Cortex XSIAM development tenant - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-11
Category
Administrator Guide
Abstract

Set up a content management system with a development environment to create and test content before using it in a production environment.

A development tenant is a test environment where you can create and check content before using it live in a production tenant.

Before explaining more about development tenants, it is important to understand what content is.

Content

Content includes integrations, automation scripts, playbooks, and other components that enhance Cortex XSIAM capabilities for incident response and threat intelligence management. There are two types of content:

  • System content - content packs you can download from Marketplace. Packs are groups of components that implement use cases. Content packs are created by Palo Alto Networks, technology partners, consulting companies, MSSPs, customers, and individual contributors. Depending on the use case, each content pack includes a combination of different components, such as integrations, scripts, playbooks, and widgets.

  • Custom or user-defined content - custom components you can develop to meet your business needs.

Development tenants

The development tenant provides a safe environment to develop and test the functionality of content before using it in a production environment.

Important

Development tenants are not intended for performance checks, they cannot access production data, and they are connected to a limited number of endpoints. As a result, all development tenants have fewer resources than the production tenant, including data ingestion capacity and performance and compute capabilities. In a development tenant, extreme demand for resources for data ingestion or compute may affect performance and cause latency issues.

After you develop your content, if you want it to be available as part of a content update for the production tenant or additional development tenants, you must push the content from the development tenant to a remote repository.

Content management using a remote repository

In Cortex XSIAM you can use a content management system with a remote repository to develop and test content. You can choose which type of remote repository you want to use, either the Cortex XSIAM built-in remote repository (default), or you can add any private content repository that is Git-based, including GitHub, GitLab, and Bitbucket. In addition, on-premise repositories are also supported.

The development tenant pushes content to a remote repository and the production tenant or additional development tenants pull content from the remote repository.

Push and pull content between tenants

In a cluster of tenants that includes one production tenant and one or more development tenants, only one development tenant pushes (the push tenant). The production tenant and any other development tenants pull content from the push tenant (pull tenants).

Push and pull system content

Only the development push tenant manages system content and updates. Pull tenants cannot manage system content, meaning they cannot download, install, edit, create, or update system content, they are configured to only pull system content from the push tenant. Only the development push tenant has access to Marketplace, so system content updates from Marketplace are delivered only to the development push tenant. Pull tenants do not have Marketplace, so all system content must first be downloaded and installed on the push tenant, pushed to the remote repository, and then pulled into the pull tenants.

Push and pull custom content

Not all custom content can be pushed/pulled. Content that cannot be pushed/pulled can be developed wherever you prefer - in both the development and production tenants, or copied from the development tenant into the production tenant. For example, content that cannot be pushed/pulled includes dashboards and lists, parsing rules, data modeling rules, and correlation rules.

The following system and user-defined content types are push/pull supported:

  • Alert types and fields

  • Indicator types and fields

  • Alert and indicator layouts

  • Layouts

  • Classifiers

  • Integrations

  • Playbooks

  • Scripts

For custom content that can be push/pulled, when pushing content from the development tenant, the content is pulled into the production or other development pull tenants as content updates. You can decide which updates you want to push from the development push tenant to pull tenants via the remote repository.