As seen here, it is possible to integrate with third-party credential vaults for Cortex XSOAR to use when authenticating with integrations. This article provides an example of such an integration.
In order to fetch credentials into the Cortex XSOAR credentials store, the integration needs to be able to retrieve credential objects in the format of a username and password (key:value).
For this example we are going to look at the HashiCorp Vault integration. The first thing you need to do is add a boolean parameter with the name isFetchCredentials (you can give it a different display name). When this parameter is set to true, Cortex XSOAR will fetch credentials from the integration.
It would look something like this:
When Cortex XSOAR tries to fetch credentials from the integrations, it will call a command called
This is where you should implement the credentials retrieving logic:
In the fetch_credentials function, you should retrieve the credentials from the vault and create new JSON objects in the format:
In the end you should have a credentials list that contains the above objects.
When you're done creating the credentials objects, send them to the credentials store by using:
When an integration instance is configured with credentials from a vault, each time credentials are needed Cortex XSOAR will query the vault integration with an identifier for the relevant integration as an argument to the fetch_credentials command (accessible via the
identifier reflects the name property of the credentials object.
It is important to use it to return only one set of credentials for the relevant integration, because if multiple credential sets are returned, the process will fail and an error will be thrown.
If everything went well you should be able to see the credentials in the Cortex XSOAR credentials store:
Note that these credentials cannot be edited or deleted; they reflect what's in the vault. You can stop fetching credentials by unticking the Fetch Credentials checkbox in the integration settings.
In case of an error during the process, you can debug your code by adding a test command that calls the
Make sure you send a credentials list in the right format and as a valid JSON.
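The identifier handling and the format check described above can be sketched as follows. This is an added example, not code from the HashiCorp Vault integration or from Cortex XSOAR. The user/password/name keys, the sample secrets and all function names are assumptions, and the XSOAR runtime calls are left out so that it runs offline.

```python
import json

# Constructed sample of secrets read from a vault (not real data).
SAMPLE_SECRETS = [
    {"name": "jira-prod", "data": {"username": "svc_jira", "password": "s3cr3t-1"}},
    {"name": "splunk-prod", "data": {"username": "svc_splunk", "password": "s3cr3t-2"}},
    {"name": "token-only", "data": {"token": "abc"}},  # not a username/password pair
    {"name": "shared", "data": {"username": "a", "password": "x"}},
    {"name": "shared", "data": {"username": "b", "password": "y"}},  # name collision
]
REQUIRED_KEYS = ("user", "password", "name")  # assumed credential object keys


def build_credentials(secrets, identifier=None):
    """Map vault secrets to credential objects, optionally narrowed to one name."""
    creds = []
    for secret in secrets:
        data = secret.get("data", {})
        if not data.get("username") or not data.get("password"):
            continue  # skip secrets that are not a username/password pair
        creds.append({"user": data["username"], "password": data["password"],
                      "name": secret["name"]})
    if identifier is None:
        return creds  # periodic fetch: every credential set
    matches = [c for c in creds if c["name"] == identifier]
    if len(matches) > 1:
        # Several sets for one identifier make the lookup fail, so stop here
        # with a message that names the identifier but no secret values.
        raise ValueError(f"{len(matches)} credential sets named {identifier!r}")
    return matches


def validate_credentials(creds):
    """Debug check: list is valid JSON and every object has non-empty string fields."""
    json.loads(json.dumps(creds))  # TypeError if something is not JSON-serializable
    for c in creds:
        if any(not isinstance(c.get(k), str) or not c[k] for k in REQUIRED_KEYS):
            raise ValueError(f"malformed credential object: {c.get('name')!r}")
    return True


def redact(creds):
    """Copy that is safe to print from a test command; passwords are masked."""
    return [{**c, "password": "***"} for c in creds]


if __name__ == "__main__":
    one = build_credentials(SAMPLE_SECRETS, identifier="jira-prod")
    validate_credentials(one)
    print(redact(one))
```

In a test command, print only the output of redact so that vault passwords do not end up in the war room or in logs.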