CyberArk AIM v2

The CyberArk Application Identity Manager (AIM) provides a secure safe in which to store your account credentials. Use this integration to retrieve the account credentials in CyberArk AIM. This integration fetches credentials. For more information, see Managing Credentials.

Authentication Options#

The integration uses the Central Credential Provider and supports the following authentication methods:

  • OS User (Windows NTLM Authentication): Set the domain user and password in the credentials field. Make sure your CyberArk Server is configured to support NTLM authentication as documented here. Note that the user option may require specifying full domain\user.
  • Client Certificate Authentication: Enter the Certificate and Private key in the integration instance configuration parameters. Make sure to follow the instructions here to enable the Central Credential Provider to accept client authentication with client certificates.
  • Allowed Machines: Leave all authentication methods empty. Follow CyberArk's instructions here to accept the Cortex XSOAR Server IP for the configured AppID.

Further information is available from CyberArk at:

Configure CyberArkAIM v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for CyberArkAIM v2.
  3. Click Add instance to create and configure a new integration instance.
urlServer URL and Port (e.g.,\)True
app_idAppID as configured in AIMFalse
folderFolder to search in safeTrue
safeSafe to search inTrue
credential_namesCredential names - comma-seperated list of credentials names in the safeFalse
cert_textCertificate file as textFalse
key_textKey file as textFalse
isFetchCredentialsFetches credentialsFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
  1. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Lists all credentials available

Base Command#



There are no input arguments for this command.

Context Output#

CyberArkAIM.AccountTypeStringThe type of the account.
CyberArkAIM.AddressStringThe address of the account.
CyberArkAIM.CPMStatusStringThe CMP status of the account.
CyberArkAIM.DomainStringThe domain of the account.
CyberArkAIM.NameStringThe credential name of the account.

Command Example#


Context Example#

"CyberArkAIM": {
"AccountCategory": "True",
"AccountDescription": "Built-in account for administering the computer/domain",
"AccountDiscoveryDate": "1573128798",
"AccountEnabled": "True",
"AccountExpirationDate": "0",
"AccountOSGroups": "Administrators",
"AccountType": "Domain",
"Address": "AIM.COM",
"CPMDisabled": "(CPM)Newly discovered dependency",
"CPMStatus": "success",
"CreationMethod": "AutoDetected",
"DeviceType": "Operating System",
"DiscoveryPlatformType": "Windows Domain",
"Domain": "AIM.COM",
"Folder": "Root",
"LastLogonDate": "1572451901",
"LastPasswordSetDate": "1566376303",
"LastSuccessChange": "1575910475",
"LastSuccessReconciliation": "1583521898",
"LastSuccessVerification": "1583256386",
"LastTask": "ReconcileTask",
"LogonDomain": "domain1",
"MachineOSFamily": "Server",
"Name": "name1",
"OSVersion": "Windows Server 2016 Standard",
"OU": "CN=Users,DC=COM",
"PasswordChangeInProcess": "False",
"PasswordNeverExpires": "True",
"PolicyID": "WinDomain",
"RetriesCount": "-1",
"SID": "sid",
"Safe": "Windows Domain Admins",
"SequenceID": "1",
"Tags": "DAdmin",
"UserName": "username1"

Human Readable Output#


TrueBuilt-in account for administering the computer/domain1573128798True0AdministratorsDomainAIM.COM(CPM)Newly discovered dependencysuccessAutoDetectedOperating SystemWindows DomainAIM.COMRoot15724519011566376303157591047515835218981583256386ReconcileTaskdomain1Servername1Windows Server 2016 StandardCN=Users,DC=COMFalseTrueWinDomain-1sidWindows Domain Admins1DAdminusername1