Overview

Wirespeed connects to CyberArk Identity Security Platform Shared Services (ISPSS) to:
  • Sync users from both CyberArk Privilege Cloud (vault accounts) and CyberArk Identity (federated directory users).
  • Ingest audit events from PAM (Privilege Cloud), IDP (Identity), and ADM (Admin) services as logs, with high-signal events (auth failures, unauthorized access, MFA risk checks) also ingested as detections.
  • Contain users via Privilege Cloud (disable / enable / terminate PSM sessions) and Identity Administration (lock / unlock / terminate SSO sessions), automatically routed based on which population the user came from.
This integration is in Beta. Containment actions are implemented but disabled until the integration is promoted to GA.

Prerequisites

You will need:
  • A CyberArk Identity Security Platform Shared Services (ISPSS) tenant with Privilege Cloud, Identity, and/or Admin services enabled.
  • Permission to create OAuth2 web apps and service users in Identity Administration.
  • Permission to create a SIEM integration entry in the Privilege Cloud Administration space.
CyberArk tenants only allow up to two SIEM integrations at a time. Wirespeed consumes one slot.

Setup

The setup involves four pieces in your CyberArk tenant:
  1. A service user to authenticate as.
  2. Two role assignments for that service user (one for Privilege Cloud, one for Identity Administration).
  3. One OAuth2 Server web app (used only for the audit/SIEM stream).
  4. A SIEM integration entry to mint an API key.
Follow the steps below in order.

Step 1 — Create the service user

  1. Sign in to Identity Administration as an administrator.
  2. Go to Core Services → Users and click Add User.
  3. Fill in the user’s details. Set the username to something memorable, e.g. wirespeed-svc@<your-tenant>. The @<your-tenant> suffix is appended automatically.
  4. Under Status, check:
    • Is Service User
    • Is OAuth confidential client
    • Password never expires
  5. Click Create User. Note the username and password — you will need them later.

Step 2 — Assign roles to the service user

The service user needs two role assignments — one to manage Identity directory operations and one to access Privilege Cloud APIs.

2a. Identity Administration role

  1. Go to Core Services → Roles and click Add Role.
  2. Name it (e.g. Wirespeed Integration).
  3. On the Administrative Rights tab, add:
    • User Management — required for syncing and locking Identity directory users.
    • Report Management — required for the Redrock query that pulls federated directory users (DsUsers).
  4. On the Members tab, add the service user.
  5. Click Save.

2b. Privilege Cloud admin role

  1. In Identity Administration, find the built-in Privilege Cloud Administrators role (or any role that grants the equivalent rights — see CyberArk’s Privilege Cloud roles documentation).
  2. On the Members tab, add the service user.
  3. Click Save.
The Privilege Cloud role assignment is required for the integration to call PasswordVault APIs. Without it, the platform token Wirespeed mints will be rejected with 401 by the PasswordVault endpoints.

Step 3 — Create the audit OAuth2 web app (Server template)

This app is used only for the SIEM Audit API. All other Wirespeed API calls use a generic platform token, which doesn’t require a custom web app.
  1. Go to Apps & Widgets → Web Apps and click Add Web Apps.
  2. On the Custom tab, find OAuth2 Server, click Add, and confirm.
  3. On the Settings tab, set:
    • Application ID: WirespeedAudit (or any URL-safe identifier — note it for later).
    • Application Name: Wirespeed Audit.
  4. On the General Usage tab, set Client ID Type to Confidential.
  5. On the Tokens tab, set:
    • Token Type: JwtRS256.
    • Auth Methods: enable Client Creds.
    • Token Lifetime: at least 15 minutes.
  6. On the Scope tab, click Add and create one scope:
    • Name: isp.audit.events:read
  7. On the Advanced tab, paste this script and Save:
    setClaim('tenant_id', TenantData.Get("CybrTenantID"));
    setClaim('aud', 'cyberark.isp.audit');
    
  8. On the Permissions tab, add the service user from Step 1 with Run, View, Grant, and Automatically Deploy permissions.
  9. Click Save at the top.
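
A quick way to confirm that a minted audit token carries the claims configured in this step, useful when the audit API answers 401. This is an added example, not Wirespeed or CyberArk code; it assumes granted scopes arrive in a space-separated scope claim, and the sample tokens are constructed and unsigned.

```python
import base64
import json

EXPECTED_AUD = "cyberark.isp.audit"        # set by the Advanced tab script
EXPECTED_SCOPE = "isp.audit.events:read"   # created on the Scope tab


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_audit_token(token):
    """List configuration problems in the token's claims (signature is not verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUD!r}")
    if not claims.get("tenant_id"):
        problems.append("tenant_id claim is missing or empty")
    # Assumption: granted scopes arrive as a space-separated "scope" claim.
    if EXPECTED_SCOPE not in str(claims.get("scope", "")).split():
        problems.append(f"scope {EXPECTED_SCOPE!r} not granted")
    return problems


def constructed_token(claims):
    # Builds an unsigned sample token for the demo; not a real CyberArk token.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    good = {"aud": EXPECTED_AUD, "tenant_id": "constructed-tenant", "scope": EXPECTED_SCOPE}
    print(check_audit_token(constructed_token(good)))
    # Claims script never saved: aud and tenant_id are both absent.
    print(check_audit_token(constructed_token({"scope": EXPECTED_SCOPE})))
```

Run it against a token minted in a test session only, and treat the token as a credential while it is on disk or in shell history.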

Step 4 — Create the SIEM integration entry

  1. Switch to the Administration space (the tenant-level admin portal).
  2. Go to My environment → Integrations → Export to SIEM.
  3. Click Create → Create SIEM integration.
  4. Give it a name (e.g. Wirespeed) and click Apply.
  5. Note the API key that’s generated — it’s only shown once. The page also displays an API base URL; you generally don’t need to copy it (Wirespeed derives it from the platform token), but keep it handy in case auto-derivation doesn’t work for your tenant.

Step 5 — Connect Wirespeed

  1. In Wirespeed, go to Integrations → Add Integration → CyberArk.
  2. Acknowledge the Beta notice.
  3. Provide:
    | Field | Value |
    | --- | --- |
    | Identity URL | Your Identity Admin URL, e.g. https://aab1234.id.cyberark.cloud (copy from the address bar of the Identity Admin portal). |
    | Audit OAuth2 Server App ID | The Application ID from Step 3 (e.g. WirespeedAudit). |
    | Service User Login | The full login from Step 1, including the tenant suffix (e.g. wirespeed-svc@aab1234). |
    | Service User Password | The password from Step 1. |
    | SIEM API Key | The API key from Step 4. |
  4. Click Add. Wirespeed mints a platform token, derives your Privilege Cloud subdomain from it, and kicks off the first audit + user sync.
The Privilege Cloud subdomain is auto-derived from the platform token on first connect and used to construct both the PasswordVault URL (<sub>.privilegecloud.cyberark.cloud) and the audit URL (<sub>.audit.cyberark.cloud). If your tenant uses a non-standard audit URL (e.g. region-shared hosts like eu.audit.cyberark.cloud), set the Audit API Base URL override manually in the integration’s advanced options.

What gets ingested

Users (daily at 14:00 UTC, plus immediately on connect)

Wirespeed syncs from both CyberArk user populations because they’re distinct sets with different containment paths:

| Source | Population | Containment surface |
| --- | --- | --- |
| PasswordVault (pcloud: prefix) | Vault accounts that can hold privileged credentials, retrieve passwords, and start PSM sessions. | PasswordVault APIs (vault disable/enable, PSM live-session termination). |
| Identity directory (ds: prefix) | Federated AD/LDAP/AzureAD users who authenticate to the tenant via SSO. May or may not be vault users. | Identity Administration APIs (UserMgmt lock/unlock, SSO session termination). |

Each user’s directoryId is prefixed with the source (pcloud:17, ds:a41ca4c8-…) so the containment actions know which API to call. A single human may appear once under each prefix if they exist in both populations. Component users (CPM, PSM, ENE, etc.) are filtered out of the PCloud sync — only real human and service accounts are surfaced.

Audit logs (every minute)

Wirespeed polls the SIEM Audit API for events under three application codes:
  • PAM — Privilege Cloud (vault auth, credential access, privileged sessions, credential rotation, safe management).
  • IDP — Identity (auth, MFA, logout, SAML, risk checks).
  • ADM — Admin (access control, user management, configuration changes).
On first connection, Wirespeed backfills the last 7 days of events (the audit stream’s retention window). After that, polling resumes from a cursor.

Detections

A subset of high-signal events is also ingested as detections and routed through Wirespeed’s verdict / monitor pipeline:

| CyberArk event | OCSF detection class | Severity |
| --- | --- | --- |
| PAM auth failure (PAM00004) | DetectionFinding | Medium |
| PAM logon failed — disabled / expired (PAM00102-104) | DetectionFinding | Medium |
| PAM unauthorized password use (PAM00306-307) | DetectionFinding | High |
| PAM unauthorized safe operations (PAM00017, 00025-026, 00040-047) | DetectionFinding | High |
| Identity MFA failure (Cloud.Core.MfaSummary with MfaResult: failure) | DetectionFinding | Medium |
| Identity Adaptive MFA risk check (Cloud.Core.AdaptiveMfa.RiskCheck) | DetectionFinding | Medium |

All other events flow as logs only.

Containment

While the integration is in Beta, all containment actions return an error indicating containment is not yet enabled. Once promoted to GA, the following actions become available:

| Action | Vault user (pcloud:) | Directory user (ds:) |
| --- | --- | --- |
| Disable User | POST /PasswordVault/API/Users/{id}/disable/ | POST /UserMgmt/ChangeUserAttributes with LockedByAdmin: true |
| Enable User | POST /PasswordVault/API/Users/{id}/enable/ | POST /UserMgmt/ChangeUserAttributes with LockedByAdmin: false |
| Revoke User Sessions | Look up username, search LiveSessions, POST .../Terminate/ for each PSM session | POST /Security/EndUserSessions (terminates SSO sessions) |

The Revoke User Sessions action requires additional Privilege Cloud configuration:
  • AllowPSMNotifications must be set to Yes in PVWA configuration.
  • The service user must be a member of the Terminating Live Sessions Users and Groups group in PVWA.
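
The prefix-based routing described above, sketched as a request planner that fails closed. This is an added example, not Wirespeed's implementation: plan_containment, ContainmentError and ga_enabled are hypothetical names, the numeric check on vault IDs is an assumption drawn from the page's pcloud:17 sample, and only the single-request actions from the table are modelled.

```python
# Single-request containment actions from the table above, keyed by
# (action, directoryId prefix). Values: (HTTP method, path template, body).
ROUTES = {
    ("disable", "pcloud"): ("POST", "/PasswordVault/API/Users/{id}/disable/", None),
    ("enable", "pcloud"): ("POST", "/PasswordVault/API/Users/{id}/enable/", None),
    ("disable", "ds"): ("POST", "/UserMgmt/ChangeUserAttributes", {"LockedByAdmin": True}),
    ("enable", "ds"): ("POST", "/UserMgmt/ChangeUserAttributes", {"LockedByAdmin": False}),
    ("revoke_sessions", "ds"): ("POST", "/Security/EndUserSessions", None),
}


class ContainmentError(Exception):
    """Raised whenever an action cannot be routed safely."""


def plan_containment(action, directory_id, ga_enabled=False):
    """Build (but do not send) the request for one containment action."""
    if not ga_enabled:
        # Beta behaviour described on the page: every action errors out.
        raise ContainmentError("containment is not yet enabled")
    prefix, sep, user_id = directory_id.partition(":")
    if not sep or prefix not in ("pcloud", "ds") or not user_id:
        # Fail closed: never guess which API owns an unprefixed ID.
        raise ContainmentError(f"unroutable directoryId: {directory_id!r}")
    # Assumption: vault user IDs are numeric, as in the page's pcloud:17.
    # Checking before substitution keeps stray path characters out of the URL.
    if prefix == "pcloud" and not (user_id.isascii() and user_id.isdigit()):
        raise ContainmentError(f"vault user ID is not numeric: {user_id!r}")
    route = ROUTES.get((action, prefix))
    if route is None:
        # Includes the multi-step PSM session termination, not modelled here.
        raise ContainmentError(f"{action!r} is not a single-request action for {prefix}:")
    method, template, body = route
    surface = "PasswordVault" if prefix == "pcloud" else "Identity Administration"
    return {"surface": surface, "method": method, "body": body,
            "path": template.replace("{id}", user_id), "user_id": user_id}


if __name__ == "__main__":
    # Constructed IDs; the ds: value is a placeholder, not a real directory ID.
    print(plan_containment("disable", "pcloud:17", ga_enabled=True))
    print(plan_containment("disable", "ds:constructed-user-id", ga_enabled=True))
```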

Limits and caveats

  • Audit stream retention: 7 days. If Wirespeed can’t poll for longer than that (e.g. extended outage), the gap is unrecoverable.
  • Audit stream rate limit: 1 API call per minute per integration. Wirespeed polls on a 1-minute cron and respects this.
  • PasswordVault user list: capped at 6,000 users in a single response. The user list for larger vault tenants would currently be truncated.
  • SIEM integrations per tenant: 2. Wirespeed consumes one.
  • Service user credentials: rotate the service user’s password in Identity Administration, then update it in the Wirespeed integration settings.
  • PSM live-session termination requires AllowPSMNotifications=Yes in PVWA and the service user to be in the Terminating Live Sessions Users and Groups vault config group. Without that, only SSO-side session termination works (still effective for blocking new privileged sessions).

Troubleshooting

If you see authentication errors after setup, the most common causes are:

| Symptom | Likely cause |
| --- | --- |
| invalid_scope on audit token mint | The isp.audit.events:read scope on the audit OAuth app’s Scope tab doesn’t exactly match (case- and punctuation-sensitive). |
| Audit token mints but audit API calls 401 | The aud / tenant_id claims script (Step 3.7) wasn’t saved, or the service user is missing Run permission on the audit OAuth app. |
| Audit calls 401 even with the right token | The x-api-key header is missing or wrong. |
| User sync returns no users / 401 | The service user is not assigned to a Privilege Cloud admin role (Step 2b), or the auto-derived subdomain is wrong — set pcloudSubdomain manually in the integration’s advanced options. |
| Audit calls fail with DNS errors / 404 | Auto-derived audit URL <sub>.audit.cyberark.cloud is wrong for your tenant. Set auditApiBaseUrl manually in advanced options to the URL shown on the SIEM integration page. |
| Containment actions return “not yet enabled” | The integration is still in Beta. Contact your Wirespeed account team to promote to GA. |
| Revoke Sessions returns 403 | The service user is not a member of the Terminating Live Sessions Users and Groups group, or AllowPSMNotifications is not enabled. |