Configure response automation
This topic describes how to configure CyberArk Identity User Behavior Analytics to automatically respond to specified trigger event types. The following table describes available responses.
| Response | Description |
|---|---|
| Email alerts | Generate email alerts for trigger events with a specified risk level. For example, you could send email alerts as an automated response to SecurityAlert events with a risk level of medium. |
| Lock users | Lock users based on specified trigger events if the risk engine determines the user is risky. CyberArk recommends only locking accounts for security alerts with a risk level of High. In addition, Lock User Webhooks should be used in conjunction with an email alert for the lock event. |
| Webhooks | Webhooks allow your tenant to invoke another web service when a security alert or server event occurs. For example, a security alert invokes the webhook when the security threshold is exceeded. |
| CyberArk Identity Flows | Invoke a CyberArk flow based on a trigger event. You can use Identity Flows to create low-code webhooks, reset user passwords, remove users from roles, and more. See the Identity Flows documentation for more information. |
Create automated event responses
This section describes how to create the different types of automated event responses that are available in CyberArk Identity User Behavior Analytics.
Trigger events are events generated by CyberArk Identity in response to actions, such as a user's password changing. See CyberArk Identity Events for more information.
Create a webhook
- Go to Settings > Response Automation.
- Click New, then select Webhook.
- Enter a name and description for your webhook.
- Select a trigger event category and specific trigger event.
- Select a risk level from the risk level drop-down menu.
  See Adjust risk levels for more information about risk levels.
- In the URL field, enter the URL of the webhook for the third-party web service that you want to invoke.
- Select the request method appropriate for the webhook in the Http Method drop-down menu.
- Select the Content Type appropriate for the webhook.
  For example, select application/json if the webhook URL expects a JSON-formatted payload.
- If it's required by the web service, enter the API access token in the Authorization header field.
  See the web service documentation for instructions on how to get the API access token.
- Enter the payload expected by the web service.
  The payload format is based on FreeMarker, which allows the payload to be dynamically populated by including variables defined in CyberArk Identity User Behavior Analytics. These variables are substituted at invocation time with values pulled from the datasets defined in CyberArk Identity User Behavior Analytics. Variables can represent system elements or events, and can be built-in (for example, defined by CyberArk) or user-defined.
- Click OK.
Slack example
See https://api.slack.com/incoming-webhooks for more information on the URL to use.
The following images and payload illustrate an example of a Slack webhook.
Payload:
```json
{
  "attachments": [
    {
      "author_name": "Idaptive Analytics",
      "author_link": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics",
      "author_icon": "https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/favicons/favicon.png",
      "title": "Security Alert from Idaptive Analytics",
      "color": "<#if intel_risk_level=='high'>danger<#else>warning</#if>",
      "fields": [
        {
          "value": "<#if event_name=='Cloud.Core.MfaSummary'>Service Login<#elseif event_name?starts_with('Cloud.Saas.Application')>Launched ${app_name}<#else>${event_name}<#if action?has_content> for command ${action}</#if> on ${target_address}</#if>",
          "short": false
        },
        { "title": "Who", "value": "${event.user_name}", "short": true },
        { "title": "When", "value": "${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}", "short": true },
        { "title": "Where", "value": "<#if event_name?starts_with('Cloud')>${city}<#else>${target_address}</#if>", "short": true },
        { "title": "Operating System", "value": "${os_type}", "short": true },
        { "title": "risk level", "value": "${intel_risk_level?cap_first}", "short": true },
        { "title": "Risk Score", "value": "${intel_risk_score}", "short": true }
        <#if reason?eval.text?has_content>
        , { "title": "Reason", "value": "${reason?eval.text}", "short": true }
        </#if>
      ]
    },
    {
      "title": "Investigate",
      "color": "#3AA3E3",
      "fallback": "Investigate at https://${tenant_id}-${system.podscape}.analytics.idaptive.app/analytics",
      "actions": [
        {
          "type": "button",
          "text": "Analytics Portal",
          "url": "<#if event_name?starts_with('Cloud')>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${event.user_name}'))&start=%24now-90days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true<#else>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${user_name}'))&start=%24now-90days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true</#if>"
        }
      ]
    }
  ]
}
```
Result when the webhook is triggered:
PagerDuty example
See https://v2.developer.pagerduty.com/docs/send-an-event-events-api-v2 for more information on the URL to use.
PagerDuty requires an API authentication token in the Header Authorization field. See https://developer.pagerduty.com/docs/rest-api-v2/authentication/ for more information on how to get the PagerDuty API authentication token.
The following images and payload illustrate an example of a PagerDuty webhook.
Payload:
PagerDuty requires a value for `routing_key` in the payload. See https://support.pagerduty.com/docs/services-and-integrations#section-events-api-v2 for more information about how to get the `routing_key` value.
```json
{
  "payload": {
    "summary": "${intel_risk_level?cap_first} Risk: <#if event_name=='Cloud.Core.MfaSummary'>Service Login<#elseif event_name?starts_with('Cloud.Saas.Application')>Launched ${app_name}<#else>${event_name}<#if action?has_content> for command ${action}</#if> on ${target_address}</#if> from ${event.user_name} at ${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
    "source": "${event.user_name}",
    "severity": "warning",
    "component": "${target_address}",
    "class": "${event_type}",
    "custom_details": {
      "Event Name": "${event_name}",
      "Event Time": "${utils.number_to_datetime_timezone(event_time, 'US/Pacific')}",
      "User Name": "${event.user_name}",
      "Server": "${target_address}",
      "risk level": "${intel_risk_level?cap_first}",
      "OS Type": "${os_type}"
      <#if action?has_content>,"Command": "${action}"</#if>
    }
  },
  "routing_key": "xxxxxxxxx",
  "event_action": "trigger",
  "client": "Idaptive Analytics",
  "client_url": "<#if event_name?starts_with('Cloud')>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${event.user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true<#else>https://${tenant_id}-${system.podscape}.${system.domain}/analytics/ui/#/explore?sql=(%22user_name%22%20IN%20('${event.user_name}'))&start=%24now-21days&end=%24now-0days&categoryval=behavior&drillview=Category%20Alert&ignoresession=true</#if>"
}
```
Result when the webhook is triggered:
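The Slack and PagerDuty examples above send the rendered payload to a vendor endpoint. If the webhook URL instead points at a service you run, the receiving side should verify the Authorization header value and content type configured in the webhook before acting on the payload. The following is an added example, not CyberArk's code: the token, the action names, and the simplified JSON payload (as a template using `${event_name}`, `${event.user_name}` and `${intel_risk_level}` would render) are all constructed.

```python
import hmac
import json

# Added example (not CyberArk's code): a minimal receiver for a CyberArk Identity UBA
# webhook whose URL points at a service you run. It checks the Authorization header
# configured in the webhook, requires application/json, parses the rendered payload
# and maps the risk level to an escalation action.

# Constructed token: the value you would enter in the webhook's Authorization header field.
EXPECTED_AUTHORIZATION = "Bearer example-webhook-token"

def check_request(headers, body):
    """Return (HTTP status, parsed alert or None) for one incoming webhook call."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Constant-time comparison so the token cannot be recovered from timing differences.
    if not hmac.compare_digest(hdrs.get("authorization", ""), EXPECTED_AUTHORIZATION):
        return 401, None
    if not hdrs.get("content-type", "").startswith("application/json"):
        return 415, None
    try:
        alert = json.loads(body)
    except ValueError:
        return 400, None
    # Reject payloads missing the fields the downstream logic depends on.
    for field in ("event_name", "user_name", "risk_level"):
        if field not in alert:
            return 422, None
    return 200, alert

def escalation_for(alert):
    """Map the rendered risk level onto the (constructed) action this receiver takes."""
    level = str(alert["risk_level"]).lower()
    if level == "high":
        return "page-oncall"
    if level == "medium":
        return "open-ticket"
    return "log-only"

# Constructed sample body, as a payload template such as
#   {"event_name": "${event_name}", "user_name": "${event.user_name}",
#    "risk_level": "${intel_risk_level}", "risk_score": "${intel_risk_score}"}
# would render for a high-risk alert.
SAMPLE_BODY = json.dumps({"event_name": "Cloud.Core.MfaSummary", "user_name": "jdoe@example.com",
                          "risk_level": "high", "risk_score": "87"}).encode()

if __name__ == "__main__":
    status, alert = check_request(
        {"Authorization": EXPECTED_AUTHORIZATION, "Content-Type": "application/json"}, SAMPLE_BODY)
    print(status, escalation_for(alert) if alert else None)  # 200 page-oncall
```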
Create an email alert
- Go to Settings > Response Automation.
- Click New, then select Email.
  The New Email Notification window displays.
- Complete the fields as needed.
  The CyberArk Identity User Behavior Analytics service uses a default SMTP server if you do not specify one under Advanced Configuration.
  In the Email Body, you can use Ctrl+Space to autocomplete variables to use for trigger events. For example, type "event.", then press Ctrl and Space to see the list of event variables.
- Toggle the Active switch to On when you finish, then click OK.
Lock user accounts
Contact CyberArk support to have this feature enabled on your tenant.
We recommend only locking accounts for security alerts with a risk level of high. In addition, webhooks that lock user accounts should be used in conjunction with an email alert for the lock event. You can use the following event for the email alert:
- Trigger Event Category: Cloud.Core.Cus.CusEntity
- Trigger Event: CusSetUserState
- Go to Settings > Response Automation.
- Click New, then select Lock User.
  The New Lock User Webhook window displays.
- Complete the fields as needed.
  For example, to lock user accounts associated with security alerts with a risk level of high, the New Lock User Webhook window would look like the following:
- Toggle the Active switch to On when you finish, then click OK.
You can reference the MFA Events and MFA Special Events reports to review account locking activity.
Invoke a CyberArk flow
- Go to Settings > Response Automation.
- Click New, then select CyberArk Flows.
  The Invoke CyberArk Flow window displays.
- Complete the fields as needed, then click OK.
  You have to create the flow in Identity Flows before you can select it in the Invoke CyberArk Flow window. It might take up to five minutes for a newly created flow to display in the drop-down menu.
Manage automated event responses
This section describes management actions available for existing automated event responses.
Export automated responses
- Go to Settings > Response Automation.
- Click Export on the row for the automated response that you want to export.
  The Export window displays.
- Complete the File Name field, then click OK.
  The automated response is saved as a JSON file to your default downloads directory.
Import automated responses
- Go to Settings > Response Automation.
- Click Import.
- Select the JSON file representing the automated response that you want to import, then click Open.
Disable or enable an automated event response
- Go to Settings > Response Automation.
- On the row for the automated response that you want to disable or enable, click Make inactive/Make active.
- Click Yes on the prompt.
Delete automated event responses
- Go to Settings > Response Automation.
- On the row for the automated response that you want to delete, click Delete.
- Click Yes on the prompt.