SHA256 checksum (ta-cyber-ark-api_100.tgz) 8aac1e1467517ee2e539f0740abe13162c7b9dd6b517eebdbeecf571ac3e051c
TA Cyber Ark API

Splunk AppInspect Passed
TA CyberArk API Add-on

This add-on works with Splunk >V7.X and V8.X. The TA retrieves data from the CyberArk API and indexes it in Splunk.

It's built with Splunk Add-on Builder

  • App 3.0.1
  • App Build 2

OVERVIEW

The Technology Add-on (TA) for CyberArk enables current CyberArk customers to ingest data from 3 inputs based on CyberArk API endpoints:

  • .../pimservices.svc/safes/- (Data about Safe Members)
  • .../api/Accounts - (Data about accounts)
  • .../api/recordings - (Data about recorded user sessions)

DETAILS:

  • Creates Index - False
  • OS: Platform independent
  • Heavy Forwarder Required

Compatible with: Splunk Enterprise version: 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x

DEPLOYMENT

1. To ingest event data successfully, a valid username and password are required. Based on the username and password, an authentication token is generated and used for each API call.

(DAP issues a short-lived access token after authenticating a requester. The token is valid for 8 minutes by default. The token is a JSON Web Token (JWT). It is cryptographically signed by a DAP private key (RSA 2048), which includes the host or user id along with the expiration timestamp. DAP uses OpenSSL to generate the RSA key pair, validate, and sign the tokens.)

INSTALLATION

Install the add-on on Heavy Forwarders or a Splunk Enterprise standalone instance. Download the TA package and follow the instructions below:
1. In the UI navigate to: “Manage Apps”
2. In the top right corner select “Install app from file”
3. Select ‘Choose File’ and select the TA package (.spl or .tar)
4. Select ‘Upload’ and follow the prompts to restart Splunk.

CONFIGURATION

Configuring CyberArk Account(s)

  1. In Configuration\account, click the “Add” button on the right
  2. Account name - Set name for the account
  3. Username
  4. Password
  5. In Configuration\add-on-settings, add the FQDN of the CyberArk API and click Save.

Configuring CyberArk Input(s)

The inputs should be configured only on heavy forwarders or a Splunk Enterprise standalone instance. 4 REST API endpoints are used:
- /PasswordVault/API/auth/LDAP/Logon
- /PasswordVault/webservices/pimservices.svc/safes/
- /PasswordVault/api/recordings
- /PasswordVault/api/Accounts

INFO: To authenticate successfully, the add-on must send an authentication header with each API call. The header carries a token, which is first obtained by calling the Logon service with the username and password.

  1. Navigate to CyberArk TA Add-on
  2. In the sub-menu select “Inputs”
  3. In the right corner select “Create New Input”
  4. Enter a unique name for the configuration
  5. From the drop down select the appropriate account for the input type
  6. Enter the start date from which to start the data collection. This sets the initial starting point in time; only the initial run needs this value. The delta is gathered by a checkpoint which the add-on creates on each cycle of data ingestion. Format: YYYY-MM-DDTHH:MM:SS
  7. Select the index to store the data.
    NOTE: The main index is used by default unless specified otherwise. If data is to be sent to a specific indexer, ensure the outputs.conf file is adjusted with the Indexer’s IP address.
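
The logon-then-token flow and the checkpointed collection described above, sketched as an added example (not the add-on's own code). The injected `send` transport, the `FakeVault` stub, the `svc_splunk` account, the `value` list in the response and the use of `createdTime` as the checkpoint field are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone
LOGON = "/PasswordVault/API/auth/LDAP/Logon"
ACCOUNTS = "/PasswordVault/api/Accounts"

class Collector:  # send(method, url, headers, body) -> (status, text) is an injected transport
    def __init__(self, send, fqdn, username, password, start_date):
        self.send, self.base, self.token = send, "https://" + fqdn, None
        self.creds = {"username": username, "password": password}
        # Start date from the input form (YYYY-MM-DDTHH:MM:SS); UTC is an assumption.
        start = datetime.strptime(start_date, "%Y-%m-%dT%H:%M:%S")
        self.checkpoint = int(start.replace(tzinfo=timezone.utc).timestamp())

    def logon(self):
        status, text = self.send("POST", self.base + LOGON,
                                 {"Content-Type": "application/json"}, json.dumps(self.creds))
        if status != 200:
            raise RuntimeError(f"logon failed: HTTP {status}")
        self.token = json.loads(text)  # assumed: the token comes back as a JSON string

    def get(self, path):
        if self.token is None:
            self.logon()
        status, text = self.send("GET", self.base + path, {"Authorization": self.token}, None)
        if status == 401:  # token expired: log on again once and retry
            self.logon()
            status, text = self.send("GET", self.base + path, {"Authorization": self.token}, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return json.loads(text)

    def collect_accounts(self):
        # Assumption: each account has an epoch 'createdTime' that serves as the checkpoint field.
        new = [a for a in self.get(ACCOUNTS).get("value", []) if a["createdTime"] > self.checkpoint]
        self.checkpoint = max([self.checkpoint] + [a["createdTime"] for a in new])
        return new

class FakeVault:  # constructed stand-in for the API; every token it issues is accepted once
    def __init__(self, accounts):
        self.accounts, self.issued, self.valid = accounts, 0, None
    def __call__(self, method, url, headers, body):
        if url.endswith(LOGON):
            ok = json.loads(body) == {"username": "svc_splunk", "password": "constructed"}
            self.issued += ok
            self.valid = f"tok{self.issued}" if ok else None
            return (200, json.dumps(self.valid)) if ok else (403, "")
        ok = self.valid is not None and headers.get("Authorization") == self.valid
        self.valid = None  # simulate expiry after a single use
        return (200, json.dumps({"value": self.accounts})) if ok else (401, "")
```

Against a real deployment, `send` would wrap an HTTPS client with certificate verification enabled, and the token should never be written to the add-on's log files.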

TROUBLESHOOTING

The default LOG level is set to: INFO

Using Searches

The data should be indexed in the index you selected, or in "main" if none was selected.

sourcetype=cyberark:api:accounts
sourcetype=cyberark:api:recording
sourcetype=cyberark:api:safes

Additionally, you can check the internal log:

index=_internal sourcetype="tacyberarkapi:log"

Using Log Files

  • $SPLUNK_HOME\var\log\splunk\ta_cyberark_api_cyberark_session_recordings.log
  • $SPLUNK_HOME\var\log\splunk\ta_cyberark_api_cyberark_api_safes.log
  • $SPLUNK_HOME\var\log\splunk\ta_cyberark_api_cyberark_api_accounts.log

REST status code categories:

  • 1xx: Informational – Communicates transfer protocol-level information.
  • 2xx: Success – Indicates that the client’s request was accepted successfully.
  • 3xx: Redirection – Indicates that the client must take some additional action in order to complete their request.
  • 4xx: Client Error – This category of error status codes points the finger at clients.
  • 5xx: Server Error – The server takes responsibility for these error status codes.

For reference you can check:

https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Docs.html

SUPPORT

Release Notes

Version 1.0.0
Oct. 15, 2020

Initial Release
