Setting up this integration requires you to create one security device in Workbench for the SIEM (you will find a link to those instructions in this guide), and a separate security device for the CyberArk integration (that device will reference the SIEM's device). 

Scope and Limitations

When choosing to set up this integration, remember the following:

  1. You must use a supported SIEM to set up this type of connection. This integration's supported SIEMs include:
    • Splunk
  2. Custom detection rules cannot be used with a via SIEM connection.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Set Up Logging
  2. Set Up the SIEM
  3. Add CyberArk PAM as a Security Device in Workbench

Step 1: Set Up Logging

You must first confirm that your SIEM's data sources are logging properly, and then specify which logs the SIEM should ingest, where they should be stored, and any other data quality information that should be included.

You should work with your SIEM representative or refer to your SIEM's documentation if you need help with this step. The following web resources are also available:

Note

Before continuing to Step 2, note the Splunk index where the logs are located (you will need it in a later step).
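Before noting the index, it is worth confirming that events are actually landing in it. The following is an added example, not part of this guide or of Expel's or Splunk's own tooling: it runs a oneshot search against Splunk's REST API (management port 8089) and reports how many events each sourcetype wrote to the index in the last 15 minutes. The Splunk URL, token, index name and the sourcetype values in the sample response are assumed or constructed.

```python
"""Pre-flight check for Step 1: confirm the Splunk index holds recent events."""
import json
import urllib.parse
import urllib.request
from typing import Dict


def build_oneshot_query(index: str, lookback: str = "-15m") -> Dict[str, str]:
    """Form fields for POST /services/search/jobs in oneshot mode.

    The SPL counts events per sourcetype in the index over the lookback window.
    The index name is validated so only a plain Splunk index name is spliced
    into the search string."""
    if not index.replace("_", "").replace("-", "").isalnum():
        raise ValueError(f"unexpected characters in index name: {index!r}")
    return {
        "search": f'search index="{index}" | stats count by sourcetype',
        "earliest_time": lookback,
        "latest_time": "now",
        "exec_mode": "oneshot",
        "output_mode": "json",
    }


def summarize_results(body: str) -> Dict[str, int]:
    """Parse the JSON oneshot response into {sourcetype: event count}."""
    rows = json.loads(body).get("results", [])
    return {row["sourcetype"]: int(row["count"]) for row in rows}


def logs_are_flowing(counts: Dict[str, int]) -> bool:
    """An empty result means nothing reached the index during the window;
    fix the data source before creating the Workbench device."""
    return sum(counts.values()) > 0


def check_index(splunk_url: str, token: str, index: str) -> Dict[str, int]:
    """Run the search against a live instance (assumed URL and bearer token)."""
    data = urllib.parse.urlencode(build_oneshot_query(index)).encode()
    req = urllib.request.Request(f"{splunk_url}/services/search/jobs", data=data,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return summarize_results(resp.read().decode())


# Constructed sample response (not captured from a real Splunk instance) so the
# parsing can be exercised offline; a real response has the same "results" array.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"sourcetype": "cyberark:epv:cef", "count": "412"},
    {"sourcetype": "cyberark:pta:cef", "count": "17"},
]})

if __name__ == "__main__":
    counts = summarize_results(SAMPLE_RESPONSE)
    print(counts, "flowing" if logs_are_flowing(counts) else "NO EVENTS")
```

To run it against your own Splunk, call `check_index("https://splunk.example.internal:8089", token, "your_index")` and treat an empty result as a stop sign for Step 2.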

Step 2: Set Up the SIEM

You must set up the SIEM as its own security device before you can configure this integration's security device, since you are using it as a connection. Select the link below to go to your SIEM's setup guide, then return to this page when you have completed it:

Important

Be sure to confirm the SIEM's security device in Workbench is connected and logs are flowing before continuing to Step 3 in this guide.

Step 3: Add CyberArk PAM as a Security Device in Workbench

When you set up this device, you will choose the security device you created in Step 2 as the SIEM (this will enable the via SIEM connection). Before you begin, make sure you have the Splunk index where the logs are located.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type “CyberArk” and then select the CyberArk Privileged Access Management (PAM) (via SIEM) integration.
  5. Complete the fields as follows:
    • SIEM - select the SIEM's device from Step 2.
    • Name - enter a name that helps you identify this integration, such as “CompanyName PAM”; this name displays in Workbench under the Name column and is a text string you can filter on.
    • Location - enter the location of your integration, for example “cloud”; this is also a text string you can filter on, so we recommend consistent location naming across your Expel integrations.
    • Index - enter the Splunk index where the logs are located.
    • Select Save.
  6. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.

To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.