Content pack metadata file - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2024-06-04
Category
Developer Guide
Abstract

Information about the pack_metadata.json used to display a description of the content pack in the Marketplace, and apply tags, use cases and categories to a content pack.

Each content pack contains a pack_metadata.json file that contains a short description of the content pack that is displayed in Marketplace. The metadata file also contains tags, categories, and use cases for the content pack.

When displayed in Marketplace, content packs contain the following documentation sections:

  • Description: Displayed in the content pack card when browsing Marketplace and at the top of the Details tab.

    Example: Content pack card

    xsiam-content-pack-description-card.png

    Example: Details tab with Description and README

    xsiam-content-pack-description-and-readme.png
  • Videos: Displayed in the main display area and in the middle of the Details tab.

  • README: The content pack README file, if it exists, is displayed in the main display area and in the bottom of the Details tab.

Pack description

Abstract

Guidelines for writing a pack description file, which provides a short overview of the pack when browsing the Marketplace.

The pack description is the first information users see when they go to your content pack. It's important to give a detailed, thorough description of what the pack contains, use cases, and overall benefits of the pack. The pack description is maintained in the pack_metadata.json file under the description field. Packs should always contain a description, even if a README file is provided with more details. This enables users to get a short overview of the pack when browsing the Marketplace.

General description guidelines
  • Short and to the point

  • Convey gain/benefit for the user

  • If possible - what is unique about this pack (for example, minimal, extended, fast, thorough, streamlined)

  • Use active voice (you, yours, do, use, investigate) where possible

  • Omit redundancy (do not repeat the name of the pack, do not start with "Use this…")

  • Capitalize product names

  • Use present tense consistently (for example, if "engages" than "investigates", not "investigating")

  • Up to 150 chars

  • Up to 4 lines

Examples

Before

After

Turn a "fat" description into a "lean" description

300 chars / 44 words

Use this content pack to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself and enriching the relevant IOCs. The final remediation tasks are always decided by a human analyst.

139 chars / 10 words

Streamline investigation and remediation of Phishing incidents. Playbook engages with users while simultaneously investigates and enriches.

Turn a "passive" description into a "active" description:

Passive and impersonal

Provides data enrichment for domains and IP addresses.

Active and personal

Enrichment for your domains and IP addresses.

Example sentences:

  • "Streamline your ___ process for ___. Optimized for _ and ____ this ___ targeted content pack is ideal for _"

  • "Eliminate ____ by improving your__. Rich with layouts and playbooks, this content pack is right for ____"

  • "Get smarter. This pack utilizes _ and ___for when _ is heavily needed"

Pack Videos

For larger packs that provide at least one end-to-end use case, you are encouraged to create a short video or a few videos for the pack that are displayed in the Details tab of the pack in Marketplace. The videos files should be hosted on YouTube, and they should contain a more detailed overview of the pack compared to the Description section.

Add the video link to the pack_metadata.json file. For example, for the Malware Investigation and Response content pack:

{
    "name": "Malware Investigation and Response",
    "description": "Accelerate the investigation of your endpoint malware alerts and incidents and trigger containment activities quickly.",
    "support": "xsoar",
    "videos": [
        "https://www.youtube.com/watch?v=DtGIefyoTao"
    ],

Pack keywords, tags, use cases, and categories

Abstract

Use content pack tag, category, and keyword metadata elements to identify and find packs more easily.

To classify packs and make them easier to find, you can use the following pack metadata elements in the pack metadata file.

xsiam-pack-metadata.png
Use cases

The use case must be one or more of the approved use cases.

Tags

Tags make it easier to find packs using filters or the search bar, and are visible on the screen to help understand what the pack is and its benefit to users.

Tags must be from the list of approved tags.

Categories

The high level field/subject the pack relates to. Your pack should fall into one of the approved existing categories.

Keywords

Keywords operate like tags to assist in searching for packs, but they aren't displayed in the UI. You can add keywords as needed.

For example, for a pack related to messaging, you may want to add "msg" as a keyword so when a user searches for "msg" they will find the pack, but the word "msg" won't display in the UI.

You can add any keywords you want, the list is not restricted.