CyberArk PAM

This document provides guidance on how to integrate CyberArk Privileged Access Manager (PAM) with Google Security Operations SOAR.

Integration version: 6.0

Before you begin

To configure CyberArk PAM to work with the integration, create a user for the integration and grant that user permissions to access the required CyberArk PAM vaults.

Create a user

Complete the following steps to create a user for the integration:

  1. Sign in to the PrivateArk Client as an administrator.
  2. Go to Tools > Administrative Tools > Users and Groups.
  3. In the Users and Groups dialog, select the user location, click New, and select User.
  4. In the different tabs of the New User dialog, fill in the information as needed. The General and the Authentication tabs are mandatory.

For more information about creating a user, see Add a user to a Vault.

Grant permissions to the created user

Complete the following steps to grant the newly created user access to a vault:

  1. Sign in to the PrivateArk Client as an administrator.
  2. Select the vault you want to provide access to and sign in to it (double-click it).
  3. From the top menu, click Owners.
  4. To add a new user, click Add.
  5. In the dialog, select the user.
  6. In the Authorized to section, select at least the following permissions:
    • Monitor Safe
    • Retrieve files from Safe
    • Store files in Safe
    • Administer Safe
  7. To save changes, click OK.
  8. To exit the dialog window, click Close.

Optional: Configure client certificate

You can use an existing client certificate or create a new one to secure communications between the CyberArk PAM instance and Google SecOps SOAR. For more information about how to configure the client certificate, see Central Credential Provider web service configuration.

Integrate CyberArk PAM and Google SecOps

The integration requires the following parameters:

Parameters Description
API Root Required

The API root URL.

Provide the value in the following format: https://IP_ADDRESS:PORT.

Username Required

The username to connect with.

Password Required

The password to connect with.

Verify SSL Required

If selected, the integration verifies that the SSL certificate for the connection to the CyberArk server is valid.

Selected by default.

CA Certificate Required

The CA certificate to use for validating the secure connection to the API root.

This parameter accepts the CA certificate as a Base64-encoded string.

Client Certificate Optional

If configured for CyberArk PAM, specify the CyberArk client certificate to use for establishing a connection to the API root. Provide the certificate as the PFX file (in the PKCS #12 format).

Client Certificate Passphrase Optional

The passphrase required for the client certificate.

For more information about how to configure the integration in Google SecOps SOAR, see Configure integrations.

Actions

The CyberArk PAM integration includes the following actions:

Get Account Password Value

Use the Get Account Password Value action to get the account password value from CyberArk.

With this action, you can retrieve both the password and SSH key.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Account Password Value action requires the following parameters:

Parameters Description
Account Required

The account ID for which to retrieve the password value.

Note: The account ID can be retrieved from the List Accounts action.

Reason Required

The reason to access the account password value.

The default value is automatically retrieved from Google SecOps SOAR.

Ticketing System Name Optional

The name of the ticketing system.

Ticket ID Optional

The ticketing system ticket ID.

Version Optional

The account password value version to retrieve.

Action outputs

The Get Account Password Value action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example describes the JSON result output received when using the Get Account Password Value action:

    {
      "content": "PASSWORD_VALUE"
    }
 
Output messages

The Get Account Password Value action provides the following output messages:

Output message Message description
Successfully fetched password value for account ID ACCOUNT_ID

Password value for account with ID ACCOUNT_ID and supplied version VERSION was not found in the CyberArk PAM.

Action succeeded.
Error executing action "Get Account Password Value". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Get Account Password Value action:

Script result name Value
is_success True or False

List Accounts

Use the List Accounts action to list accounts available in CyberArk PAM based on the criteria provided.

This action doesn't run on Google SecOps SOAR entities.

Action inputs

The List Accounts action requires the following parameters:

Parameters Description
Search Query Required

The search query to use.

Search operator Required

The search operator to use for running a search based on the provided search query.

Possible values are as follows:
  • contains
  • startswith

The default value is contains.

Max Records To Return Required

The number of records to return. If you provide no value, the action returns 50 records (API default).

Records Offset Required

The offset from which the action starts returning records.

Filter Query Required

The filter query to use. You can base the filter on the safeName or modificationTime parameters.

Saved Filter Required

The saved filter query to use.

This parameter takes priority over the Filter Query parameter.

Action outputs

The List Accounts action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

Case wall table

On a Case Wall, the List Accounts action provides the following table:

Table name: Available PAM Accounts

Table columns:

  • ID
  • Safe Name
  • User Name
  • Secret Type

JSON result

The following example describes the JSON result output received when using the List Accounts action:

    {
      "value": [
        {
          "categoryModificationTime": 1672051160,
          "platformId": "WinDomain",
          "safeName": "UserTestSafe",
          "id": "33_3",
          "name": "user@example.com",
          "address": "user@example.com",
          "userName": "user",
          "secretType": "password",
          "platformAccountProperties": {},
          "secretManagement": {
            "automaticManagementEnabled": true,
            "lastModifiedTime": 1672051160
          },
          "createdTime": 1672051160
        }
      ],
      "count": 1
    }
 
Output messages

The List Accounts action provides the following output messages:

Output message Message description

Successfully found accounts for the criteria provided in CyberArk PAM.

No accounts were found for the criteria provided in CyberArk PAM.

Both the Filter Query and Saved Filter parameters are provided, Saved Filter takes priority.

Action succeeded.
Error executing action "List Accounts". Reason: ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the List Accounts action:

Script result name Value
is_success True or False
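
The following Python function is an added example, not part of the integration or of CyberArk's own code. It reads a List Accounts JSON result in the shape shown in this section and flags accounts whose secret is not automatically managed or has not changed recently. The function name review_accounts, the 90-day threshold, the second sample account, and the treatment of lastModifiedTime as epoch seconds in UTC are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the List Accounts JSON result above
# (the second account and its values are made up for illustration).
SAMPLE_RESULT = {
    "value": [
        {"id": "33_3", "safeName": "UserTestSafe", "userName": "user",
         "secretType": "password",
         "secretManagement": {"automaticManagementEnabled": True,
                              "lastModifiedTime": 1672051160}},
        {"id": "33_4", "safeName": "UserTestSafe", "userName": "svc-backup",
         "secretType": "key",
         "secretManagement": {"automaticManagementEnabled": False,
                              "lastModifiedTime": 1700000000}},
    ],
    "count": 2,
}


# max_age_days=90 is an example threshold, not a CyberArk or integration default.
def review_accounts(result, now, max_age_days=90):
    """Return the Case Wall columns per account plus a list of findings."""
    rows = []
    for acct in result.get("value", []):
        mgmt = acct.get("secretManagement") or {}
        findings = []
        if not mgmt.get("automaticManagementEnabled", False):
            findings.append("automatic management disabled")
        changed = mgmt.get("lastModifiedTime")  # assumed to be epoch seconds
        if changed is None:
            findings.append("no lastModifiedTime")
        else:
            age = now - datetime.fromtimestamp(changed, tz=timezone.utc)
            if age > timedelta(days=max_age_days):
                findings.append(f"secret unchanged for {age.days} days")
        rows.append({
            "ID": acct.get("id"),
            "Safe Name": acct.get("safeName"),
            "User Name": acct.get("userName"),
            "Secret Type": acct.get("secretType"),
            "Findings": findings,
        })
    return rows


if __name__ == "__main__":
    for row in review_accounts(SAMPLE_RESULT, datetime(2023, 12, 1, tzinfo=timezone.utc)):
        print(row)
```

Accounts with an empty Findings list need no follow-up; the ID column of the others is the value the Get Account Password Value action takes as its Account parameter.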

Ping

Use the Ping action to test connectivity to CyberArk.

This action doesn't run on Google SecOps entities.

Integration inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Ping action provides the following output messages:

Output message Message description
Successfully connected to the CyberArk PAM installation with the provided connection parameters! Action succeeded.
Failed to connect to the CyberArk PAM installation! Error is ERROR_REASON

Action failed.

Check the connection to the server, the input parameters, or the credentials.

Script result

The following table describes the values for the script result output when using the Ping action:

Script result name Value
is_success True or False
