You may also download a PDF version of this guide.
Product Overview
CyberArk Identity is an Identity and Access Management (IAM) solution that delivers secure access to applications and resources for any user, from any device, anywhere. It provides a comprehensive set of capabilities including Single Sign-On (SSO), adaptive Multi-Factor Authentication (MFA), and user lifecycle management to enforce intelligent, context-aware access policies and protect against identity-based threats. The platform is built on the principles of Zero Trust, verifying every access request to ensure that only authorized users can access sensitive data. By integrating with a wide range of applications, both in the cloud and on-premises, CyberArk Identity helps organizations reduce password-related risks, streamline compliance and auditing, and provide a seamless and secure user experience.
What We Support for CyberArk Identity
To see a comprehensive list of the most up-to-date Expel detection rules, vendor detection rules, opt-in detections, and available DUETs (did you expect this) that we support for CyberArk Identity, you can visit the Detections page in Workbench or ask your Sales or Support rep for the most recent download.
| Supported versions |
|
| Supported event log sources |
|
| CyberArk Identity detection rules support |
No. |
| Detection rules written by Expel | Yes. |
| Auto remediations | No. |
| Investigative support through Workbench |
Yes. We are able to take the following investigative actions to gather data for triage and investigation of events:
|
| Hunting support |
No. Hunting is not currently available for this |
Additional Details and Common Questions
Console Access
A vendor alert does not typically include all of the contextual timeline activity surrounding the event of interest. Because this integration does not allow us to get all necessary data via the API, we will ask you for a certain level of console access during onboarding.
The level of access that we require is meant to support essential triage and research activities, and to help us determine the vector and extent of attacker activity for an identified threat. At minimum, we will ask for visibility into alert data, timeline events recorded, and live response/real time response shell (if applicable).
DUET
A DUET (did you expect this) rule flags certain events as needing an immediate verification or notification, and bypasses the normal internal event triage process. The events subject to DUET rules contain behaviors that are not typically indicative of true security incidents, as they are related to policy violations or potential risk.
There are a number of workflows that a DUET may follow. When enabled, the activity will be flagged for investigation and will be routed to you (rather than to us) to take a specified first action. To see the specific DUET rules currently supported for this integration, visit the Detections page in Workbench.