CyberArk PAM

This document provides guidance on how to integrate CyberArk Privileged Access Manager (PAM) with Google Security Operations SOAR.

Integration version: 4.0

Before you begin

To configure CyberArk PAM to work with the integration you need to create a user for the integration and provide that user with the permissions to access needed CyberArk PAM vaults.

Create a user

Complete the following steps to create a user for the integration:

Sign in to the PrivateArk Client as an administrator.
Go to Tools > Administrative Tools > Users and Groups.
In the Users and Groups dialog, select the user location, click New, and select User.
In the different tabs of the New User dialog, fill in the information as needed. The General and the Authentication tabs are mandatory.

For more information about creating a user, see Add a user to a Vault.

Grant permissions to the created user

Complete the following steps to add access to a vault to a newly created user:

Sign in to the PrivateArk Client as an administrator.
Select the vault you want to provide access to and sign in to it (double-click it).
From the top menu, click Owners.
To add a new user, click Add.
In the dialog, select the user.
In the Authorized to section, select at least the following permissions:
- Monitor Safe
- Retrieve files from Safe
- Store files in Safe
- Admisiter Safe
To save changes, click OK.
To exit the dialog window, click Close.

Optional: Configure client certificate

You can use existing or make a new client certificate for secure communications between the CyberArk PAM instance and Google SecOps SOAR. For more information about how to configure the client certificate, see Central Credential Provider web service configuration.

Integrate CyberArk PAM and Google SecOps

The integration requires the following parameters:

Parameters	Description
`API Root`	Required The API root URL. Provide the value in the following format: `https://IP_ADDRESS :PORT`.
`Username`	Required The username to connect with.
`Password`	Required The password to connect with.
`Verify SSL`	Required If selected, the integration verifies that the SSL certificate for the connection to the CyberArk server is valid. Selected by default.
`CA Certificate`	Required The CA certificate to use for validating the secure connection to the API root. This parameter accepts the CA certificate in a form of the Base64 encoded string.
`Client Certificate`	Optional If configured for CyberArk PAM, specify the CyberArk client certificate to use for establishing a connection to the API root. Provide the certificate as the PFX file (in the PKCS #12 format).
`Client Certificate Passphrase`	Optional The passphrase required for the client certificate.

For more information about how to configure the integration in Google SecOps SOAR, see Configure integrations.

Actions

The CyberArk PAM integration includes the following actions:

Get Account Password Value
List Accounts
Ping

Get Account Password Value

Use the Get Account Password Value action to get the account password value from CyberArk.

With this action, you can retrieve both the password and SSH key.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Account Password Value action requires the following parameters:

Parameters Description

API Root

Required

The API root URL.

Provide the value in the following format: https://IP_ADDRESS :PORT.

Action outputs

The Get Account Password Value action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example describes the JSON result output received when using the Get Account Password Value action:

{
 "content": "PASSWORD_VALUE"
}

Output messages

The Get Account Password Value action provides the following output messages:

Output message Message description

Output message	Message description
`Successfully fetched password value for account ID ACCOUNT_ID` `Password value for account with ID ACCOUNT_ID and supplied version VERSION was not found in the CyberArk PAM.`	Action succeeded.
`Error executing action "Get Account Password Value". Reason: ERROR_REASON`	Action failed. Check the connection to the server, the input parameters, or the credentials.

Successfully fetched password value for account ID
      ACCOUNT_ID

Password value for account with ID ACCOUNT_ID and supplied version VERSION was not found in the CyberArk PAM.

Action succeeded.

Error executing action "Get Account Password Value". Reason:
      ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Get Account Password Value action:

Script result name	Value
`is_success`	`True` or `False`

List Accounts

Use the List Accounts action to list accounts available in CyberArk PAM based on the criteria provided.

This action doesn't run on Google SecOps SOAR entities.

Action inputs

The List Accounts action requires the following parameters:

Parameters	Description
`Search Query`	Required The search query to use.
`Search operator`	Required The search operator to use for running a search based on the provided search query. Possible values are as follows: `contains` `startswith` . The default value is `contains`.
`Max Records To Return`	Required The number of records to return. If you provide no value, the action returns 50 records (API default).
`Records Offset`	Required The offset for the action to return the values.
`Filter Query`	Required The filter query to use. You can base the filter on the `safeName` or `modificationTime` parameters.
`Saved Filter`	Required The saved filter query to use. This parameter takes priority over the `Filter Query` parameter.

Action outputs

The List Accounts action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall Table

On a Case Wall, the List Accounts action provides the following table:

Table name: Available PAM Accounts

Table columns:

ID
Safe Name
User Name
Secret Type

JSON result

The following example describes the JSON result output received when using the List Accounts action:

{
   "value": [
       {
           "categoryModificationTime": 1672051160,
           "platformId": "WinDomain",
           "safeName": "UserTestSafe",
           "id": "33_3",
           "name": "user@example.com",
           "address": "user@example.com",
           "userName": "user",
           "secretType": "password",
           "platformAccountProperties": {},
           "secretManagement": {
               "automaticManagementEnabled": true,
               "lastModifiedTime": 1672051160
           },
           "createdTime": 1672051160
       }
   ],
   "count": 1
}

Output messages

The List Accounts action provides the following output messages:

Output message Message description

Output message	Message description
`Successfully found accounts for the criteria provided in CyberArk PAM.` `No accounts were found for the criteria provided in CyberArk PAM.` `Both the Filter Query and Saved Filter parameters are provided, Saved Filter takes priority.`	Action succeeded.
`Error executing action "List Accounts". Reason: ERROR_REASON`	Action failed. Check the connection to the server, the input parameters, or the credentials.

Successfully found accounts for the criteria provided in CyberArk PAM.

No accounts were found for the criteria provided in CyberArk PAM.

Both the Filter Query and Saved Filter parameters are provided, Saved Filter takes priority.

Action succeeded.

Error executing action "List Accounts". Reason:
      ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the List Accounts action:

Script result name	Value
`is_success`	`True` or `False`

Ping

Use the *Ping action to test connectivity to CyberArk.

This action doesn't run on Google SecOps entities.

Integration inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Ping action provides the following output messages:

Output message Message description

Successfully connected to the CyberArk PAM installation with the provided connection parameters! Action succeeded.

Output message	Message description
`Successfully connected to the CyberArk PAM installation with the provided connection parameters!`	Action succeeded.
`Failed to connect to the CyberArk PAM installation! Error is ERROR_REASON`	Action failed. Check the connection to the server, the input parameters, or the credentials.

Failed to connect to the CyberArk PAM installation! Error is
      ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Ping action:

Script result name	Value
`is_success`	`True` or `False`