CyberArk Plugin for User Risk Exchange
This document explains how to configure the CyberArk integration with the User Risk Exchange module of the Netskope Cloud Exchange platform.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
- A CyberArk account with Identity Administration access.
- Connectivity to the CyberArk login URL, for example: https://abd4143.id.cyberark.cloud/
CE Version Compatibility
This plugin is compatible with these Netskope CE versions: v4.2.0, v5.0.0
CyberArk Plugin Support
The URE CyberArk plugin is used to add a CyberArk user to, or remove a user from, CyberArk Roles. This plugin does not support pulling risk scores for users or hosts from CyberArk.
User score pull | Not Supported
Host score pull | Not Supported
Actions | Add to Role, Remove from Role, No Action
Mappings
- NA
Permissions
Below are the permissions needed to use the CyberArk plugin.
- System Administrator permission (for platform access).
- Is OAuth confidential client (for plugin configuration).
API Details
List of APIs used
API Endpoint | Method | Use Case
/oauth2/platformtoken | POST | Generate Auth Token
/RedRock/query | POST | Get All Roles
/RedRock/query | POST | Find user by username
/RedRock/query | POST | Find role by rolename
/Roles/StoreRole | POST | Create Role
/UserMgmt/GetUserInfo | POST | Get User Info
/SaasManage/AddUsersAndGroupsToRole | POST | Add user to role
/SaasManage/RemoveUsersAndGroupsFromRole | POST | Remove user from role
Generate Token
API Endpoint: /oauth2/platformtoken
Method: POST
Data:
grant_type: client_credentials
scope: all
client_id: cyberark_service_user
client_secret: cyberark_service_password
Headers:
Accept: application/json
Content-Type: application/x-www-form-urlencoded
API Request Endpoint:
https://<tenant_url>/oauth2/platformtoken
Sample API Response:
{ "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkRDRTVENUI3MTBEMzc3MEYwNkNCRTUyQzY3RTVGRjY2QTA3MjZFNzUiLCJ4NXQiOiIzT1hWdHhEVGR3OEd5LVVzWi1YX1pxQnliblU*******************************************************************Ef1M6Frjux1pLS4FBFBfb4_IZYbUoA9oNvKN82nL2Wv3ErV7x87gOvmrc63liBYx5-BHH8fXIUN8kA", "token_type": "Bearer", "expires_in": 900, "scope": "all" }
Get All Roles
API Endpoint: /RedRock/query
Method: POST
Data:
{"Script": "Select ID, Name from Role order by Name"}
Headers:
Authorization: Bearer <bearer token>
API Request Endpoint:
https://<tenant_url>/RedRock/query
Sample API Response:
{ "success": true, "Result": { "IsAggregate": false, "Count": 13, "Columns": [ { "Name": "ID", "IsHidden": false, "DDName": "_ID", "Title": "ID", "DDTitle": "ID", "Description": "Row Identifier (primary key)", "Type": 12, "Format": null, "Width": 0, "TableKey": "Primary", "ForeignKey": null, "TableName": "Role" }, { "Name": "Name", "IsHidden": false, "DDName": "Name", "Title": "Name", "DDTitle": "Name", "Description": null, "Type": 12, "Format": null, "Width": 0, "TableKey": "NotAKey", "ForeignKey": null, "TableName": "Role" } ], "FullCount": 2, "Results": [ { "Entities": [ { "Type": "Role", "Key": "d47336b0_d7bd_4a65_989e_95606e878cb7", "IsForeignKey": false } ], "Row": { "_TableName": "roles", "Name": "Add role to CE users", "ID": "d47336b0_d7bd_4a65_989e_95606e878cb7" } }, { "Entities": [ { "Type": "Role", "Key": "bbf1d29f_7f69_45af_8555_aca99ded577b", "IsForeignKey": false } ], "Row": { "_TableName": "roles", "Name": "testuser", "ID": "bbf1d29f_7f69_45af_8555_aca99ded577b" } } ], "ReturnID": "" }, "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "IsSoftError": false, "InnerExceptions": null }
Find User by Username
API Endpoint: /RedRock/query
Method: POST
Data:
{"Script": "select ID, Username from Users where Username = '<user>@<suffix>'"}
Headers:
Authorization: Bearer <bearer token>
API Request Endpoint:
https://<tenant_url>/RedRock/query
Sample API Response:
{ "success": true, "Result": { "IsAggregate": false, "Count": 1, "Columns": [ { "Name": "ID", "IsHidden": false, "DDName": "_ID", "Title": "ID", "DDTitle": "ID", "Description": "Row Identifier (primary key)", "Type": 12, "Format": null, "Width": 0, "TableKey": "Primary", "ForeignKey": null, "TableName": "User" }, { "Name": "Username", "IsHidden": false, "DDName": "Username", "Title": "Username", "DDTitle": "Username", "Description": "User name.", "Type": 12, "Format": null, "Width": 0, "TableKey": "NotAKey", "ForeignKey": null, "TableName": "User" } ], "FullCount": 1, "Results": [ { "Entities": [ { "Type": "User", "Key": "d3530f17-0e7f-4114-aeea-b8fbe678814e", "IsForeignKey": false } ], "Row": { "_TableName": "users", "ID": "d3530f17-0e7f-4114-aeea-b8fbe678814e", "Username": "@" } } ], "ReturnID": "" }, "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "IsSoftError": false, "InnerExceptions": null }
Find Role by Rolename
API Endpoint: /RedRock/query
Method: POST
Data:
{"Script": "select ID, Name from Role where Name = 'System Administrator'"}
Headers:
Authorization: Bearer <bearer token>
API Request Endpoint:
https://<tenant_url>/RedRock/query
Sample API Response:
{ "success": true, "Result": { "IsAggregate": false, "Count": 1, "Columns": [ { "Name": "ID", "IsHidden": false, "DDName": "_ID", "Title": "ID", "DDTitle": "ID", "Description": "Row Identifier (primary key)", "Type": 12, "Format": null, "Width": 0, "TableKey": "Primary", "ForeignKey": null, "TableName": "Role" }, { "Name": "Name", "IsHidden": false, "DDName": "Name", "Title": "Name", "DDTitle": "Name", "Description": null, "Type": 12, "Format": null, "Width": 0, "TableKey": "NotAKey", "ForeignKey": null, "TableName": "Role" } ], "FullCount": 1, "Results": [ { "Entities": [ { "Type": "Role", "Key": "sysadmin", "IsForeignKey": false } ], "Row": { "_TableName": "roles", "Name": "System Administrator", "ID": "sysadmin" } } ], "ReturnID": "" }, "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "IsSoftError": false, "InnerExceptions": null }
Create a Role
API Endpoint: /Roles/StoreRole
Method: POST
Data:
{"Description": "Created From Netskop URE", "Name": "<Role Name>"}
Headers:
Authorization: Bearer <bearer token>
API Request Endpoint:
https://<tenant_url>/Roles/StoreRole
Sample API Response:
{ "success": true, "Result": { "_RowKey": "8a67f7e2_a9f6_4a9a_bfbb_a11f673323b2" }, "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "IsSoftError": false, "InnerExceptions": null }
Get User Info
API Endpoint: /UserMgmt/GetUserInfo
Method: POST
Data:
NA
Headers:
Authorization: Bearer <bearer token>
API Request Endpoint:
https://<tenant_url>/UserMgmt/GetUserInfo
Sample API Response:
{ "success": true, "Result": { "TenantId": "ABD4143", "Id": "6c32a200-010d-432a-9b72-f1bbf7b66dd7", "ExternalUuid": "6c32a200-010d-432a-9b72-f1bbf7b66dd7", "Name": "tanushree@crest_netskope", "DisplayName": "tansuhree", "EmailAddress": "tanushree.kurup@crestdatasys.com", "MobileNumber": null, "DirectoryServiceType": "CDS", "DirectoryServiceId": "09B9A9B0-6CE8-465F-AB03-65766D33B05E", "DirectoryServiceName": "CDS", "DirectoryServiceLocalizedName": "CyberArk Cloud Directory", "IsSysAdmin": true, "CanChangePassword": true, "PasswordExpDate": "/Date(253402300799999)/", "LastPasswordChangeDate": "/Date(-62135596800000)/", "ThirdPartyOathConfigured": false, "SqEnabled": true, "SecurityQuestion": null, "SecurityQuestionsLastUpdate": null, "PhonePinLastChangeDate": null, "LastLoginDate": "/Date(1701671479876)/", "LastLastLoginDate": "/Date(1701671164189)/", "PasswordChangeSoftDays": 14, "PasswordChangeHardHours": 48, "PasswordResetFlag": 0, "SelfUnlocked": false, "HasPicture": false, "Settings": { "uisection": { "doNotShowIdaptiveWelcomeWizard": true } }, "HasU2fDeviceWithFacetIdMatched": false, "SecurityKeyConfigured": false, "OnDeviceAuthenticatorConfigured": false, "PreferredCulture": null, "PreferredTimeZone": null, "DisplayPreferredCulture": null, "EnablePurchasedLicenseMenu": false, "MfaSetupWizardSettings": { "ShowYubikeyOtpInMfaSetupWizard": false, "ShowMfaSetupWizard": false, "ShowPasskeysInMfaSetupWizard": false, "MobileNumberAttribute": "", "ShowU2fInMfaSetupWizard": false, "ShowSecurityQuestionInMfaSetupWizard": false, "SaveMobileNumberToCloud": false, "RequiredFactorSetupCount": 0, "ShowSmsMessageInMfaSetupWizard": false, "ShowOathPassCodeInMfaSetupWizard": false }, "IsMobileAttributeConfigured": false, "MobileDeviceAuthCapableCount": 0, "SlackAuthEnabled": false, "SlackMemberIdSet": false, "YubikeyOtpConfigured": false, "PasskeyConfigured": false }, "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "IsSoftError": false, "InnerExceptions": null }
Add a User to a Role
API Endpoint: /SaasManage/AddUsersAndGroupsToRole
Method: POST
Data:
{"Users": ["<user_id>"], "Name": "<role_id>"}
Headers:
Authorization: Bearer <bearer token>
API Request Endpoint:
https://<tenant_url>/SaasManage/AddUsersAndGroupsToRole
Sample API Response:
{ "success": true, "Result": null, "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "IsSoftError": false, "InnerExceptions": null }
Remove a User from a Role
API Endpoint: /SaasManage/RemoveUsersAndGroupsFromRole
Method: POST
Data:
{"Users": ["<user_id>"], "Name": "<role_id>"}
Headers:
Authorization: Bearer <bearer token>
API Request Endpoint:
https://<tenant_url>/SaasManage/RemoveUsersAndGroupsFromRole
Sample API Response:
{ "success": true, "Result": null, "Message": null, "MessageID": null, "Exception": null, "ErrorID": null, "ErrorCode": null, "IsSoftError": false, "InnerExceptions": null }
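The following is an added illustration of the call sequence the API sections above describe (Generate Token, Find User by Username, Find Role by Rolename, Create a Role, Add a User to a Role, Remove a User from a Role). It is not the Netskope plugin's own code. Only the endpoint paths, request bodies and the success/Message/ErrorCode response shape come from this page; the transport is injected so the module runs offline against a constructed fake tenant (FakeCyberArk), and the single-quote doubling used to quote the username inside the RedRock Script is an assumed SQL-style escaping rule, included because the Find-User query embeds the username directly in the query text.

```python
import re

# Transport: post(url, data=None, json_body=None, headers=None) -> parsed JSON dict.
# Injected so the module runs offline; in production it would wrap an HTTP client.

_USERNAME_RE = re.compile(r"^[^@\s]+@[^@\s]+$")  # assumed shape: user@suffix, no whitespace


def redrock_literal(value):
    """Quote a value for a RedRock Script string (assumed rule: double single quotes),
    so a username cannot change the query text it is embedded in."""
    return "'" + value.replace("'", "''") + "'"


class CyberArkClient:
    def __init__(self, tenant_url, client_id, client_secret, post):
        self.base = tenant_url.rstrip("/")
        self.client_id, self.client_secret, self._post = client_id, client_secret, post
        self._token = None

    def get_token(self):
        # /oauth2/platformtoken with client_credentials, as documented above
        resp = self._post(f"{self.base}/oauth2/platformtoken",
                          data={"grant_type": "client_credentials", "scope": "all",
                                "client_id": self.client_id, "client_secret": self.client_secret},
                          headers={"Accept": "application/json",
                                   "Content-Type": "application/x-www-form-urlencoded"})
        self._token = resp["access_token"]
        return self._token

    def _call(self, path, body):
        if self._token is None:
            self.get_token()
        resp = self._post(f"{self.base}{path}", json_body=body,
                          headers={"Authorization": f"Bearer {self._token}"})
        if not resp.get("success"):  # every documented response carries success/Message/ErrorCode
            raise RuntimeError(f"{path}: {resp.get('Message')} (ErrorCode={resp.get('ErrorCode')})")
        return resp["Result"]

    def query(self, script):
        rows = self._call("/RedRock/query", {"Script": script}).get("Results", [])
        return [r["Row"] for r in rows]

    def find_user_id(self, username):
        if not _USERNAME_RE.match(username):
            raise ValueError(f"expected user@suffix, got {username!r}")
        rows = self.query("select ID, Username from Users where Username = " + redrock_literal(username))
        return rows[0]["ID"] if rows else None

    def find_role_id(self, role_name):
        rows = self.query("select ID, Name from Role where Name = " + redrock_literal(role_name))
        return rows[0]["ID"] if rows else None

    def create_role(self, role_name):  # description literal taken from the Create a Role section
        return self._call("/Roles/StoreRole",
                          {"Description": "Created From Netskop URE", "Name": role_name})["_RowKey"]

    def add_user_to_role(self, user_id, role_id):
        self._call("/SaasManage/AddUsersAndGroupsToRole", {"Users": [user_id], "Name": role_id})

    def remove_user_from_role(self, user_id, role_id):
        self._call("/SaasManage/RemoveUsersAndGroupsFromRole", {"Users": [user_id], "Name": role_id})


def apply_action(client, action, username, role_name, create_if_missing=False):
    """Add to Role / Remove from Role sequence; returns a short status string."""
    user_id = client.find_user_id(username)
    if user_id is None:
        return "skipped: user not present on CyberArk"
    role_id = client.find_role_id(role_name)
    if role_id is None:
        if action == "add" and create_if_missing:
            role_id = client.create_role(role_name)
        else:
            return "skipped: role not found"
    if action == "add":
        client.add_user_to_role(user_id, role_id)
    else:
        client.remove_user_from_role(user_id, role_id)
    return f"{action}: {user_id} -> {role_id}"


class FakeCyberArk:
    """Constructed offline stand-in for the tenant; replies use the page's response shape."""
    _QUERY = re.compile(r"select ID, \w+ from (Users|Role) where \w+ = '((?:[^']|'')*)'")

    def __init__(self):
        self.users = {"abc@netskope.com": "u-1"}   # constructed sample data
        self.roles = {"Quarantine": "r-1"}
        self.members = {"r-1": set()}
        self.scripts = []                           # every RedRock Script received

    def __call__(self, url, data=None, json_body=None, headers=None):
        path = url.split("/", 3)[3]
        if path == "oauth2/platformtoken":
            return {"access_token": "tok", "token_type": "Bearer", "expires_in": 900, "scope": "all"}
        if (headers or {}).get("Authorization") != "Bearer tok":
            return {"success": False, "Message": "unauthorized", "ErrorCode": 401}
        if path == "RedRock/query":
            self.scripts.append(json_body["Script"])
            m = self._QUERY.fullmatch(json_body["Script"])
            if not m:
                return {"success": False, "Message": "bad script", "ErrorCode": 400}
            table = self.users if m.group(1) == "Users" else self.roles
            key = m.group(2).replace("''", "'")
            rows = [{"Row": {"ID": table[key], "Name": key}}] if key in table else []
            return {"success": True, "Result": {"Results": rows}}
        if path == "Roles/StoreRole":
            rid = f"r-{len(self.roles) + 1}"
            self.roles[json_body["Name"]] = rid
            self.members[rid] = set()
            return {"success": True, "Result": {"_RowKey": rid}}
        if path == "SaasManage/AddUsersAndGroupsToRole":
            self.members[json_body["Name"]].update(json_body["Users"])
            return {"success": True, "Result": None}
        if path == "SaasManage/RemoveUsersAndGroupsFromRole":
            self.members[json_body["Name"]].difference_update(json_body["Users"])
            return {"success": True, "Result": None}
        return {"success": False, "Message": "unknown endpoint", "ErrorCode": 404}
```

Swap FakeCyberArk for a thin wrapper around a real HTTP client to drive a tenant; the client raises on any response whose success field is false, which is how the plugin's log entries for a failed action should be interpreted. Note the 900-second expires_in on the token: a long-running sync must refresh the token rather than reuse it.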
Performance Matrix
This performance reading is conducted on a Large Stack CE with the below-mentioned VM specifications.
Stack details | Size: Large, RAM: 32 GB, CPU: 16 Cores
Users added/removed from Role | ~70 per minute
User Agent
The user agent added for this plugin is in the following format:
netskope-ce-5.0.0-ure-cyberark-v1.0.0
Workflow
- Add API permissions to CyberArk for a user.
- Configure CyberArk plugin.
- Add a Business Rule.
- Configure SIEM Mappings.
- Validate the plugin.
Add API Permissions to the User
Follow these steps to add the API permissions needed for a successful integration of the plugin.
- Log in to your CyberArk platform and go to Admin Portal.
- Go to Users and click on All Users from the left panel.
- Click the user you will use to configure the plugin, scroll down to Status, grant the "Is OAuth confidential client" permission to the user, and click Save.
Configure the CyberArk Plugin
- Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the CyberArk box to configure the plugin.
- Enter these values:
- Configuration Name: Enter a name for the configuration.
- Sync Interval: Enter the interval at which the plugin syncs.
- Click Next.
- Enter these values:
- Tenant URL: URL of your CyberArk platform.
- Username: Username used while logging in to the CyberArk platform.
- Password: Password associated with the CyberArk Username.
- Click Next and then click Save.
Add a Business Rule for CyberArk
Use the Business Rule to filter out the users on which you want to perform actions. Follow these steps to configure a business rule:
- Go to User Risk Exchange > Business Rule and click Create New Group.
- Add the filters based on your requirement and click Save.
Add Actions
Following is the list of available actions for the CyberArk plugin.
Add to a Role
Whenever the action triggers, it adds users to the Role specified in the action configuration.
- Go to User Risk Exchange > Actions and click Add Action Configuration.
- Select the Business Rules you added.
- Select the CyberArk Plugin as the Configuration.
- Select Action as Add to Role.
- Select an existing role in the Role Name dropdown to add the user to an existing Role, or select Create new Role.
- Enter a Role Name if you have selected the Create New Role option in the Group parameter.
- Click Save.
Remove from a Role
Whenever the action triggers, it removes users from the Role specified in the action configuration.
- Go to User Risk Exchange > Actions and click Add Action Configuration.
- Select a Business Rule.
- Select the CyberArk Plugin as the Configuration.
- Select Action as Remove from the Role.
- Select a role from the Role Name dropdown to remove the users that match the Business Rule from the selected Role.
- Click Save.
No Action
This action does not perform any operation on users. Use it to generate UBA alerts in the Netskope Ticket Orchestrator module.
Validate the CyberArk Plugin
In Cloud Exchange
- Go to User Risk Exchange > Logging and search for logs from the CyberArk plugin.
In CyberArk
- Log in to your CyberArk platform and go to Admin Portal.
- Go to Roles under Core Services and select the Role you have used while configuring the action.
- Go to Members and verify that the listed users reflect the "Add to Role" or "Remove from Role" action.
Troubleshooting
Unable to fetch Roles while configuring the Add to Role Action
If no roles are fetched in the Add to Role action while configuring the plugin, it could be due to one of the following reasons.
- No Roles are available on the CyberArk platform.
- Insufficient permission of the user.
What to do:
For the first reason, "No Roles are available on the CyberArk platform", check whether a Role is present on CyberArk by following these steps:
- Log in to CyberArk and go to Admin Portal.
- Go to Roles under Core Services and check the list of Roles.
If no Roles are listed, the platform itself has no roles available; create a new role using the Action configuration in CE or directly on the CyberArk platform.
If a Role is present on CyberArk but is still not fetched in the Action configuration, the cause is likely "Insufficient permission of the user". Check the user permissions needed for the plugin (see Permissions).
Action is skipped on User
Below are the scenarios in which the action is not performed.
- Users are not present on CyberArk.
- The Role on CyberArk has ReadOnly access.
- The Role on CyberArk is Dynamic.
NOTE: CE may log an action as successfully performed when adding a user to a Role/Group even though the user is not actually added to the group; this happens when the Role type is Dynamic. The action is also not performed if the group has ReadOnly access.
You will receive the error shown in the screenshot below if the group is Dynamic with ReadOnly access.
CyberArk also does not allow actions on the following Roles. They are available on the CyberArk platform and in CE, but the action is not performed for them even though they are Static and not ReadOnly.
- CyberArk Remote Access Admin Users
- SWS Admin
- SWS Auditor
What to do: Check the domain of the user on the Users page of CE and verify the suffix configured on the CyberArk platform. The CyberArk plugin performs Add to Role and Remove from Role only on users matched by the business rule that already exist on the CyberArk platform. Users are matched on the username, which is the combination user + domain. Therefore, make sure the same domain (suffix) is created on CyberArk as the users' email domain so that the actions are performed.
- On CE, go to Risk Exchange > User Risk Exchange > Users.
- On the CyberArk platform, click the user listed under All Users (Core Services > Users > All Users).
- Check the suffix and compare it with the domain of the user present in Netskope CE.
For example, if the user's email ID fetched in Netskope CE is abc@netskope.com, the domain (suffix) created on the CyberArk platform should be netskope.com.
If the domain and suffix do not match, the user is not considered to be present on CyberArk and the action is not performed.
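As an added illustration of the Troubleshooting rules above (not the plugin's own logic), the preflight below encodes the user-matching rule, user + "@" + suffix must equal a CyberArk Username, together with the skip scenarios: user absent, Role Dynamic, Role ReadOnly, and the three Roles the page says never accept the action. The suffix and username lists it takes are assumed to be read off the CyberArk Users page by the operator; the sample data in the block is constructed.

```python
from dataclasses import dataclass

# Roles the page says actions are never performed on, even though they are Static and not ReadOnly.
PROTECTED_ROLES = frozenset({"CyberArk Remote Access Admin Users", "SWS Admin", "SWS Auditor"})


@dataclass(frozen=True)
class Role:
    name: str
    is_dynamic: bool = False   # Dynamic Role: CE may log success, membership does not change
    read_only: bool = False    # ReadOnly access: action not performed


def split_ce_email(ce_email):
    """Split a CE user email into (user, domain); CyberArk matches on user@suffix."""
    if ce_email.count("@") != 1:
        raise ValueError(f"not a user@domain address: {ce_email!r}")
    user, domain = ce_email.split("@")
    return user, domain.lower()


def user_reasons(ce_email, cyberark_suffixes, cyberark_usernames):
    """Why the user would be treated as absent on CyberArk (empty list = present)."""
    user, domain = split_ce_email(ce_email)
    suffixes = {s.lower() for s in cyberark_suffixes}
    reasons = []
    if domain not in suffixes:
        reasons.append(f"suffix {domain!r} is not defined on CyberArk (defined: {sorted(suffixes)})")
    elif f"{user}@{domain}" not in {u.lower() for u in cyberark_usernames}:
        reasons.append(f"user {user}@{domain} is not present on CyberArk")
    return reasons


def role_reasons(role):
    """Why membership changes on this Role would not take effect (empty list = usable)."""
    reasons = []
    if role.name in PROTECTED_ROLES:
        reasons.append(f"role {role.name!r} does not accept Add/Remove actions")
    if role.is_dynamic:
        reasons.append(f"role {role.name!r} is Dynamic; CE may log success but membership will not change")
    if role.read_only:
        reasons.append(f"role {role.name!r} has ReadOnly access")
    return reasons


def preflight(ce_email, role, cyberark_suffixes, cyberark_usernames):
    """All reasons the action would be skipped; an empty list means it should apply."""
    return user_reasons(ce_email, cyberark_suffixes, cyberark_usernames) + role_reasons(role)


def triage(pairs, cyberark_suffixes, cyberark_usernames):
    """Sort (email, Role) pairs into those the action will apply to and those it will skip."""
    report = {"apply": [], "skip": {}}
    for email, role in pairs:
        reasons = preflight(email, role, cyberark_suffixes, cyberark_usernames)
        if reasons:
            report["skip"][(email, role.name)] = reasons
        else:
            report["apply"].append((email, role.name))
    return report


if __name__ == "__main__":
    # Constructed sample data standing in for what the Users page on CyberArk shows.
    SUFFIXES = ["netskope.com"]
    USERNAMES = ["abc@netskope.com"]
    report = triage(
        [("abc@netskope.com", Role("Quarantine")),
         ("abc@example.org", Role("Quarantine")),
         ("abc@netskope.com", Role("SWS Admin")),
         ("abc@netskope.com", Role("Contractors", is_dynamic=True, read_only=True))],
        SUFFIXES, USERNAMES)
    print("apply:", report["apply"])
    for (email, role_name), reasons in report["skip"].items():
        print("skip:", email, role_name, "->", "; ".join(reasons))
```

Run it before enabling a business rule against a new Role: a non-empty skip bucket for users you expected to match usually means the CE email domain was never created as a suffix on CyberArk, which is the case the Troubleshooting section describes.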