BeyondTrust Password Safe

Unified password and session management for seamless accountability and control over privileged accounts.

Each command is assigned a role. Users cannot run a command unless they are assigned the role for that command.

Fetch Incidents

For the fetch incidents function to work properly, you need to create a new asset, managed system, and managed account in BeyondTrust.

  1. In the BeyondTrust platform, create a new asset.
  2. Create a managed system.
    The name of the system should be the name of the integration (service/platform) you want to use, which will make it easier to filter credentials.
  3. In the managed system, create a managed account.
    The name of the managed account will be the username/email (depending on how the instance is configured) and the password will be the password of the integration (when creating an instance).

Create a BeyondTrust API Key

To configure an integration instance, you need your BeyondTrust API key. The API key is generated after you configure an API Registration. For detailed instructions, see the BeyondTrust Password Safe Admin Guide.

Configure BeyondTrust Password Safe on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for BeyondTrust Password Safe.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1)
    • Username
    • API Key
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Fetch credentials
    • System Name (optional for fetch credentials)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get a list of managed accounts for the current user: beyondtrust-get-managed-accounts
  2. Get a list of managed systems: beyondtrust-get-managed-systems
  3. Create a new credentials release request: beyondtrust-create-release-request
  4. Check in or release a request: beyondtrust-check-in-credentials
  5. Get credential for an approved credentials release request: beyondtrust-get-credentials
  6. Update credentials for a managed account: beyondtrust-change-credentials

1. Get a list of managed accounts for the current user


Returns a list of managed accounts that the current user has permissions to request.

Base Command

beyondtrust-get-managed-accounts

Input

There are no inputs for this command.

Context Output
Path Type Description
BeyondTrust.Account.PlatformID Number ID of the managed system platform.
BeyondTrust.Account.SystemID Number ID of the managed system.
BeyondTrust.Account.SystemName String Name of the managed system.
BeyondTrust.Account.DomainName Number ID of the managed account.
BeyondTrust.Account.AccountName String Name of the managed account.
BeyondTrust.Account.InstanceName String Database instance name of a database-type managed system.
BeyondTrust.Account.DefualtReleaseDuration Number Default release duration.
BeyondTrust.Account.MaximumReleaseDuration Number Maximum release duration.
BeyondTrust.Account.LastChangeDate Date The date and time of the last password change.
BeyondTrust.Account.NexeChangeDate Date The date and time of the next scheduled password change.
BeyondTrust.Account.IsChanging Boolean True if the account credentials are in the process of changing, otherwise false.
BeyondTrust.Account.IsISAAccess Boolean True if the account is for Information Systems Administrator (ISA) access, otherwise false.
BeyondTrust.Account.AccountID Number ID of the managed account.

Command Example
!beyondtrust-get-managed-accounts
Human Readable Output

BeyondTrust Managed Accounts

AccountName AccountID AssetName AssetID LastChangeDate NextChangeDate
demisto 1 Demisto-lab-server 1 2019-05-30T07:30:48.16 2019-07-01T21:00:00
Test 2 Demisto-lab-server 1 2019-05-30T12:05:06.683 2019-07-01T21:00:00
shelly 3 shelly-test 2 2019-05-30T12:59:12.313

2. Get a list of managed systems


Returns a list of managed systems.

Base Command

beyondtrust-get-managed-systems

Input

There are no inputs for this command.

Context Output
Path Type Description
BeyondTrust.System.Port Number The port used to connect to the host. If null and the related Platform.PortFlag is true, Password Safe uses Platform.DefaultPort for communication.
BeyondTrust.System.Timeout String Connection timeout – Length of time in seconds before a slow or unresponsive connection to the system fails.
BeyondTrust.System.ResetPasswordOnMismatchFlag Boolean True to queue a password change when scheduled password test fails, otherwise false.
BeyondTrust.System.ChangeFrequencyDays Number When ChangeFrequencyType is “xdays”, the frequency with which the password changes (between 1-90 days).
BeyondTrust.System.ISAReleaseDuration Number Default Information Systems Administrator (ISA) release duration.
BeyondTrust.System.FunctionalAccountID Number ID of the functional account used for local Managed Account password changes.
BeyondTrust.System.ChangeFrequencyType String The change frequency for scheduled password changes: "first" – Changes are scheduled for the first day of the month; "last" – Changes are scheduled for the last day of the month; "xdays" – Changes are scheduled every "x" days (see ChangeFrequencyDays).
BeyondTrust.System.DirectoryID Number ID of the directory. Is set if the Managed System is a Directory.
BeyondTrust.System.ManagedAssetID Number ID of the Managed System.
BeyondTrust.System.AssetID Number ID of the asset. Is set if the Managed System is an Asset or a Database.
BeyondTrust.System.PlatformID Number ID of the Managed System Platform.
BeyondTrust.System.ElevationCommand String Elevation command to use (sudo, pbrun, or pmrun).
BeyondTrust.System.CheckPasswordFlag Boolean True to enable password testing, otherwise false.
BeyondTrust.System.CloudID Number ID of the Cloud System. Is set if the Managed System is a Cloud System.
BeyondTrust.System.DSSKeyRuleID Number ID of the default DSS Key Rule assigned to Managed Accounts that were created under this Managed System.
BeyondTrust.System.PasswordRuleID Number ID of the default Password Rule assigned to Managed Accounts that were created under this Managed System.
BeyondTrust.System.NetBiosName String Domain NetBIOS name. Setting this value will allow Password Safe to fall back to the NetBIOS name, if needed.
BeyondTrust.System.DatabaseID Number ID of the database. Is set if the Managed System is a Database.
BeyondTrust.System.MaxReleaseDuration Number Default maximum release duration.
BeyondTrust.System.ChangePasswordAfterAnyReleaseFlag Boolean True to change passwords on release of a request, otherwise false.
BeyondTrust.System.SystemName String Name of the related entity (Asset, Directory, Database, or Cloud).
BeyondTrust.System.ReleaseDuration Number Default release duration.
BeyondTrust.System.ContactEmail String Email address of the user that manages the system.
BeyondTrust.System.Description String The description of the system.
BeyondTrust.System.ChangeTime String Time (UTC) that password changes are scheduled to occur.
BeyondTrust.System.AutoManagementFlag Boolean True if password auto-management is enabled, otherwise false.
BeyondTrust.System.LoginAccountID Number ID of the Functional Account used for SSH session logins.

Command Example
!beyondtrust-get-managed-systems
Human Readable Output

BeyondTrust Managed Accounts

ManagedAssetID ChangeFrequencyDays AssetID AssetName PlatformID Port
1 30 2 Demisto-lab-server 2 22
2 30 3 shelly-test 2 22
3 30 4 integration-test 2 22
4 30 5 Cybereason 2 22

3. Create a new credentials release request


Creates a new credentials release request. This command gets the credentials (password) of the account for which the request was made. The output shows the credentials that were created for the requested account as plain text in the War Room, so we recommend that after you run this command, you also run the beyondtrust-change-credentials command.

Base Command

beyondtrust-create-release-request

Input
Argument Name Description Required
access_type The type of access requested (View, RDP, SSH). Default is "View". Optional
system_id ID of the Managed System to request. Get the ID from the beyondtrust-get-managed-accounts command. Required
account_id ID of the Managed Account to request. Get the ID from the beyondtrust-get-managed-accounts command. Required
duration_minutes The request duration (in minutes). Required
reason The reason for the request. Optional
conflict_option The conflict resolution option to use if an existing request is found for the same user, system and account ("reuse" or "renew"). Optional
Context Output
Path Type Description
BeyondTrust.Request.Credentials String The credentials for the requested ID.
BeyondTrust.Request.RequestID Number The request ID.

Command Example
!beyondtrust-create-release-request account_id=8 duration_minutes=2 system_id=3
Human Readable Output

4. Check in or release a request


Checks in or releases a request before it expires.

Base Command

beyondtrust-check-in-credentials

Input
Argument Name Description Required
request_id ID of the request to release. Required
reason A reason or comment why the request is being released. Optional

Context Output

There is no context output for this command.

Command Example
!beyondtrust-check-in-credentials request_id=295
Human Readable Output

The release was successfully checked-in/released

5. Get credential for an approved credentials release request


Retrieves the credentials for an approved and active (not expired) credentials release request.

Base Command

beyondtrust-get-credentials

Input
Argument Name Description Required
request_id ID of the Request for which to retrieve the credentials. Required

Context Output

There is no context output for this command.

Command Example
!beyondtrust-get-credentials request_id=294
Human Readable Output

The credentials for BeyondTrust request: shelly

6. Update credentials for a managed account


Updates the credentials for a Managed Account, optionally applying the change to the Managed System.

Base Command

beyondtrust-change-credentials

Input
Argument Name Description Required
account_id ID of the account for which to set the credentials. Required
password The new password to set. If not given, generates a new, random password. Optional
public_key The new public key to set on the host. This is required if PrivateKey is given and updateSystem=true. Optional
private_key The private key to set (provide Passphrase if encrypted). Optional
pass_phrase The passphrase to use for an encrypted private key. Optional
update_system Whether to update the credentials on the referenced system. Optional

Context Output

There is no context output for this command.

Command Example
!beyondtrust-change-credentials account_id=8
Human Readable Output

The password has been changed
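
Workflow example (added here, not part of the integration's own code): command 3 recommends running beyondtrust-change-credentials after a release because the credentials appear in plain text in the War Room. The Python below chains commands 3, 4, and 6 so that check-in and rotation happen even when the step that uses the secret fails. run_command is a hypothetical adapter that runs one command and returns its context output as a dict keyed by the field names in the tables above (RequestID, Credentials); FakePasswordSafe and its values are constructed stand-ins for a real server.

```python
from typing import Any, Callable, Dict

# Hypothetical adapter: runs one integration command with its arguments and
# returns that command's context output as a dict (empty when there is none).
RunCommand = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def use_released_credentials(run_command: RunCommand, system_id: int,
                             account_id: int, duration_minutes: int,
                             reason: str, use: Callable[[str], Any]) -> Any:
    """Request a release, pass the secret to `use`, then always check in and rotate."""
    request = run_command("beyondtrust-create-release-request", {
        "system_id": system_id,
        "account_id": account_id,
        "duration_minutes": duration_minutes,
        "reason": reason,
    })
    try:
        return use(request["Credentials"])
    finally:
        # The released password is now in the War Room in plain text, so end
        # the release early and rotate the password even if `use` raised.
        try:
            run_command("beyondtrust-check-in-credentials",
                        {"request_id": request["RequestID"], "reason": reason})
        finally:
            run_command("beyondtrust-change-credentials", {"account_id": account_id})


class FakePasswordSafe:
    """Constructed stand-in that records commands instead of calling a server."""
    def __init__(self) -> None:
        self.calls = []
    def __call__(self, command: str, args: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append(command)
        if command == "beyondtrust-create-release-request":
            return {"RequestID": 295, "Credentials": "constructed-secret"}
        return {}


def demo_failure_still_rotates() -> list:
    def failing_use(secret: str) -> None:
        raise RuntimeError("constructed downstream failure")
    fake = FakePasswordSafe()
    try:
        use_released_credentials(fake, 3, 8, 2, "example", failing_use)
    except RuntimeError:
        pass
    return fake.calls
```

Calling beyondtrust-change-credentials with only account_id, as here, relies on the behavior documented for command 6: when no password is given, a new random password is generated.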