CyberArk Endpoint Privilege Manager

Endpoint Privilege Manager helps remove local admin rights while improving user experience and optimizing IT operations.

Overview

The CyberArk Endpoint Privilege Manager (EPM) integration with Cortex (XSOAR and XSIAM) enhances security operations by providing SOC teams with enriched context around security incidents related to identities. EPM helps organizations reduce the risk of endpoint attacks by removing local administrator rights and enforcing least privilege policies. It provides application control and privilege management to prevent malware and ransomware attacks, while enabling end-users to perform their tasks without interruption.

What does this pack do?

This new pack enables you with correlation rules for all detections fetched from EPM to XSIAM, mapping them to MITRE ATT&CK techniques and generate alerts. Additionally, it provides EPM commands for XSOAR and XSIAM, allowing you to build integrations using these connectors. You can execute these commands from the Cortex XSIAM Alerts War Room as part of an automation, or in a playbook.

Overview

What does this pack do?

Integrations

Name	Description
CyberArk EPM SOC Response	Use the CyberArk EPM integration to activate and deactivate CyberArk EPM risk plans for specific endpoints.

Playbooks

Name	Description
CyberArk EPM SOC Response	Activates a CyberArk EPM SOC risk plan for a specified endpoint, based on the incident severity. Endpoint name and external IP are taken from the incident to uniquely identify the on EPM
CyberArk Deactivate EPM SOC Response	Deactivates a specific CyberArk EPM SOC risk plan for a specific endpoint. This reverts all security settings to the baseline EPM policies active prior to the SOC response action.

Integrations

Name	Description
CyberArk EPM Event Collector	CyberArk EPM Event Collector fetches events.
CyberArk EPM SOC Response	Use the CyberArk EPM integration to activate and deactivate CyberArk EPM risk plans for specific endpoints.

Modeling Rules

Name	Description
CyberArk EPM Modeling Rule

Playbooks

Name	Description
CyberArk Deactivate EPM SOC Response	Deactivates a specific CyberArk EPM SOC risk plan for a specific endpoint. This reverts all security settings to the baseline EPM policies active prior to the SOC response action.
CyberArk EPM SOC Response	Activates a CyberArk EPM SOC risk plan for a specified endpoint, based on the alert severity. Endpoint name and external IP are taken from the alert to uniquely identify the on EPM

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (4)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.2.1 - 8901148 (May 11, 2026)

Integrations

CyberArk EPM SOC Response

Updated the CyberArkEPMSOCResponse integration to output all sets with endpoints found and whether the endpoint was successfully added to the plan group in this set.
Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44245
- 44138

Download

1.2.0 - 8515806 (April 27, 2026)

Integrations

CyberArk EPM SOC Response

Updated the integration to use OAuth2 authentication via CyberArk Identity.
Deprecated the Application ID parameter (no longer used with OAuth2 authentication).
Added the Identity URL parameter, which specifies the CyberArk Identity FQDN for OAuth2 authentication (e.g., https://abc1234.id.cyberark.cloud).
Added the Client ID parameter, which specifies the service username (configured as OAuth confidential client).
Added the Web App ID parameter, which specifies the Application ID of the OAuth2 Server web app configured in Identity Administration.
Updated the cyberarkepm-activate-risk-plan command:
- Deprecated the external_ip argument (replaced by logged_in_user).
- Added the logged_in_user argument, which specifies the logged-in username of the endpoint.
Updated the cyberarkepm-deactivate-risk-plan command:
- Deprecated the external_ip argument (replaced by logged_in_user).
- Added the logged_in_user argument, which specifies the logged-in username of the endpoint.

Playbooks

CyberArk EPM SOC Response

Updated the playbook to use the logged_in_user argument instead of the external_ip argument for endpoint identification.

CyberArk Deactivate EPM SOC Response

Updated the playbook to use the logged_in_user argument instead of the external_ip argument for endpoint identification.

Related pull requests:
- 44013
- 43612

Download

1.1.5 - 8210013 (April 13, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43748

Download

1.1.4 - 8195766 (April 12, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43735

Download

1.1.3 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

1.1.2 - 7657193 (March 13, 2026)

Integrations

CyberArk EPM SOC Response (Beta)

Updated the CyberArkEPMSOCResponse integration to support upper and lower cases in search filters.

Related pull requests:
- 43330
- 43348

Download

1.1.1 - 7175321 (February 16, 2026)

Endpoint Privilege Manager helps remove local admin rights while improving user experience and optimizing IT operations.

Related pull requests:
- 42850

Download

1.2.1 - 8901148 (May 11, 2026)

Integrations

CyberArk EPM SOC Response

Updated the CyberArkEPMSOCResponse integration to output all sets with endpoints found and whether the endpoint was successfully added to the plan group in this set.
Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44245
- 44138

Download

1.2.0 - 8542515 (April 28, 2026)

Integrations

CyberArk EPM SOC Response

Updated the integration to use OAuth2 authentication via CyberArk Identity.
Deprecated the Application ID parameter (no longer used with OAuth2 authentication).
Added the Identity URL parameter, which specifies the CyberArk Identity FQDN for OAuth2 authentication (e.g., https://abc1234.id.cyberark.cloud).
Added the Client ID parameter, which specifies the service username (configured as OAuth confidential client).
Added the Web App ID parameter, which specifies the Application ID of the OAuth2 Server web app configured in Identity Administration.
Updated the cyberarkepm-activate-risk-plan command:
- Deprecated the external_ip argument (replaced by logged_in_user).
- Added the logged_in_user argument, which specifies the logged-in username of the endpoint.
Updated the cyberarkepm-deactivate-risk-plan command:
- Deprecated the external_ip argument (replaced by logged_in_user).
- Added the logged_in_user argument, which specifies the logged-in username of the endpoint.

Playbooks

CyberArk EPM SOC Response

Updated the playbook to use the logged_in_user argument instead of the external_ip argument for endpoint identification.

CyberArk Deactivate EPM SOC Response

Updated the playbook to use the logged_in_user argument instead of the external_ip argument for endpoint identification.

Related pull requests:
- 44013
- 43612

Download

1.1.5 - 8210013 (April 13, 2026)

Integrations

CyberArk EPM Event Collector

Documentation and metadata improvements.

Related pull requests:
- 43748

Download

1.1.4 - 8195766 (April 12, 2026)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 43735

Download

1.1.3 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

1.1.2 - 7657193 (March 13, 2026)

Integrations

CyberArk EPM SOC Response (Beta)

Updated the CyberArkEPMSOCResponse integration to support upper and lower cases in search filters.

Related pull requests:
- 43330
- 43348

Download

1.1.1 - 7178553 (February 16, 2026)

Integrations

CyberArk EPM Event Collector

Fixed an issue where the integration would fetch events from stale set IDs after configuration changes.
Updated the Docker image to: demisto/btfl-soup:1.0.1.6977863.

New: CyberArk EPM SOC Response (Beta)

Added the new CyberArkEPMSOCResponse integration that enables you to activate and deactivate CyberArk EPM risk plans for specific endpoints.
Added the following commands:
- cyberarkepm-activate-risk-plan
- cyberarkepm-deactivate-risk-plan

Playbooks

New: CyberArk Deactivate EPM SOC Response

This playbook deactivates a specific CyberArk EPM SOC risk plan for a specific endpoint. This reverts all security settings to the baseline EPM policies active prior to the SOC response action.

New: CyberArk EPM SOC Response

This playbook activates a CyberArk EPM SOC risk plan for a specific endpoint, based on the incident severity. The endpoint is uniquely identified in EPM using the name and external IP provided by the incident data.

Related pull requests:
- 42850

Download

1.0.10 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.0.9 - R5469292 (October 20, 2025)

Integrations

CyberArk EPM Event Collector

Fixed an issue where the nextCursor pagination token was not being updated when no events were fetched in the fetch-events command, leading to infinite loop and fetch being stuck.

Related pull requests:
- 41505

Download

1.0.8 - 5218623 (October 2, 2025)

Integrations

CyberArk EPM Event Collector

Improved logging for CyberArk EPM Event Collector.
Updated the Docker image to: demisto/btfl-soup:1.0.1.4885491.

Related pull requests:
- 41212

Download

1.0.7 - R4739218 (September 2, 2025)

Integrations

CyberArk EPM Event Collector

Metadata and documentation improvements.

Related pull requests:
- 39142

Download

Certification	Certified	Read more
Supported By	Cortex
Created	February 16, 2026
Last Release	May 11, 2026

CyberArk Endpoint Privilege Manager

Overview

What does this pack do?

Overview

What does this pack do?

Integrations

CyberArk EPM SOC Response

Integrations

CyberArk EPM SOC Response

Playbooks

CyberArk EPM SOC Response

CyberArk Deactivate EPM SOC Response

Integrations

CyberArk EPM SOC Response (Beta)

Integrations

CyberArk EPM SOC Response

Integrations

CyberArk EPM SOC Response

Playbooks

CyberArk EPM SOC Response

CyberArk Deactivate EPM SOC Response

Integrations

CyberArk EPM Event Collector

Integrations

CyberArk EPM SOC Response (Beta)

Integrations

CyberArk EPM Event Collector

New: CyberArk EPM SOC Response (Beta)

Playbooks

New: CyberArk Deactivate EPM SOC Response

New: CyberArk EPM SOC Response

Integrations

CyberArk EPM Event Collector

Integrations

CyberArk EPM Event Collector

Integrations

CyberArk EPM Event Collector

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER