Configure CyberArk Privilege Cloud for Arctic Wolf monitoring

You can configure CyberArk Privilege Cloud® to send the necessary logs to Arctic Wolf® for security monitoring.

Note:

If you are configuring log monitoring for both CyberArk Privilege Cloud and CyberArk Identity Security Platform, only complete these instructions once.

These resources are required:

  • A user account with the System Administrator role

Create an OAuth2 server web app

  1. Sign in to the Identity Administration portal.
  2. Navigate to Apps & Widgets > Web Apps.
  3. Click Add Web Apps.
  4. In the Add Web Apps dialog, click the Custom tab.
  5. Locate the OAuth2 Server web app, and then click Add.
  6. Click Yes, and then click Close.
  7. If the web app settings page doesn't open automatically, click the OAuth2 Server app that you just created.
  8. On the OAuth2 Server page, configure these settings:
    1. On the Settings tab, in the Application ID field, enter a name for this web app, and then save it in a safe, encrypted location.
      For example, ArcticWolfLogMonitoring.

      You will provide this value to Arctic Wolf later.

    2. Click the Tokens tab.
    3. In the Token Type field, make sure that jwtRS256 is selected.
    4. In the Auth methods section, select Client Creds.
      Auth Code and Implicit are selected by default. Keep these values selected.
    5. Click the Scope tab.
    6. Click Add.
    7. In the Name field, copy and paste this text:
      isp.audit.events:read
    8. Click Save.
    9. Click the Advanced tab.
    10. Remove the sample text, and then copy and paste this text in its place:
      setClaim('tenant_id', TenantData.Get("CybrTenantID"));
      setClaim('aud', 'cyberark.isp.audit');
    11. Click Save.

Create a CyberArk service user

  1. In the Identity Administration portal, navigate to Core Services > Users.
  2. Click Add User.
  3. Configure these settings:
    • Login name — Enter a name for the service account. For example, arctic-wolf-siem-service-user.
    • Email address — Enter a valid email address, and then save it in a safe, encrypted location.

      You will provide this value to Arctic Wolf later.

    • Display name — Enter a descriptive name.
  4. In the Password Type section, click Generated.
  5. Copy the password and then save it in a safe, encrypted location.

    You will provide this value to Arctic Wolf later.

  6. In the Status section, select the Is OAuth confidential client checkbox.
  7. Click Create User.

Configure the CyberArk service user

  1. Connect the service user to the server web app:
    1. In the Identity Administration portal, navigate to Core Services > Users.
    2. In the Sets list, click All Service Users.
    3. Locate and select the service user that you created in Create a CyberArk service user.
    4. Click the Application Settings tab.
    5. Click Add.
    6. Select the OAuth2 Server web app that you created in Create an OAuth2 server web app.
    7. Click Save.
    8. Enter your username when prompted, and then click OK.
  2. Configure permissions for the service user:
    1. Navigate to Apps & Widgets > Web Apps.
    2. Select the OAuth2 Server web app that you created in Create an OAuth2 server web app.
    3. Click the Permissions tab.
    4. Click Add.
    5. Locate the service user that you created in Create a CyberArk service user.
      Note: If you can't find the service user, click Add, search for the service user, select the user, and then click Add.
    6. Select these permissions:
      • Grant
      • View
      • Run
      • Automatically Deploy
    7. Click Save.
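At this point the OAuth2 Server web app, the service user, and its permissions all exist, so the client-credentials grant can be checked before the values are handed to Arctic Wolf. The script below is an added example, not code from the CyberArk or Arctic Wolf documentation. It assumes (the page does not state this) that CyberArk Identity issues client-credentials tokens at https://<tenant>.id.cyberark.cloud/oauth2/token/<application_id>, authenticated with the service user's login and password as HTTP Basic credentials, and that the returned access token is a JWT whose payload carries the aud and tenant_id claims set on the Advanced tab plus a space-separated scope claim. The sample token used for the offline self-check is constructed inline and is not a real CyberArk token.

```python
"""Check that the OAuth2 Server web app issues tokens carrying the claims and
scope configured above. Added example; endpoint layout and claim names below
are assumptions, not taken from the CyberArk documentation."""
import base64
import json
import os
import urllib.parse
import urllib.request

EXPECTED_AUD = "cyberark.isp.audit"        # from setClaim('aud', ...) on the Advanced tab
EXPECTED_SCOPE = "isp.audit.events:read"   # the scope added on the Scope tab


def token_request(identity_endpoint, app_id, client_id, client_secret):
    """Build (without sending) the client-credentials request. Assumed URL layout."""
    url = f"{identity_endpoint.rstrip('/')}/oauth2/token/{app_id}"
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": EXPECTED_SCOPE}
    ).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {basic}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def fetch_token(identity_endpoint, app_id, client_id, client_secret):
    """Send the request and return the access_token string (network call)."""
    req = token_request(identity_endpoint, app_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def check_claims(payload, expected_tenant_id):
    """Return a list of problems; an empty list means the token matches the configuration."""
    problems = []
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in auds:
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUD!r}")
    if payload.get("tenant_id") != expected_tenant_id:
        problems.append(f"tenant_id is {payload.get('tenant_id')!r}, expected {expected_tenant_id!r}")
    scopes = str(payload.get("scope", "")).split()
    if EXPECTED_SCOPE not in scopes:
        problems.append(f"scope {scopes!r} lacks {EXPECTED_SCOPE!r}")
    return problems


def sample_token(aud=EXPECTED_AUD, tenant_id="TENANT-ID-PLACEHOLDER", scope=EXPECTED_SCOPE):
    """Constructed, unsigned sample JWT for offline testing (dummy signature segment)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "tenant_id": tenant_id, "scope": scope}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


if __name__ == "__main__":
    # Live check: supply the values collected during setup via environment variables.
    token = fetch_token(
        os.environ["CYBERARK_IDENTITY_ENDPOINT"],   # e.g. https://<tenant_id>.id.cyberark.cloud
        os.environ["CYBERARK_OAUTH_APP_ID"],        # Application ID, e.g. ArcticWolfLogMonitoring
        os.environ["CYBERARK_SERVICE_USER"],        # service user login / email address
        os.environ["CYBERARK_SERVICE_PASSWORD"],    # generated password
    )
    issues = check_claims(jwt_payload(token), os.environ["CYBERARK_TENANT_ID"])
    print("OK" if not issues else "\n".join(issues))
```

Run it with the five environment variables set; an empty problem list means the web app, the service user and the Advanced-tab claims line up with what the Arctic Wolf cloud sensor expects. The claim check deliberately does not verify the signature, so it is a configuration sanity check only, not a substitute for the verification Arctic Wolf performs.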

Add a CyberArk SIEM integration

  1. Click Select a service > Administration to navigate to the Administration space.
  2. Navigate to My environment > Integrations > Export to SIEM.
  3. Click Create > Create SIEM integration.
  4. In the Step 2: Configure the SIEM integration in Audit section, configure these settings:
    • Name — Enter a descriptive name. For example, Arctic Wolf MDR SIEM Integration.
    • Description — (Optional) Enter a description.
  5. Click Apply.
  6. Click the SIEM integration.
  7. In the Step 1: Generate an access token section, copy the CyberArk Identity endpoint value, and then save it in a safe, encrypted location.

    You will provide this value to Arctic Wolf later.

  8. In the Step 2: Run the Audit integration APIs section, copy the API base URL and API key values, and then save them in a safe, encrypted location.

    You will provide these values to Arctic Wolf later.

Provide CyberArk Privilege Cloud credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click CyberArk Privilege Cloud & Identity Security Platform.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Client ID — Enter the service user email address from Create a CyberArk service user.
    • Client Secret — Enter the service user password from Create a CyberArk service user.
    • CyberArk Identity Endpoint — Enter the CyberArk Identity endpoint value from Add a CyberArk SIEM integration, using this format: https://tenant_id.id.cyberark.cloud.
    • Audit API Endpoint — Enter the API base URL from Add a CyberArk SIEM integration, using this format: https://tenant_name.audit.cyberark.cloud.
    • API KEY — Enter the API key from Add a CyberArk SIEM integration.
    • OAuth2 server web application ID — Enter the application ID from Create an OAuth2 server web app.
    • Audit Data Type — Select which application audit data Arctic Wolf should use. If you are configuring:
      • CyberArk Privilege Cloud — Select PAM.
      • CyberArk Privilege Cloud and CyberArk Identity Security Platform — Select Both.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.