Configure CyberArk Identity Security Platform for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform identity-based response actions in your network using CyberArk Identity Security Platform®.

CyberArk Identity Security Platform supports these response actions:
  • Disable/Enable a user

For more information, see Response action descriptions.

Note:

Configure this integration with your primary identity provider in a cloud-based environment. Arctic Wolf does not support hybrid or on-premises environments for identity-based response actions.

These resources are required:

  • A user account with the System Administrator role
  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Create a CyberArk service user

  1. In the Identity Administration portal, navigate to Core Services > Users.
  2. Click Add User.
  3. Configure these settings:
    • Login name — Enter a name for the service account. For example, arctic-wolf-siem-service-user.
    • Email address — Enter a valid email address, and then save it in a safe, encrypted location.

      You will provide this value to Arctic Wolf later.

    • Display name — Enter a descriptive name.
  4. In the Password Type section, click Generated.
  5. Copy the password and then save it in a safe, encrypted location.

    You will provide this value to Arctic Wolf later.

  6. In the Status section, select the Is OAuth confidential client checkbox.
  7. Click Create User.

Configure CyberArk service user permissions for Active Response

  1. On the left navigation menu, navigate to Core Services > Roles.
  2. Click Add Role.
  3. Configure these settings:
    • Name — Enter a name for the role. For example, Arctic Wolf Active Response.
    • Description — (Optional) Enter a description for the role.
    • Role Type — Make sure that Static is selected.
  4. Click Save.
    The role details page opens.
  5. Click the Members tab.
  6. Click Add.
  7. Search for and select the service account that you created in Create a CyberArk service user.
  8. Click Add.
  9. Click the Administrative Rights tab.
  10. Click Add.
  11. Search for and select the User Management permission.
  12. Click Add.
  13. Click Save.

Provide CyberArk Identity Security Platform Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click CyberArk Identity.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration.
    • Base URL — Enter the base URL of your CyberArk domain. For example, https://<identity-id>.id.cyberark.cloud.
    • Client ID — Enter the service user login value from Create a CyberArk service user.
    • Client Secret — Enter the service user password from Create a CyberArk service user.
  6. Click Save Integration.
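
A pre-flight check for the Base URL, Client ID, and Client Secret values from step 5, shown as an added example that is not Arctic Wolf or CyberArk code. The tenant host pattern and the /oauth2/platformtoken path are assumptions to confirm against your tenant's CyberArk documentation, and abc1234 is a constructed tenant ID.

```python
import re
import urllib.parse
import urllib.request

# Assumption: one lowercase tenant label in front of the suffix from the Base URL example.
TENANT_HOST = re.compile(r"[a-z0-9-]+\.id\.cyberark\.cloud")
# Assumption: client-credentials token path; confirm in your tenant's CyberArk docs.
TOKEN_PATH = "/oauth2/platformtoken"


def check_base_url(base_url):
    """Return a list of problems with the Base URL; an empty list means it looks right."""
    problems = []
    parts = urllib.parse.urlsplit(base_url.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not TENANT_HOST.fullmatch(parts.hostname or ""):
        problems.append("host is not <identity-id>.id.cyberark.cloud")
    if parts.username or parts.password:
        problems.append("URL must not embed credentials")
    try:
        if parts.port not in (None, 443):
            problems.append("unexpected port")
    except ValueError:
        problems.append("port is not a number")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("remove path, query and fragment")
    return problems


def build_token_request(base_url, client_id, client_secret):
    """Build, without sending, a token request that exercises the service user's credentials."""
    problems = check_base_url(base_url)
    if problems:
        raise ValueError("; ".join(problems))
    if not client_id or not client_secret:
        raise ValueError("Client ID and Client Secret are both required")
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return urllib.request.Request(
        "https://" + urllib.parse.urlsplit(base_url.strip()).hostname + TOKEN_PATH,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


if __name__ == "__main__":
    # Constructed sample values, not real tenants.
    for url in ("https://abc1234.id.cyberark.cloud", "http://abc1234.id.cyberark.cloud/login"):
        print(url, "->", check_base_url(url) or "ok")
```

Passing the returned request to urllib.request.urlopen sends it. A successful response indicates that the login name and generated password authenticate as an OAuth confidential client.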