01-24-2023 06:55 AM
Hello
I'm looking for an automation where I'm able to download the freshly created xdr-distribution-file.
In my Playbook I've created the following steps:
- xdr-get-distribution-versions
- xdr-create-distribution
- xdr-get-distribution-url
Now, the last step gives me a URL to download the xdr-file.
I would like to download that file to put it on our internal server for our client developers.
Does anyone have an idea how I may get that file?
thanks
roger
01-24-2023 07:33 AM
Hi @r_buchwalder ,
Have you checked XDR API reference documentation - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Distribution-URL
If I understand your question, all the information should already be there.
Just reading the docs, it seems the flow should be as follows:
- Make the Create Distribution API call (Create Distributions • Cortex XDR API Reference • Reader • Palo Alto Networks documentation portal), which will return the distribution ID.
- Make the Get Distribution Status API call, providing the ID from the previous call. This will tell you if the package is ready for download or still being created. You probably need to loop this until the status is ready.
- Make the Get Distribution URL API call, providing the same ID. This will return the URL from which you can then download the package.
01-24-2023 07:39 AM
Hello @aleksandar.astardzhiev
That is exactly what I did. But now, I would like to download that file in XSOAR and put it on an SMB share.
The URL I get needs a Palo-Login...
Is there an automated way to get that file within XSOAR?
thanks
R_buchwalder
01-24-2023 08:19 AM
Hi @r_buchwalder,
The URL provided in the response from the "Get Distribution URL" API is signed and only lasts for a short amount of time. You can download the file by making a GET or POST request directly to that URL with the standard headers (Authorization, x-xdr-auth-id) as you would for any other XDR API call.
For example, here is how you can make such a request with curl to download the installation package from the distribution_url:
curl --location --request POST 'DISTRIBUTION_URL_GOES_HERE' \
--header 'Authorization: API_KEY_GOES_HERE' \
--header 'x-xdr-auth-id: API_KEY_ID_GOES_HERE' \
--output '/path/to/file.msi'
I hope this helps!
Regards,
Tim
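Added example, not part of either reply above and not Palo Alto Networks code: a Python sketch of the status-polling and URL-retrieval steps described in this thread, using the same two headers as the curl command and raising on the error envelope format the API returns. The endpoint paths, the "request_data" body, the "Completed" status value and the "x64" package type are assumptions to check against the API reference; `make_post`, `unwrap` and `fetch_distribution_url` are hypothetical helper names.

```python
import json
import time
import urllib.request

# Assumptions (not from this thread): endpoint paths, the "request_data"
# envelope, the "Completed" status value and the "x64" package type. Check
# them against the Cortex XDR API reference for your tenant.
STATUS_PATH = "/public_api/v1/distributions/get_status/"
URL_PATH = "/public_api/v1/distributions/get_dist_url/"


def auth_headers(api_key, api_key_id):
    """Standard-key headers, the same pair the curl command above sends."""
    return {"Authorization": api_key, "x-xdr-auth-id": str(api_key_id),
            "Content-Type": "application/json"}


def make_post(base_url, headers):
    """Return post(path, body) -> parsed JSON for one tenant (stdlib only)."""
    def post(path, body):
        req = urllib.request.Request(base_url + path, method="POST",
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def unwrap(response):
    """Return the "reply" object, raising if it is an err_code envelope."""
    reply = response.get("reply", {})
    if isinstance(reply, dict) and "err_code" in reply:
        raise RuntimeError(f"XDR API error {reply['err_code']}: {reply.get('err_msg')}")
    return reply


def fetch_distribution_url(post, distribution_id, package_type="x64",
                           attempts=40, interval=15, sleep=time.sleep):
    """Poll the status until the package is built, then ask for its URL."""
    request = {"request_data": {"distribution_id": distribution_id}}
    for _ in range(attempts):
        if unwrap(post(STATUS_PATH, request)).get("status") == "Completed":
            request["request_data"]["package_type"] = package_type
            return unwrap(post(URL_PATH, request))["distribution_url"]
        sleep(interval)
    raise TimeoutError(f"distribution {distribution_id} not ready after {attempts} polls")
```

In a playbook, build the transport with `make_post(base_url, auth_headers(key, key_id))` and keep the key in the platform's credential store rather than in the script body.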
07-07-2023 07:28 AM
Hello Tim
If I do that with the curl trick, I get this as the response:
{"reply": {"err_code": 401, "err_msg": "Public API request unauthorized", "err_extra": null}}
The key-ID and keys are all the same.
If I call the URL directly in a browser, I also get an HTTP 401 error.
regards
rog