BeyondTrust Password Safe
This Integration is part of the BeyondTrust Password Safe Pack.
Unified password and session management for seamless accountability and control over privileged accounts.
Each command is assigned a role. Users cannot run a command unless they are assigned to the role for that command.
Fetch Credentials
For the fetch credentials function to work properly, you need to create a new asset, managed system, and managed account in BeyondTrust.
- In the BeyondTrust platform, create a new asset.
- Create a managed system. The name of the system should be the name of the integration (service/platform) you want to use, which will make it easier to filter credentials.
- In the managed system, create a managed account. The name of the managed account will be the username/email (depending on how the instance is configured) and the password will be the password of the integration (when creating an instance).
Create a BeyondTrust API Key
To configure an integration instance, you need your BeyondTrust API key. The API key is generated after you configure an API Registration. For detailed instructions, see the BeyondTrust Password Safe Admin Guide.
Configure BeyondTrust Password Safe on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for BeyondTrust Password Safe.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g., https://192.168.0.1)
- Username
- API Key
- Trust any certificate (not secure)
- Use system proxy settings
- Fetch credentials
- System Name (optional for fetch credentials)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get a list of managed accounts for the current user: beyondtrust-get-managed-accounts
- Get a list of managed systems: beyondtrust-get-managed-systems
- Create a new credentials release request: beyondtrust-create-release-request
- Check in or release a request: beyondtrust-check-in-credentials
- Get credential for an approved credentials release request: beyondtrust-get-credentials
- Update credentials for a managed account: beyondtrust-change-credentials
1. Get a list of managed accounts for the current user
Returns a list of managed accounts that the current user has permissions to request.
Base Command
beyondtrust-get-managed-accounts
Input
There are no inputs for this command.
Context Output
Path | Type | Description |
---|---|---|
BeyondTrust.Account.PlatformID | Number | ID of the managed system platform. |
BeyondTrust.Account.SystemID | Number | ID of the managed system. |
BeyondTrust.Account.SystemName | String | Name of the managed system. |
BeyondTrust.Account.DomainName | Number | ID of the managed account. |
BeyondTrust.Account.AccountName | String | Name of the managed account. |
BeyondTrust.Account.InstanceName | String | Database instance name of a database-type managed system. |
BeyondTrust.Account.DefualtReleaseDuration | Number | Default release duration. |
BeyondTrust.Account.MaximumReleaseDuration | Number | Maximum release duration. |
BeyondTrust.Account.LastChangeDate | Date | The date and time of the last password change. |
BeyondTrust.Account.NexeChangeDate | Date | The date and time of the next scheduled password change. |
BeyondTrust.Account.IsChanging | Boolean | True if the account credentials are in the process of changing, otherwise false. |
BeyondTrust.Account.IsISAAccess | Boolean | True if the account is for Information Systems Administrator (ISA) access, otherwise false. |
BeyondTrust.Account.AccountID | Number | ID of the managed account. |
Command Example
!beyondtrust-get-managed-accounts
Human Readable Output
BeyondTrust Managed Accounts
AccountName | AccountID | AssetName | AssetID | LastChangeDate | NextChangeDate |
---|---|---|---|---|---|
demisto | 1 | Demisto-lab-server | 1 | 2019-05-30T07:30:48.16 | 2019-07-01T21:00:00, |
Test | 2 | Demisto-lab-server | 1 | 2019-05-30T12:05:06.683 | 2019-07-01T21:00:00, |
shelly | 3 | shelly-test | 2 | 2019-05-30T12:59:12.313 |
2. Get a list of managed systems
Returns a list of managed systems.
Base Command
beyondtrust-get-managed-systems
Input
There are no inputs for this command.
Context Output
Path | Type | Description |
---|---|---|
BeyondTrust.System.Port | Number | The port used to connect to the host. If null and the related Platform.PortFlag is true, Password Safe uses Platform.DefaultPort for communication. |
BeyondTrust.System.Timeout | String | Connection timeout – Length of time in seconds before a slow or unresponsive connection to the system fails. |
BeyondTrust.System.ResetPasswordOnMismatchFlag | Boolean | True to queue a password change when scheduled password test fails, otherwise false. |
BeyondTrust.System.ChangeFrequencyDays | Number | When ChangeFrequencyType is “xdays”, the frequency with which the password changes (between 1-90 days). |
BeyondTrust.System.ISAReleaseDuration | Number | Default Information Systems Administrator (ISA) release duration. |
BeyondTrust.System.FunctionalAccountID | Number | ID of the functional account used for local Managed Account password changes. |
BeyondTrust.System.ChangeFrequencyType | String | The change frequency for scheduled password changes: "first"– Changes are scheduled for the first day of the month; "last"– Changes are scheduled for the last day of the month; "xdays"– Changes are scheduled every "x" days (see ChangeFrequencyDays) |
BeyondTrust.System.DirectoryID | Number | ID of the directory. Is set if the Managed System is a Directory. |
BeyondTrust.System.ManagedAssetID | Number | ID of the Managed System. |
BeyondTrust.System.AssetID | Number | ID of the asset. Is set if the Managed System is an Asset or a Database. |
BeyondTrust.System.PlatformID | Number | ID of the Managed System Platform. |
BeyondTrust.System.ElevationCommand | String | Elevation command to use (sudo, pbrun, or pmrun). |
BeyondTrust.System.CheckPasswordFlag | Boolean | True to enable password testing, otherwise false. |
BeyondTrust.System.CloudID | Number | ID of the Cloud System. Is set if the Managed System is a Cloud System. |
BeyondTrust.System.DSSKeyRuleID | Number | ID of the default DSS Key Rule assigned to Managed Accounts that were created under this Managed System. |
BeyondTrust.System.PasswordRuleID | Number | ID of the default Password Rule assigned to Managed Accounts that were created under this Managed System. |
BeyondTrust.System.NetBiosName | String | Domain NetBIOS name. Setting this value will allow Password Safe to fall back to the NetBIOS name, if needed. |
BeyondTrust.System.DatabaseID | Number | ID of the database. Is set if the Managed System is a Database. |
BeyondTrust.System.MaxReleaseDuration | Number | Default maximum release duration. |
BeyondTrust.System.ChangePasswordAfterAnyReleaseFlag | Boolean | True to change passwords on release of a request, otherwise false. |
BeyondTrust.System.SystemName | String | Name of the related entity (Asset, Directory, Database, or Cloud). |
BeyondTrust.System.ReleaseDuration | Number | Default release duration. |
BeyondTrust.System.ContactEmail | String | Email address of the user that manages the system. |
BeyondTrust.System.Description | String | The description of the system. |
BeyondTrust.System.ChangeTime | String | Time (UTC) that password changes are scheduled to occur. |
BeyondTrust.System.AutoManagementFlag | Boolean | True if password auto-management is enabled, otherwise false. |
BeyondTrust.System.LoginAccountID | Number | ID of the Functional Account used for SSH session logins. |
Command Example
!beyondtrust-get-managed-systems
Human Readable Output
BeyondTrust Managed Accounts
ManagedAssetID | ChangeFrequencyDays | AssetID | AssetName | PlatformID | Port |
---|---|---|---|---|---|
1 | 30 | 2 | Demisto-lab-server | 2 | 22, |
2 | 30 | 3 | shelly-test | 2 | 22, |
3 | 30 | 4 | integration-test | 2 | 22, |
4 | 30 | 5 | Cybereason | 2 | 22 |
3. Create a new credentials release request
Creates a new credentials release request. This command gets the credentials (password) of the account for which the request was made. The outputs show the credentials for the requested account as plain text in the War Room, so we recommend that after you run this command, you also run the beyondtrust-change-credentials command.
Base Command
beyondtrust-create-release-request
Input
Argument Name | Description | Required |
---|---|---|
access_type | The type of access requested (View, RDP, SSH). Default is "View". | Optional |
system_id | ID of the Managed System to request. Get the ID from the beyondtrust-get-managed-accounts command. | Required |
account_id | ID of the Managed Account to request. Get the ID from the beyondtrust-get-managed-accounts command. | Required |
duration_minutes | The request duration (in minutes). | Required |
reason | The reason for the request. | Optional |
conflict_option | The conflict resolution option to use if an existing request is found for the same user, system and account ("reuse" or "renew"). | Optional |
Context Output
Path | Type | Description |
---|---|---|
BeyondTrust.Request.Credentials | String | The credentials for the requested ID. |
BeyondTrust.Request.RequestID | Number | The request ID. |
Command Example
!beyondtrust-create-release-request account_id=8 duration_minutes=2 system_id=3
Human Readable Output
4. Check in or release a request
Checks in or releases a request before it expires.
Base Command
beyondtrust-check-in-credentials
Input
Argument Name | Description | Required |
---|---|---|
request_id | ID of the request to release. | Required |
reason | A reason or comment why the request is being released. | Optional |
Context Output
There is no context output for this command.
Command Example
!beyondtrust-check-in-credentials request_id=295
Human Readable Output
The release was successfully checked-in/released
5. Get credential for an approved credentials release request
Retrieves the credentials for an approved and active (not expired) credentials release request.
Base Command
beyondtrust-get-credentials
Input
Argument Name | Description | Required |
---|---|---|
request_id | ID of the Request for which to retrieve the credentials | Required |
Context Output
There is no context output for this command.
Command Example
!beyondtrust-get-credentials request_id=294
Human Readable Output
The credentials for BeyondTrust request: shelly
6. Update credentials for a managed account
Updates the credentials for a Managed Account, optionally applying the change to the Managed System.
Base Command
beyondtrust-change-credentials
Input
Argument Name | Description | Required |
---|---|---|
account_id | ID of the account for which to set the credentials. | Required |
password | The new password to set. If not given, generates a new, random password. | Optional |
public_key | The new public key to set on the host. This is required if PrivateKey is given and updateSystem=true. | Optional |
private_key | The private key to set (provide Passphrase if encrypted). | Optional |
pass_phrase | The passphrase to use for an encrypted private key. | Optional |
update_system | Whether to update the credentials on the referenced system. | Optional |
Context Output
There is no context output for this command.
Command Example
!beyondtrust-change-credentials account_id=8
Human Readable Output
The password has been changed
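The recommendation under command 3 to rotate a password after it has been released can be enforced in an automation by tying the release, check-in and change commands together. This is an added example, not part of the integration's own code: `execute` is a hypothetical adapter that runs one command with its arguments and returns that command's context output as a dictionary, and `with_released_credential` is a name chosen for this example.

```python
from typing import Any, Callable, Dict, Optional

# Assumption: `execute(command, args)` is a hypothetical adapter that runs one
# integration command and returns its context output as a dict, e.g.
# {"RequestID": ..., "Credentials": ...} for a release request.
Executor = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def with_released_credential(execute: Executor, system_id: int, account_id: int,
                             minutes: int, reason: str,
                             action: Callable[[str], Any]) -> Any:
    """Release a password, pass it to `action`, then always check in and rotate."""
    request_id: Optional[int] = None
    try:
        out = execute("beyondtrust-create-release-request", {
            "system_id": system_id,
            "account_id": account_id,
            "duration_minutes": minutes,
            "reason": reason,
        })
        request_id = out["RequestID"]
        # The password goes to the caller's action only; this function does
        # not log or store it.
        return action(out["Credentials"])
    finally:
        if request_id is not None:
            try:
                # Close the request early instead of waiting for it to expire.
                execute("beyondtrust-check-in-credentials",
                        {"request_id": request_id, "reason": "automation finished"})
            finally:
                # The released password was visible in plain text, so rotate it
                # even if the action or the check-in failed.
                execute("beyondtrust-change-credentials", {"account_id": account_id})


if __name__ == "__main__":
    # Constructed stand-in for the integration so the flow runs offline.
    def fake_execute(command: str, args: Dict[str, Any]) -> Dict[str, Any]:
        print(command, args)
        if command == "beyondtrust-create-release-request":
            return {"RequestID": 295, "Credentials": "constructed-secret"}
        return {}

    with_released_credential(fake_execute, 3, 8, 2, "patch window", lambda pw: len(pw))
```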
7. List active release requests
Generates a list of active BeyondTrust requests.
Base Command
beyondtrust-list-release-requests