hydden.docs

# This article provides detailed steps to set up a CyberArk data source for discovery of CyberArk User, Service, and Vaulted accounts and vaults for that user within the organization.

With the CyberArk integration, all credentials needed for the discovery process of any data collection can be stored safely in a safe/vault outside of Hydden and used only when needed.

Prerequisites

A CyberArk instance with configured and active Identity Administration Core Services in place, including a suitable service account with the appropriate permissions configured for the integrations to be used. Hydden can work with CyberArk SMEs to ensure a least privilege model is followed for service account access.

Permissions

The following shows the minimum permissions required to discover CyberArk accounts, to use the CyberArk Discovery Workflow, and to vault discovered accounts in a CyberArk Safe.

[Image: minimum required permissions]

[!note] To achieve the list above, you will need to make the following adjustments to what appear to be the out-of-the-box role configurations in CyberArk:

Care must be taken when making these changes to be certain the changes do not impact other areas of an organization’s CyberArk deployment.

Adding the CyberArk Module to a Client

The CyberArk module needs to be added to a configured Client in Hydden to collect data.

  1. Navigate to __Configuration Discover__ and select the Clients tab.
  2. Locate your client for the CyberArk collection and click the Edit button.
  3. In the Modules field, add the CyberArk Collector module.
  4. Click Update.

Configure Your Hydden CyberArk Data Source

  1. Log in to your Hydden tenant.
  2. To access the data sources page, navigate to __Configuration Discover__ and select Data Sources or use the data source URL: https://portal.hydden.com/configuration/data-sources.
  3. To add the CyberArk data source, click + Add Data Source.
  4. From the configuration wizard, select the CyberArk logo tile.
  5. For Name enter an easy-to-identify name for the data source.
  6. You may ignore the optional Preset field. Pre-configured data source presets, when available, can be selected from the drop-down, but they can also be added manually via the +.
  7. If you already created your credential via the CyberArk Credential topic, select that credential from the Credential drop-down. If you have not yet created the credential, create it now. Follow the instructions in the linked topic, then come back to this page for the remaining steps.
  8. You may ignore the optional Schedule field. To specify a Schedule, either select from the list of pre-configured collection schedules or manually enter a new schedule via +.
  9. Under Site, specify the site where your client is installed; it can also be “default” if there is only one client for your organization.
  10. Click Add to save the data source. You have an option to manually run the data collection via the Run Now button.

[!note] If custom mapping rules are required, refer to the Advanced Configuration section in the Data Source Overview topic.

At this point, you can run a collection from the Data Sources page and shortly after, you will see your CyberArk accounts listed on the Identity Posture dashboard, in Global Search and the Search Library.