens tab: In the Token Type field, select jwtRS256. Under Auth methods, ensure that the Client Creds authentication method is selected.

    • Scope tab: Click Add, copy and paste the following text in the Name field, and then click Save:

      isp.audit.events:read

    • Advanced tab: Copy and paste the following script:

      setClaim('tenant_id', TenantData.Get("CybrTenantID"));
      setClaim('aud', 'cyberark.isp.audit');

Step 2: Create a Service User in Identity Administration

  1. Go to Core Services > Users, and click Add User.
  2. In the Create CyberArk Cloud Directory User page, enter the information in the required fields.
  3. In the Status area, select is OAuth confidential client, and then click Create User.
  4. In the Users page, select the All Service Users set, and then locate and select the user that you just created.
  5. In the User details page, select the Application Settings tab and then click Add.
  6. Locate and select the OAuth2 Server web app, and click Save.
  7. Enter your user name, and click OK.

Note: The service username (without domain) will be your Client ID, and the service password will be your Client Secret.

Step 3: Set the Service User Permissions in Identity Administration

  1. Go to Apps & Widgets > Web Apps, and select the OAuth2 Server web app that you added.
  2. Select the Permissions tab, locate the service user that you created, and select the following permissions:
    • Grant
    • View
    • Run
    • Automatically Deploy
  3. Click Save.

Step 4: Add a SIEM Integration in the Administration Space

  1. Go to the Administration space.
  2. Select My environment > Integrations > Export to SIEM.
  3. Click Create, and select Create SIEM integration.
  4. Enter a name for the SIEM integration and an optional description.
  5. Click Apply. An API key is created.
  6. Copy the API key and the API base URL for use in the integration configuration.

Important: You can only have two third-party SIEM integrations. If you want to add an integration, you must delete one of the existing integrations.
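Once Steps 1 to 3 are done, the quickest way to confirm that the OAuth2 Server web app is configured as described (jwtRS256 token type, the isp.audit.events:read scope, and the tenant_id and aud claims set by the Advanced tab script) is to inspect the claims of a token issued to the service user with the client credentials grant. The Python below is an added example, not code from this integration or from CyberArk. It decodes a JWT's header and payload without verifying the signature (the Audit API does that; this is a configuration sanity check, not token validation) and assumes the granted scopes are carried in a claim named scope, either as a space-separated string or as a list. The two tokens in the block are constructed samples with a placeholder signature segment.

```python
import base64
import json
from typing import Any, Dict, List

# Values the page tells you to configure on the OAuth2 Server web app.
EXPECTED_ALG = "RS256"                    # Tokens tab: Token Type = jwtRS256
EXPECTED_AUD = "cyberark.isp.audit"       # Advanced tab: setClaim('aud', 'cyberark.isp.audit')
REQUIRED_SCOPE = "isp.audit.events:read"  # Scope tab
TENANT_CLAIM = "tenant_id"                # Advanced tab: setClaim('tenant_id', ...)


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Dict[str, Dict[str, Any]]:
    """Return the JOSE header and payload of a compact JWT. The signature is NOT
    checked here: this is a configuration sanity check, not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def check_audit_token_claims(token: str) -> List[str]:
    """Compare the token's header and claims with the web-app settings from Step 1.
    Returns human-readable problems; an empty list means everything matched."""
    decoded = decode_jwt_unverified(token)
    header, payload = decoded["header"], decoded["payload"]
    problems: List[str] = []

    if header.get("alg") != EXPECTED_ALG:
        problems.append(f"alg is {header.get('alg')!r}; Token Type should be jwtRS256")

    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in auds:
        problems.append(f"aud is {aud!r}; the Advanced tab script should set it to {EXPECTED_AUD!r}")

    # Assumption: scope is a space-separated string (RFC 8693 style) or a list of strings.
    scope = payload.get("scope", "")
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"scope {scope!r} lacks {REQUIRED_SCOPE!r}; add it on the Scope tab")

    if not payload.get(TENANT_CLAIM):
        problems.append(f"{TENANT_CLAIM} claim is missing; the Advanced tab script should set it")

    return problems


def _constructed_token(header: Dict[str, Any], payload: Dict[str, Any]) -> str:
    """Build a constructed sample token. The third segment is a placeholder, not a
    real RS256 signature, so only decode_jwt_unverified() will accept it."""
    def enc(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed samples: one matching the documented configuration, one that does not.
GOOD_TOKEN = _constructed_token(
    {"alg": "RS256", "typ": "JWT"},
    {"sub": "serviceuser", "aud": EXPECTED_AUD, "scope": REQUIRED_SCOPE,
     TENANT_CLAIM: "EXAMPLE-TENANT-ID"},
)
MISCONFIGURED_TOKEN = _constructed_token(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "serviceuser", "aud": "some.other.audience", "scope": "openid"},
)

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("misconfigured", MISCONFIGURED_TOKEN)):
        issues = check_audit_token_claims(tok)
        print(f"{name}: {'OK' if not issues else issues}")
```

Run check_audit_token_claims() on a real token from your tenant; every entry it returns maps back to one tab of the OAuth2 Server web app in Step 1, which is usually faster than reading a generic 401 or 403 from the Audit API.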

Integration Parameters

| Parameter | Description | Required |
| --- | --- | --- |
| Audit Server URL (Audit API Base URL) | The Audit API base URL from the SIEM integration. Example: https://example-domain.audit.cyberark.cloud. Note: This is different from the Identity URL. | True |
| Identity URL (CyberArk Identity FQDN) | The CyberArk Identity FQDN for OAuth2 authentication. Example: https://abc1234.id.cyberark.cloud. Important: This is on a different domain than the Audit Server URL and is required. | True |
| OAuth2 Web App ID | The Application ID of the OAuth2 Server web app configured in Identity Administration. Example: xsiamapp | True |
| Client ID (Service User) | Service username without domain (configured as OAuth confidential client). Example: serviceuser | True |
| Client Secret (Service User Password) | Service user password for OAuth2 authentication. | True |
| API Key | The API key from the SIEM integration created in the Administration space. | True |
| Trust any certificate (not secure) | When selected, the integration will not verify SSL certificates. | False |
| Use system proxy settings | When selected, the integration will use the system proxy settings. | False |
| Maximum number of audit events per fetch | Maximum number of events to fetch per collection cycle. Default: 10000. Note: The API returns a maximum of 1000 events per page. | False |
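The "Maximum number of audit events per fetch" parameter and the 1000-events-per-page API limit interact: a collection cycle has to page through the Audit API until it reaches the configured maximum or runs out of pages, and events already ingested in an earlier cycle must not be pushed again (the duplicate warning on the get-events command applies to scheduled fetches as well). The Python below is an added example, not the integration's own fetch code. It keeps the paging and deduplication logic separate from the HTTP call by taking a fetch_page(cursor, page_size) function, and it runs against a constructed in-memory source because the Audit API's request and response format is not described on this page; the uuid and timestamp fields follow the context output documented further down.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

API_PAGE_LIMIT = 1000       # the Audit API returns at most 1000 events per page
DEFAULT_MAX_FETCH = 10000   # default "Maximum number of audit events per fetch"

Event = Dict[str, object]
# fetch_page(cursor, page_size) -> (events, next_cursor); next_cursor None means no more pages.
PageFetcher = Callable[[Optional[str], int], Tuple[List[Event], Optional[str]]]


def collect_events(fetch_page: PageFetcher, max_fetch: int = DEFAULT_MAX_FETCH,
                   seen_uuids: Optional[Set[str]] = None) -> Tuple[List[Event], Set[str]]:
    """Page through the source until max_fetch new events are collected or pages run out.
    Events whose uuid is already in seen_uuids (e.g. from the previous cycle) are dropped.
    Returns the new events and the updated set of seen uuids."""
    seen: Set[str] = set(seen_uuids or ())
    collected: List[Event] = []
    cursor: Optional[str] = None
    while len(collected) < max_fetch:
        # Never ask for more than the API can return, nor more than we still need.
        page_size = min(API_PAGE_LIMIT, max_fetch - len(collected))
        page, cursor = fetch_page(cursor, page_size)
        for event in page:
            uuid = str(event["uuid"])
            if uuid in seen:
                continue
            seen.add(uuid)
            collected.append(event)
            if len(collected) >= max_fetch:
                break
        if not page or cursor is None:
            break  # source exhausted (also guards against a source that returns empty pages)
    return collected, seen


def latest_timestamp(events: List[Event]) -> Optional[int]:
    """Highest event timestamp (Unix milliseconds) to use as the next cycle's start time;
    re-reading the boundary millisecond is harmless because of the uuid deduplication."""
    return max((int(e["timestamp"]) for e in events), default=None)


def make_fake_source(events: List[Event]) -> PageFetcher:
    """Constructed stand-in for the Audit API: serves `events` in order, page_size per
    call, with the cursor encoding the offset. Records each requested page size."""
    def fetch_page(cursor: Optional[str], page_size: int) -> Tuple[List[Event], Optional[str]]:
        fetch_page.requested.append(page_size)  # type: ignore[attr-defined]
        start = int(cursor) if cursor else 0
        page = events[start:start + page_size]
        end = start + len(page)
        return page, (str(end) if end < len(events) else None)
    fetch_page.requested = []  # type: ignore[attr-defined]
    return fetch_page


# Constructed sample data: 2500 events one second apart, more than two full API pages.
SAMPLE_EVENTS: List[Event] = [
    {"uuid": f"evt-{i:05d}", "timestamp": 1_700_000_000_000 + i * 1000, "auditType": "Info"}
    for i in range(2500)
]

if __name__ == "__main__":
    first, seen = collect_events(make_fake_source(SAMPLE_EVENTS), max_fetch=2000)
    print(f"cycle 1: {len(first)} events, next start {latest_timestamp(first)}")
    second, _ = collect_events(make_fake_source(SAMPLE_EVENTS), max_fetch=2000, seen_uuids=seen)
    print(f"cycle 2: {len(second)} new events after deduplication")
```

In a real collector the seen set would be persisted (in XSOAR, in the integration's last-run storage) and trimmed to the uuids at the boundary timestamp rather than kept forever; the example keeps the whole set only to make the deduplication visible.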

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cyberark-isp-get-events

Gets audit events from CyberArk Identity Security Platform. This command is intended for development and debugging and should be used with caution, as it can push events, leading to duplicate events and to exceeding the API request limit.

Note: This command is not supported in XSOAR.

Base Command

cyberark-isp-get-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| date_from | The start date/time to fetch events from (format: YYYY-MM-DD HH:MM:SS). Supports relative time (e.g., "3 days ago", "2 hours ago") or specific absolute dates (e.g., "2025-09-15 17:10:00"). Default is "1 minute ago". | Optional |
| date_to | The end date/time to fetch events until (format: YYYY-MM-DD HH:MM:SS). Supports relative time (e.g., "1 hour ago", "now") or specific absolute dates (e.g., "2025-09-15 17:11:00"). If not specified, fetches until now. | Optional |
| limit | Maximum number of events to retrieve. Default is 50. | Optional |
| should_push_events | Set to true to push events to XSIAM (use with caution to avoid duplicates), false to only return them in the War Room. Default is false. Possible values are: true, false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CyberArkISP.Event.uuid | String | Unique identifier of the audit event. |
| CyberArkISP.Event.tenantId | String | Tenant identifier. |
| CyberArkISP.Event.timestamp | Number | Event timestamp (Unix milliseconds). |
| CyberArkISP.Event.username | String | Username associated with the event. |
| CyberArkISP.Event.applicationCode | String | Application code (e.g., IDP). |
| CyberArkISP.Event.auditCode | String | Audit code identifier. |
| CyberArkISP.Event.auditType | String | Type of audit event (e.g., Info, Warning, Error). |
| CyberArkISP.Event.action | String | Action performed. |
| CyberArkISP.Event.userId | String | User ID associated with the event. |
| CyberArkISP.Event.source | String | Source IP address. |
| CyberArkISP.Event.actionType | String | Type of action (e.g., Start, End). |
| CyberArkISP.Event.component | String | Component name. |
| CyberArkISP.Event.serviceName | String | Service name. |
| CyberArkISP.Event.message | String | Event message. |
| CyberArkISP.Event.customData | Unknown | Custom event data. |
| CyberArkISP.Event.cloudProvider | String | Cloud provider (e.g., aws). |
| CyberArkISP.Event.identityType | String | Identity type (e.g., NON_HUMAN, HUMAN). |
| CyberArkISP.Event.originRegion | String | Origin region. |

Command Example

!cyberark-isp-get-events date_from="3 days ago" limit=50
!cyberark-isp-get-events date_from="2025-09-15 17:10:00" date_to="2025-09-15 17:11:00" limit=100
!cyberark-isp-get-events date_from="1 hour ago" limit=10 should_push_events=false

Additional Resources

For more information about CyberArk Identity Security Platform integration, refer to the official CyberArk documentation: