API & Integrations - CyberArk Identity Protection

The integration is available in the Integration Hub in the Mimecast Administration Console. To add, edit, or delete the configuration, the user must have one of the roles listed under Prerequisites.

Prerequisites

  • Human Risk Command Center (available to Email Security MX customers) and/or Engage Subscription

  • One of the following Administration Console roles:

    • Global Sys Admin

    • Sys Admin - SD Full

    • Super Administrator

    • Full Administrator

    • Basic Administrator

    • Partner Administrator

    • Custom role with “Integrations Marketplace” having Read/Write enabled

Overview

The integration is configured in the Integration Hub in the Mimecast Administration Console.

Historical events will not be pulled from CyberArk; only events from the point of integration onward are collected.

Authentication

To authenticate with CyberArk, two pieces of information are required:

  1. The CyberArk base platform URL.

    • The User Interface (UI) will only accept the <your company name> portion of the FQDN.

  2. An API Token. We recommend that the token belongs to a service user, so that it is not tied to a specific person's account or email address.

Before you can generate either of these in CyberArk, you need to create an OAuth2 Server and a Service User that interacts with that server.

OAuth2 Server

Information about creating an OAuth2 Server can be found on the Custom OAuth2 Server page. Here is how we did it:

  1. To authenticate to the CyberArk instance, first create an OAuth2 server. The server is created from Identity Administration | Apps and Widgets | Web apps.

  2. Click “Add Web Apps” and then click “Add” next to OAuth2 Server in the “Custom” tab.

(Image: CyberArk 1.png)

  3. On the Settings page, enter an Application ID of your choice and note it down.

(Image: CyberArk 2.png)

  4. On the General Usage page, set Client ID type to Confidential. Note the Issuer (this is used as the base URL).

  5. On the Tokens page, set the token type to JwtRS256 and make sure Client Creds is set as the Auth Method. Set the token lifetime according to your organization's standards.

(Image: CyberArk 3.png)

  6. On the Scope page, add isp.audit.events:read to the authorized scopes.

  7. On the Advanced page, add the following to the script:

     setClaim('tenant_id', TenantData.Get("CybrTenantID"));
     setClaim('aud', 'cyberark.isp.audit');

(Image: CyberArk 4.png)

  8. Save.
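As an added example (not part of this article, and not CyberArk's or Mimecast's own tooling), the Python below performs two sanity checks on the setup above: it extracts the <your company name> label from the Issuer FQDN, which is the only part the integration page accepts, and it decodes a token issued by the OAuth2 server to confirm that the configured token type (RS256), the aud and tenant_id claims from the Advanced script, the isp.audit.events:read scope and an unexpired exp are present. The Issuer URL shape and the scope claim being a space-separated string are assumptions, and the sample token builder produces constructed, unsigned tokens for testing only.

```python
import base64
import json
from urllib.parse import urlparse

# Values the OAuth2 server setup described above should produce in a token.
EXPECTED_ALG = "RS256"               # token type JwtRS256
EXPECTED_AUD = "cyberark.isp.audit"  # set by the Advanced-page script
REQUIRED_SCOPE = "isp.audit.events:read"


def tenant_prefix_from_issuer(issuer: str) -> str:
    """Return the <your company name> label of the Issuer FQDN (assumed shape
    https://<company>.id.cyberark.cloud/<appid>/), the only part the UI accepts."""
    host = urlparse(issuer).hostname
    if not host:
        raise ValueError(f"issuer has no hostname: {issuer!r}")
    return host.split(".")[0]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_claims(token: str, now: int) -> list[str]:
    """List setup problems in a JWT's claims (empty list: matches the page).
    Decodes only, no signature verification: a configuration sanity check."""
    try:
        header_b64, payload_b64, _sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["token is not a three-part JWT"]
    problems = []
    if header.get("alg") != EXPECTED_ALG:
        problems.append(f"alg is {header.get('alg')!r}, expected {EXPECTED_ALG}")
    if claims.get("aud") != EXPECTED_AUD:
        problems.append(f"aud is {claims.get('aud')!r}, expected {EXPECTED_AUD}")
    if not claims.get("tenant_id"):
        problems.append("tenant_id claim missing (check the Advanced script)")
    scope = claims.get("scope", "")  # assumed space-separated string or list
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"scope lacks {REQUIRED_SCOPE}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    # Builds constructed samples only; a real token carries an RS256 signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.sig"
```

Run check_token_claims against a token obtained from the server with the service user's client credentials; any non-empty result points at the configuration page (Tokens, Scope or Advanced) that needs correcting.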

Service User

To create a Service User to interact with the Server:

  1. Navigate to Identity Administration | Core Services | Users.

  2. Click Add User.

  3. Create your service user.

  4. Make sure the Status has the following options set:

    • Password never expires

    • Is service account

  5. Once saved, navigate back to the OAuth2 Server app you created and open its “Permissions” tab. Add the service user you created and make sure the Grant, View, Run, and Automatically Deploy checkboxes are selected.

  6. Save.

To create the SIEM integration

  1. Navigate to Administration | My Environment | Integrations | Export to SIEM.

(Image: CyberArk 5.png)

  2. Configure the name and description, and select “Apply”.

  3. On the following screen, note down the API base URL and API key.

(Image: CyberArk 6.png)

  4. Enter these values in the Human Risk CyberArk integration page.
