Integrating PrivX with XSOAR
To integrate PrivX with Cortex XSOAR by Palo Alto Networks, do the following:
- Install XSOAR
- Install PrivX content pack.
- Create a new PrivX role. Grant the role with connections-authorize permissions:
-
Create a new API Client in PrivX UI at Administration→Deployment→Integrate with PrivX Using API Clients.
Grant the previously created role to the API client so the API client receives connections-authorize permissions.
Also ensure that it has a role needed to access the desired account on the target host.
See API-Client Integration for more info.
-
Create an SSH key pair for which the ephemeral certificates are created. This is an example, you can use existing public key as well:
% ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa): id_rsa_test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_test
Your public key has been saved in id_rsa_test.pub
% cat id_rsa_test.pub
ssh-rsa AAAAB3NzaC1yc2EA....GSCjSzEHDclQ== user@host -
Configure PrivX content pack with the following attributes:
Name Name for this integration Your PrivX server address (FQDN or IP) Your PrivX server instance address. If you are using a load balancer in front of your PrivX instances, this is the load balancer address. Your PrivX server HTTPS port HTTPS port of your PrivX endpoint. Default is 443. OAuth client ID PrivX API Client OAuth client ID. For the default installations, this should be always set to "privx-external", which identifies the client as API client. OAuth client secret PrivX API Client OAuth client secret. API client ID PrivX API Client ID API client secret PrivX API Client secret PrivX CA certificate TLS Trust Anchor from PrivX API Clients page. This is used to verify the identity of the PrivX server HTTPS endpoint. User's public key (optional) Public key is required for fetching SSH short term certificates with privx-get-cert command via PrivX API.
Copy the contents of the previously generated public key file id_rsa_test.pub here.
The public key can be configured here, or it can alternatively be passed as command line argument to privx-get-cert command. -
Click "Test" button in XSOAR integration page, you should receive "Success" message:
-
Now you're ready for testing the XSOAR commands:
!privx-get-cert username=xsoar hostname=10.1.12.15
!privx-get-cert username=xsoar hostname=10.1.12.15 service=SSH role-id=b4a9749e-bc9b-5e96-4c63-9bfd58b74e7b
!privx-get-secret name=the-secret
!privx-get-secret name=another-secret