CyberArk PAM

Integration version: 3.0

Configure product permission

To configure CyberArk PAM to work with the integration, create a user for the integration and grant that user permissions to access the required CyberArk PAM vaults.

Create a user

Complete the following steps to create a user for the integration:

  1. Log in to the PrivateArk Client as an administrator.
  2. Go to Tools > Administrative Tools > Users and Groups.
  3. In the Users and Groups dialog, select the Location where the user will be, and click New. Then select User.
  4. In the different tabs of the New User dialog, fill in the information as needed. The General and the Authentication tabs are mandatory while the other tabs are optional.

    • For this example, we select the User type as BasicUser on the General tab.
    • Authentication method as Password on the Authentication tab.

For more information about creating a user, see Add a user to a Vault.

Grant permissions to the created user

Complete the following steps to grant a newly created user access to a vault:

  1. Log in to the PrivateArk Client as an administrator.
  2. Select the vault you want to provide access to and log in to it (double-click it).
  3. From the top menu click Owners.
  4. To add a new user click Add.
  5. In the dialog, select the desired user and provide the following minimum permissions:

[Image: CyberArk PAM permissions]

Once the permissions are granted, the user should be able to work with accounts stored in the vault.

Optional: Configure client certificate

You can use an existing client certificate or create a new one to secure communications between the CyberArk PAM instance and Google SecOps SOAR. For more information about how to configure the client certificate, see Central Credential Provider web service configuration.

Configure the integration in Google SecOps SOAR

For more information about how to configure the integration in Google SecOps SOAR, see Configure integrations.

Integration configuration parameters

Use the following parameters to configure the integration:

| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://x.x.x.x:port | Yes | Specify the API root URL. |
| Username | String | N/A | Yes | Specify the username to connect with. |
| Password | Password | N/A | Yes | Specify the password to connect with. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, the certificate configured for the API root is validated. |
| CA Certificate | String | N/A | Yes | Specify the CA certificate to use to validate the secure connection to the API root. The parameter accepts the CA certificate as a Base64-encoded string. |
| Client Certificate | String | N/A | Yes | Optional. If a client certificate is configured for CyberArk PAM, specify the CyberArk client certificate to use to establish the connection to the API root. Provide the certificate in the .p12 format. The parameter expects the certificate as a Base64-encoded string. |
| Client Certificate Passphrase | Password | N/A | Yes | Optional. If the client certificate requires a passphrase, specify it in this parameter. |

Actions

Get Account Password Value

Description

Get account password value from CyberArk PAM.

Parameters

| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://x.x.x.x:port | Yes | Specify the API root URL. |

Run on

This action doesn't run on entities.

Playbook use case example

Fetch an account password value from CyberArk PAM.

Action results

Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"content": <password value>
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully fetched password value for account id {0}".format(account_id)

If data is not available (is_success=false): "Password value for account with id {account_id} and supplied version {version} was not found in the CyberArk PAM."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "{action name}". Reason: {0}".format(error.Stacktrace)

General

List Accounts

Description

List accounts available in CyberArk PAM based on the provided criteria.

Parameters

| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Search Query | String | N/A | Yes | Specify the search query to use in the action. |
| Search operator | Drop-down list | contains (available values: contains, startswith) | Yes | Specify the search operator that the action should use to search based on the provided search query. |
| Max Records To Return | Integer | 50 | Yes | Specify the number of records to return. If nothing is provided, the action returns 50 records (API default). |
| Records Offset | Integer | 0 | Yes | Specify the offset that the action should use to return the values. |
| Filter Query | String | N/A | Yes | Specify the filter query that the action should use. Filter can be based on the safeName or modificationTime parameters. |
| Saved Filter | String | N/A | Yes | Specify the saved filter query that the action should use. This parameter takes priority over the Filter Query parameter. |

Run on

This action doesn't run on entities.

Action results

Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
   "value": [
       {
           "categoryModificationTime": 1672051160,
           "platformId": "WinDomain",
           "safeName": "UserTestSafe",
           "id": "33_3",
           "name": "Operating System-WinDomain-user@example.com-user",
           "address": "user@example.com",
           "userName": "user",
           "secretType": "password",
           "platformAccountProperties": {},
           "secretManagement": {
               "automaticManagementEnabled": true,
               "lastModifiedTime": 1672051160
           },
           "createdTime": 1672051160
       }
   ],
   "count": 1
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully found accounts for the provided criteria in CyberArk PAM".

If data is not available (is_success=false): "No accounts were found for the provided criteria in CyberArk PAM".

If both the Filter Query and Saved Filter parameters are provided: "Both the Filter Query and Saved Filter parameters are provided, Saved Filter takes priority"

The action should fail and stop a playbook execution:

If an invalid value is provided for the Max Records to Return parameter: Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided".

If an invalid value is provided for the Records Offset to Return parameter: Error executing action "{action name}". Reason: "Invalid value was provided for "Records Offset to Return": . Non-negative number should be provided".

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "{action name}". Reason: {0}".format(error.Stacktrace)

General
Case Wall Table

Table Name: Available PAM Accounts

Table Column:

  • Id
  • Safe Name
  • User Name
  • Secret Type
Entity
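
The List Accounts input rules and result table described above, as an added Python example (not code from the integration itself): it rejects non-positive Max Records and negative Records Offset values with the documented messages, applies the Saved Filter priority rule, and projects a JSON result onto the Available PAM Accounts columns. The query-string keys (search, searchType, limit, offset, filter, savedfilter), the function names, the filter expression and the saved filter name are assumptions that do not appear on this page.

```python
from urllib.parse import urlencode

OPERATORS = ("contains", "startswith")  # drop-down values listed on this page

# Trimmed copy of the JSON result sample shown above.
SAMPLE_RESULT = {"value": [{"id": "33_3", "safeName": "UserTestSafe",
                            "userName": "user", "secretType": "password"}],
                 "count": 1}


def _check_int(name, value, minimum, wording):
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or value < minimum:
        raise ValueError(f'Invalid value was provided for "{name}": {value}. '
                         f"{wording} number should be provided")


def build_list_accounts_query(search_query, operator="contains", max_records=50,
                              offset=0, filter_query=None, saved_filter=None):
    """Validate the action inputs; return (query_string, notes)."""
    if operator not in OPERATORS:
        raise ValueError(f"Search operator must be one of {OPERATORS}")
    _check_int("Max Records to Return", max_records, 1, "Positive")
    _check_int("Records Offset to Return", offset, 0, "Non-negative")
    # Query-string keys are assumed, not taken from this page.
    params = {"search": search_query, "searchType": operator,
              "limit": max_records, "offset": offset}
    notes = []
    if saved_filter:
        if filter_query:
            notes.append("Both the Filter Query and Saved Filter parameters "
                         "are provided, Saved Filter takes priority")
        params["savedfilter"] = saved_filter
    elif filter_query:
        params["filter"] = filter_query
    return urlencode(params), notes


def to_case_wall_rows(json_result):
    """Project a JSON result onto the Available PAM Accounts columns."""
    return [{"Id": a.get("id"), "Safe Name": a.get("safeName"),
             "User Name": a.get("userName"), "Secret Type": a.get("secretType")}
            for a in json_result.get("value", [])]


if __name__ == "__main__":
    qs, notes = build_list_accounts_query(
        "user", filter_query="safeName eq UserTestSafe",  # constructed filter
        saved_filter="ExampleSavedFilter")                # placeholder name
    print(qs, notes, to_case_wall_rows(SAMPLE_RESULT), sep="\n")
```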

Ping

Description

Test connectivity to the CyberArk PAM installation with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

This action doesn't run on entities.

Action results

Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the CyberArk PAM installation with the provided connection parameters!"

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity, is reported: "Failed to connect to the CyberArk PAM installation! Error is {0}".format(exception.stacktrace)

General