CyberArk Idaptive
Visualize CyberArk Idaptive Devices, Users, Applications, Roles, Accounts and monitor changes through queries and alerts.
- Installation
- Data Model
Development
This integration focuses on ingesting devices, users, accounts and applications from the CyberArk Idaptive REST API. There are two components of interest:
- The CyberArk Idaptive tenant (available at
https://<tenant-id>.id.cyberark.cloud). You will need a username and password to log in to the tenant. - The CyberArk Idaptive REST API reference
Installation
You will have to create a service user and a client application to generate access token and use this access token to make REST API calls to fetch data from CyberArk Idaptive. To do this:
Using a web browser, go to your CyberArk idaptive tenant (e.g.
https://my-tenant.id.cyberark.cloud/) and log in with your credentials.Go to the Admin portal
Go to Core Services -> Users. Fill in all required fields. Check password never expires, Is service user and Is OAuth Credential Client in status as show in the below image and click on create user
In Admin Portal, click on Apps & Widgets -> Web Apps. Select Add Web Apps on top right corner
Click on custom and choose OAuth2 Client from the list as shown in the image
Select the Organization from the dropdown and click on Add (this prompt may not show up)
On the settings page, Give an ID for the application, It can be any name. Save it somewhere, It is required while configuring the integration in JupiterOne
Click on General Usage in the sidebar and select Confidential and check Must be OAuth Client
Go to Tokens in the side bar and select client credentials and choose validity of access token. Choose a period greater than 10 minutes as it was advised in the CyberArk Idaptive documentation and enable refresh tokens.
Select scope in the sidebar and click on Add, give it the name
alland in the regex addCDirectoryService/GetUsers|redrock/query|Roles/GetRoleMembers|SysInfo/About|UPRest/GetResultantAppsForUser|Acl/GetRowAces
Select the permissions in the side bar, search for the service account you have created previously and click on add
Grant the
Runpermission to the service account. Click SaveGo to Roles -> System Administrator
Go to members and add Service account as the member
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Account | cyberark_idaptive_account | Account |
| Application | cyberark_idaptive_application | Application |
| Device | cyberark_idaptive_device | Device |
| Role | cyberark_idaptive_role | AccessRole |
| Service | cyberark_idaptive | Service |
| User | cyberark_idaptive_user | User |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
cyberark_idaptive_account | HAS | cyberark_idaptive_user |
cyberark_idaptive_account | HAS | cyberark_idaptive_application |
cyberark_idaptive_account | PROVIDES | cyberark_idaptive |
cyberark_idaptive_role | ASSIGNED | cyberark_idaptive_application |
cyberark_idaptive_user | HAS | cyberark_idaptive_device |
cyberark_idaptive_user | ASSIGNED | cyberark_idaptive_role |
cyberark_idaptive_user | ASSIGNED | cyberark_idaptive_application |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
cyberark_idaptive_user | IS | Person | FORWARD |