CyberArk PAM

This document provides guidance on how to integrate CyberArk Privileged Access Manager (PAM) with Google Security Operations SOAR.

Integration version: 4.0

Before you begin

To configure CyberArk PAM to work with the integration, create a user for the integration and grant that user permissions to access the required CyberArk PAM vaults.

Create a user

Complete the following steps to create a user for the integration:

  1. Sign in to the PrivateArk Client as an administrator.
  2. Go to Tools > Administrative Tools > Users and Groups.
  3. In the Users and Groups dialog, select the user location, click New, and select User.
  4. In the different tabs of the New User dialog, fill in the information as needed. The General and the Authentication tabs are mandatory.

For more information about creating a user, see Add a user to a Vault.

Grant permissions to the created user

Complete the following steps to grant the newly created user access to a vault:

  1. Sign in to the PrivateArk Client as an administrator.
  2. Select the vault you want to provide access to and sign in to it (double-click it).
  3. From the top menu, click Owners.
  4. To add a new user, click Add.
  5. In the dialog, select the user.
  6. In the Authorized to section, select at least the following permissions:
    • Monitor Safe
    • Retrieve files from Safe
    • Store files in Safe
    • Administer Safe
  7. To save changes, click OK.
  8. To exit the dialog window, click Close.

Optional: Configure client certificate

You can use an existing client certificate or create a new one for secure communications between the CyberArk PAM instance and Google SecOps SOAR. For more information about how to configure the client certificate, see Central Credential Provider web service configuration.

Integrate CyberArk PAM and Google SecOps

The integration requires the following parameters:

Parameters Description
API Root Required

The API root URL.

Provide the value in the following format: https://IP_ADDRESS:PORT.

Username Required

The username to connect with.

Password Required

The password to connect with.

Verify SSL Required

If selected, the integration verifies that the SSL certificate for the connection to the CyberArk server is valid.

Selected by default.

CA Certificate Required

The CA certificate to use for validating the secure connection to the API root.

This parameter accepts the CA certificate as a Base64-encoded string.

Client Certificate Optional

If a client certificate is configured for CyberArk PAM, specify the CyberArk client certificate to use for establishing a connection to the API root. Provide the certificate as a PFX file (in the PKCS #12 format).

Client Certificate Passphrase Optional

The passphrase required for the client certificate.

For more information about how to configure the integration in Google SecOps SOAR, see Configure integrations.

Actions

The CyberArk PAM integration includes the following actions:

Get Account Password Value

Use the Get Account Password Value action to get the account password value from CyberArk.

With this action, you can retrieve both the password and SSH key.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Account Password Value action requires the following parameters:

Parameters Description
API Root Required

The API root URL.

Provide the value in the following format: https://IP_ADDRESS:PORT.

Action outputs

The Get Account Password Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example describes the JSON result output received when using the Get Account Password Value action:

{
 "content": "PASSWORD_VALUE"
}

Output messages

The Get Account Password Value action provides the following output messages:

Output message Message description
Successfully fetched password value for account ID ACCOUNT_ID

Password value for account with ID ACCOUNT_ID and supplied version VERSION was not found in the CyberArk PAM.

Action succeeded.
Error executing action "Get Account Password Value". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Get Account Password Value action:

Script result name Value
is_success True or False

List Accounts

Use the List Accounts action to list accounts available in CyberArk PAM based on the criteria provided.

This action doesn't run on Google SecOps SOAR entities.

Action inputs

The List Accounts action requires the following parameters:

Parameters Description
Search Query Required

The search query to use.

Search operator Required

The search operator to use for running a search based on the provided search query.

Possible values are as follows:
  • contains
  • startswith

The default value is contains.

Max Records To Return Required

The number of records to return. If you provide no value, the action returns 50 records (API default).

Records Offset Required

The offset for the action to return the values.

Filter Query Required

The filter query to use. You can base the filter on the safeName or modificationTime parameters.

Saved Filter Required

The saved filter query to use.

This parameter takes priority over the Filter Query parameter.

Action outputs

The List Accounts action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

Case wall Table

On a Case Wall, the List Accounts action provides the following table:

Table name: Available PAM Accounts

Table columns:

  • ID
  • Safe Name
  • User Name
  • Secret Type

JSON result

The following example describes the JSON result output received when using the List Accounts action:

{
   "value": [
       {
           "categoryModificationTime": 1672051160,
           "platformId": "WinDomain",
           "safeName": "UserTestSafe",
           "id": "33_3",
           "name": "user@example.com",
           "address": "user@example.com",
           "userName": "user",
           "secretType": "password",
           "platformAccountProperties": {},
           "secretManagement": {
               "automaticManagementEnabled": true,
               "lastModifiedTime": 1672051160
           },
           "createdTime": 1672051160
       }
   ],
   "count": 1
}
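
The following added example (not part of the integration or the original page) shows how a playbook step might post-process the List Accounts JSON result: it rebuilds the Available PAM Accounts table rows and flags accounts whose secret is unmanaged or stale. The second sample record, the review_accounts function, and the 90-day age threshold are assumptions made for illustration.

```python
import json

# Constructed sample: the first record is trimmed from the page's example;
# the second is a made-up account with automatic management disabled.
SAMPLE_RESULT = json.loads("""
{"value": [
  {"id": "33_3", "safeName": "UserTestSafe", "userName": "user",
   "secretType": "password",
   "secretManagement": {"automaticManagementEnabled": true,
                        "lastModifiedTime": 1672051160}},
  {"id": "33_4", "safeName": "UserTestSafe", "userName": "svc-backup",
   "secretType": "key",
   "secretManagement": {"automaticManagementEnabled": false}}
 ],
 "count": 2}
""")

def review_accounts(result, now_epoch, max_age_days=90):
    """Return (table_rows, findings) for a List Accounts JSON result.

    table_rows mirror the "Available PAM Accounts" Case Wall columns.
    findings list accounts whose secret is unmanaged, has no recorded
    change time, or is older than max_age_days (hypothetical policy).
    """
    rows, findings = [], []
    for acct in result.get("value", []):
        rows.append({"ID": acct.get("id"), "Safe Name": acct.get("safeName"),
                     "User Name": acct.get("userName"),
                     "Secret Type": acct.get("secretType")})
        mgmt = acct.get("secretManagement") or {}
        reasons = []
        if not mgmt.get("automaticManagementEnabled", False):
            reasons.append("automatic management disabled")
        changed = mgmt.get("lastModifiedTime")  # epoch seconds, as in the sample
        if changed is None:
            reasons.append("no lastModifiedTime recorded")
        elif (now_epoch - changed) > max_age_days * 86400:
            reasons.append(f"secret older than {max_age_days} days")
        if reasons:
            findings.append({"id": acct.get("id"), "reasons": reasons})
    return rows, findings

if __name__ == "__main__":
    # Fixed "now" (100 days after the sample timestamp) keeps the demo repeatable.
    rows, findings = review_accounts(SAMPLE_RESULT, 1672051160 + 100 * 86400)
    for finding in findings:
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```
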
Output messages

The List Accounts action provides the following output messages:

Output message Message description

Successfully found accounts for the criteria provided in CyberArk PAM.

No accounts were found for the criteria provided in CyberArk PAM.

Both the Filter Query and Saved Filter parameters are provided, Saved Filter takes priority.

Action succeeded.
Error executing action "List Accounts". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the List Accounts action:

Script result name Value
is_success True or False

Ping

Use the Ping action to test connectivity to CyberArk.

This action doesn't run on Google SecOps entities.

Integration inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Ping action provides the following output messages:

Output message Message description
Successfully connected to the CyberArk PAM installation with the provided connection parameters! Action succeeded.
Failed to connect to the CyberArk PAM installation! Error is ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Ping action:

Script result name Value
is_success True or False