Search the Cortex Marketplace and find content. Search by use cases, integrations, and categories.
Content in Marketplace is organized into content packs to support specific security orchestration use cases. Content packs are created by Palo Alto Networks, technology partners, contributors, and customers.
In Marketplace, content includes the following:
| Content | Description |
|---|---|
| Actions | Actions wrap diverse capabilities (such as playbooks, scripts, and commands) to make them accessible and executable by an agent. |
| Classifiers | Classification determines the type of issue/indicator that is created for events ingested from a specific integration. You create a classifier and define that classifier in an integration. Mappers map the fields from your third-party integration to the fields in your issue/indicator layouts. |
| Correlation Rules | Analyze the correlation of multiple events from multiple sources by using the Cortex Cloud XQL-based engine to create correlation (scheduled) rules. Issues can then be triggered based on these rules with a defined time frame and schedule. |
| Dashboards | Dashboards consist of visualized data powered by fully customizable widgets, which enable you to analyze data from inside or outside Cortex Cloud, in different formats such as line charts, tables, text, etc. |
| Data Model Rules | Data Model rules enable you to normalize logs for out-of-the-box analytics and data enrichment. This allows you to do the following: Some content packs contain out-of-the-box default Data Model Rules. |
| Indicator types and fields | Indicators are categorized by indicator type, which determines the indicator layout and fields that are displayed and which scripts are run on indicators of that type. |
| Integrations | You can define the following integrations: |
| Issue types and fields | All issues that are ingested into Cortex Cloud are assigned an issue type when they are classified. After you classify the issue, you can then map the relevant fields to the issue. Issue types contain fields that are relevant to the issue type. |
| Layouts and layout rules | Enables you to add rules that define the layout of issues and notifications. When installed, the layout rules are enabled and added as Default Rules. When deleted, all related layout rules (including all Rule sections) are removed from the Default Rules tab. |
| Parsing rules | Enables you to add rules that remove non-required data for analytics, hunting, or regulation, reduce data storage costs, pre-process all incoming data, etc. When installed, the parsing rules are enabled and added as Default Rules. When deleted, all related parsing rules (including all Rule sections) are removed from the Default Rules tab. |
| Playbooks | You can automate many security processes, including handling investigations and managing tickets and security responses that were previously handled manually. When an issue is ingested, the playbook runs and an issue is created. |
| Reports | Reports contain statistical data in the form of widgets (from a dashboard), which enable you to analyze data from inside or outside Cortex Cloud, in different formats such as line charts, tables, text from information, etc. |
| Scripts | Scripts perform specific actions and consist of commands, which are used in playbook tasks and when running commands in the issue War Room. |
Cortex Cloud supports free content packs, which are either Cortex Cloud or partner-supported content packs. You can restrict a user role from managing content packs in Marketplace when defining/editing user roles.
In Marketplace, you can browse all content packs (including installed content) or view only installed content packs.
You can search for content packs by entering text in the search bar and selecting the relevant content pack from the search results.
You can sort content packs by latest update, best match, recommended, or number of downloads, and filter them according to the following criteria:
- Use cases: Filter according to high-level use cases.
- Integrations: Filter according to the integration included in the content pack.
- Categories: Filter according to content pack categories.
- Published: Filter according to whether published by Cortex Cloud or by Cortex Cloud technology partners.
- Content Pack Includes: Filter according to the content of the content pack, such as scripts, integrations, playbooks, and actions.
- Tags: Filter according to tags, such as Issues, Actions, Network, and Security.
When you click a content pack, you can view detailed information, including the content that it installs (such as scripts, playbooks, and integrations), its dependencies (which content packs are required or optional), and its version history (including whether you want to roll back to earlier versions).
You can view Marketplace content packs from within Cortex Cloud (go to → → ) or at Cortex Developer Docs Marketplace.