> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wirespeed.co/llms.txt
> Use this file to discover all available pages before exploring further.

# CyberArk

> Ingest audit events and sync users from CyberArk Privilege Cloud and Identity

## Overview

Wirespeed connects to CyberArk Identity Security Platform Shared Services (ISPSS) to:

* **Sync users** from both CyberArk Privilege Cloud (vault accounts) and CyberArk Identity (federated directory users).
* **Ingest audit events** from PAM (Privilege Cloud), IDP (Identity), and ADM (Admin) services as logs, with high-signal events (auth failures, unauthorized access, MFA risk checks) also ingested as detections.
* **Contain users** via Privilege Cloud (disable / enable / terminate PSM sessions) and Identity Administration (lock / unlock / terminate SSO sessions), automatically routed based on which population the user came from.

<Warning>
  This integration is in **Beta**. Containment actions are implemented but disabled until the integration is promoted to GA.
</Warning>

## Prerequisites

You will need:

* A **CyberArk Identity Security Platform Shared Services (ISPSS)** tenant with Privilege Cloud, Identity, and/or Admin services enabled.
* Permission to create OAuth2 web apps and service users in **Identity Administration**.
* Permission to create a **SIEM integration entry** in the Privilege Cloud Administration space.

<Info>
  CyberArk tenants only allow up to **two SIEM integrations** at a time. Wirespeed consumes one slot.
</Info>

## Setup

The setup involves four pieces in your CyberArk tenant:

1. A service user to authenticate as.
2. Two role assignments for that service user (one for Privilege Cloud, one for Identity Administration).
3. One OAuth2 Server web app (used only for the audit/SIEM stream).
4. A SIEM integration entry to mint an API key.

Follow the steps below in order.

### Step 1 — Create the service user

1. Sign in to **Identity Administration** as an administrator.
2. Go to **Core Services → Users** and click **Add User**.
3. Fill in the user's details. Set the username to something memorable, e.g. `wirespeed-svc@<your-tenant>`. The `@<your-tenant>` suffix is appended automatically.
4. Under **Status**, check:
   * **Is Service User**
   * **Is OAuth confidential client**
   * **Password never expires**
5. Click **Create User**. Note the username and password — you will need them later.

### Step 2 — Assign roles to the service user

The service user needs two role assignments — one to manage Identity directory operations and one to access Privilege Cloud APIs.

#### 2a. Identity Administration role

1. Go to **Core Services → Roles** and click **Add Role**.
2. Name it (e.g. `Wirespeed Integration`).
3. On the **Administrative Rights** tab, add:
   * **User Management** — required for syncing and locking Identity directory users.
   * **Report Management** — required for the Redrock query that pulls federated directory users (`DsUsers`).
4. On the **Members** tab, add the service user.
5. Click **Save**.

#### 2b. Privilege Cloud admin role

1. In Identity Administration, find the built-in **Privilege Cloud Administrators** role (or any role that grants the equivalent rights — see CyberArk's [Privilege Cloud roles documentation](https://docs.cyberark.com/identity-administration/latest/en/content/coreservices/getstarted/ispss-user-roles.htm)).
2. On the **Members** tab, add the service user.
3. Click **Save**.

<Warning>
  The Privilege Cloud role assignment is **required** for the integration to call PasswordVault APIs. Without it, the platform token Wirespeed mints will be rejected with 401 by the PasswordVault endpoints.
</Warning>

### Step 3 — Create the audit OAuth2 web app (Server template)

This app is used only for the SIEM Audit API. All other Wirespeed API calls use a generic platform token, which doesn't require a custom web app.

1. Go to **Apps & Widgets → Web Apps** and click **Add Web Apps**.
2. On the **Custom** tab, find **OAuth2 Server**, click **Add**, and confirm.
3. On the **Settings** tab, set:
   * **Application ID**: `WirespeedAudit` (or any URL-safe identifier — note it for later).
   * **Application Name**: `Wirespeed Audit`.
4. On the **General Usage** tab, set **Client ID Type** to **Confidential**.
5. On the **Tokens** tab, set:
   * **Token Type**: **JwtRS256**.
   * **Auth Methods**: enable **Client Creds**.
   * **Token Lifetime**: at least 15 minutes.
6. On the **Scope** tab, click **Add** and create one scope:
   * **Name**: `isp.audit.events:read`
7. On the **Advanced** tab, paste this script and **Save**:
   ```js theme={null}
   setClaim('tenant_id', TenantData.Get("CybrTenantID"));
   setClaim('aud', 'cyberark.isp.audit');
   ```
8. On the **Permissions** tab, add the service user from Step 1 with **Run**, **View**, **Grant**, and **Automatically Deploy** permissions.
9. Click **Save** at the top.

### Step 4 — Create the SIEM integration entry

1. Switch to the **Administration** space (the tenant-level admin portal).
2. Go to **My environment → Integrations → Export to SIEM**.
3. Click **Create → Create SIEM integration**.
4. Give it a name (e.g. `Wirespeed`) and click **Apply**.
5. Note the **API key** that's generated — it's only shown once. The page also displays an **API base URL**; you generally don't need to copy it (Wirespeed derives it from the platform token), but keep it handy in case auto-derivation doesn't work for your tenant.

### Step 5 — Connect Wirespeed

1. In Wirespeed, go to **Integrations → Add Integration → CyberArk**.

2. Acknowledge the Beta notice.

3. Provide:

   | Field                          | Value                                                                                                                       |
   | ------------------------------ | --------------------------------------------------------------------------------------------------------------------------- |
   | **Identity URL**               | Your Identity Admin URL, e.g. `https://aab1234.id.cyberark.cloud` (copy from the address bar of the Identity Admin portal). |
   | **Audit OAuth2 Server App ID** | The Application ID from Step 3 (e.g. `WirespeedAudit`).                                                                     |
   | **Service User Login**         | The full login from Step 1, including the tenant suffix (e.g. `wirespeed-svc@aab1234`).                                     |
   | **Service User Password**      | The password from Step 1.                                                                                                   |
   | **SIEM API Key**               | The API key from Step 4.                                                                                                    |

4. Click **Add**. Wirespeed mints a platform token, derives your Privilege Cloud subdomain from it, and kicks off the first audit + user sync.

<Info>
  The **Privilege Cloud subdomain** is auto-derived from the platform token on first connect and used to construct both the PasswordVault URL (`<sub>.privilegecloud.cyberark.cloud`) and the audit URL (`<sub>.audit.cyberark.cloud`). If your tenant uses a non-standard audit URL (e.g. region-shared hosts like `eu.audit.cyberark.cloud`), set the **Audit API Base URL** override manually in the integration's advanced options.
</Info>

## What gets ingested

### Users (daily at 14:00 UTC, plus immediately on connect)

Wirespeed syncs from **both** CyberArk user populations because they're distinct sets with different containment paths:

| Source                                | Population                                                                                             | Containment surface                                                           |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------- |
| **PasswordVault** (`pcloud:` prefix)  | Vault accounts that can hold privileged credentials, retrieve passwords, and start PSM sessions.       | PasswordVault APIs (vault disable/enable, PSM live-session termination).      |
| **Identity directory** (`ds:` prefix) | Federated AD/LDAP/AzureAD users who authenticate to the tenant via SSO. May or may not be vault users. | Identity Administration APIs (UserMgmt lock/unlock, SSO session termination). |

Each user's `directoryId` is prefixed with the source (`pcloud:17`, `ds:a41ca4c8-…`) so the containment actions know which API to call. A single human may appear once under each prefix if they exist in both populations.

Component users (CPM, PSM, ENE, etc.) are filtered out of the PCloud sync — only real human and service accounts are surfaced.

### Audit logs (every minute)

Wirespeed polls the SIEM Audit API for events under three application codes:

* **PAM** — Privilege Cloud (vault auth, credential access, privileged sessions, credential rotation, safe management).
* **IDP** — Identity (auth, MFA, logout, SAML, risk checks).
* **ADM** — Admin (access control, user management, configuration changes).

On first connection, Wirespeed backfills the **last 7 days** of events (the audit stream's retention window). After that, polling resumes from a cursor.

### Detections

A subset of high-signal events are also ingested as detections and routed through Wirespeed's verdict / monitor pipeline:

| CyberArk event                                                           | OCSF detection class | Severity |
| ------------------------------------------------------------------------ | -------------------- | -------- |
| PAM auth failure (PAM00004)                                              | DetectionFinding     | Medium   |
| PAM logon failed — disabled / expired (PAM00102-104)                     | DetectionFinding     | Medium   |
| PAM unauthorized password use (PAM00306-307)                             | DetectionFinding     | High     |
| PAM unauthorized safe operations (PAM00017, 00025-026, 00040-047)        | DetectionFinding     | High     |
| Identity MFA failure (`Cloud.Core.MfaSummary` with `MfaResult: failure`) | DetectionFinding     | Medium   |
| Identity Adaptive MFA risk check (`Cloud.Core.AdaptiveMfa.RiskCheck`)    | DetectionFinding     | Medium   |

All other events flow as logs only.

## Containment

While the integration is in Beta, all containment actions return an error indicating containment is not yet enabled. Once promoted to GA, the following actions become available:

| Action                   | Vault user (`pcloud:`)                                                              | Directory user (`ds:`)                                            |
| ------------------------ | ----------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| **Disable User**         | `POST /PasswordVault/API/Users/{id}/disable/`                                       | `POST /UserMgmt/ChangeUserAttributes` with `LockedByAdmin: true`  |
| **Enable User**          | `POST /PasswordVault/API/Users/{id}/enable/`                                        | `POST /UserMgmt/ChangeUserAttributes` with `LockedByAdmin: false` |
| **Revoke User Sessions** | Look up username, search `LiveSessions`, `POST .../Terminate/` for each PSM session | `POST /Security/EndUserSessions` (terminates SSO sessions)        |

<Warning>
  The **Revoke User Sessions** action requires additional Privilege Cloud configuration:

  * `AllowPSMNotifications` must be set to **Yes** in PVWA configuration.
  * The service user must be a member of the **Terminating Live Sessions Users and Groups** group in PVWA.
</Warning>

## Limits and caveats

* **Audit stream retention**: 7 days. If Wirespeed can't poll for longer than that (e.g. extended outage), the gap is unrecoverable.
* **Audit stream rate limit**: 1 API call per minute per integration. Wirespeed polls on a 1-minute cron and respects this.
* **PasswordVault user list**: capped at 6,000 users in a single response. Larger vault tenants would currently be truncated.
* **SIEM integrations per tenant**: 2. Wirespeed consumes one.
* **Service user credentials**: rotate the service user's password in Identity Administration, then update it in the Wirespeed integration settings.
* **PSM live-session termination** requires `AllowPSMNotifications=Yes` in PVWA and the service user to be in the **Terminating Live Sessions Users and Groups** vault config group. Without that, only SSO-side session termination works (still effective for blocking new privileged sessions).

## Troubleshooting

If you see authentication errors after setup, the most common causes are:

| Symptom                                      | Likely cause                                                                                                                                                                               |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `invalid_scope` on audit token mint          | The `isp.audit.events:read` scope on the audit OAuth app's Scope tab doesn't exactly match (case- and punctuation-sensitive).                                                              |
| Audit token mints but audit API calls 401    | The `aud` / `tenant_id` claims script (Step 3.7) wasn't saved, or the service user is missing **Run** permission on the audit OAuth app.                                                   |
| Audit calls 401 even with the right token    | The `x-api-key` header is missing or wrong.                                                                                                                                                |
| User sync returns no users / 401             | The service user is not assigned to a Privilege Cloud admin role (Step 2b), or the auto-derived subdomain is wrong — set `pcloudSubdomain` manually in the integration's advanced options. |
| Audit calls fail with DNS errors / 404       | Auto-derived audit URL `<sub>.audit.cyberark.cloud` is wrong for your tenant. Set `auditApiBaseUrl` manually in advanced options to the URL shown on the SIEM integration page.            |
| Containment actions return "not yet enabled" | The integration is still in Beta. Contact your Wirespeed account team to promote to GA.                                                                                                    |
| Revoke Sessions returns 403                  | The service user is not a member of the **Terminating Live Sessions Users and Groups** group, or `AllowPSMNotifications` is not enabled.                                                   |
