Content pack structure - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2024-06-04
Category
Developer Guide
Abstract

File structure for files included in the Cortex XSIAM content pack.

For better separation between content artifacts from different use cases and partners, we use a directory structure called content packs. Each content pack behaves like a mini content repo. It contains all relevant content items within its directory.

For example, the Cortex XDR pack can be seen in the content repository Packs/CortexXDR.

To generate a new pack, use demisto-sdk init --pack.

Directories

The directories within the pack represent all the possible content entities. Each pack is located in the Content repo under Packs/<Pack Name>.

- Integrations
- Scripts
- Playbooks
- Reports
- Dashboards
- IncidentTypes
- IncidentFields
- Layouts
- Classifiers
- IncidatorTypes
- IndicatorFields
- Connections
- TestPlaybooks
- ParsingRules
- ModelingRules
- CorrelationRules
- ReleaseNotes
- Triggers
- XSIAMDashboards

Pack files

The pack directory contains multiple configuration files used for metadata and documentation.

Note

All ofthe following files are created using the demisto-sdk init --pack command, and some of them need to be manually populated.

pack_metadata.json

This file contains all the relevant metadata about the pack.

The following fields are populated in the pack metadata.

Field Name

Field Type

Field Description

name

String

The pack name, usually the name of the integration the pack contains (for example Cortex XDR) or the use case implemented in it.

description

String

A short overview of the pack.

support

String

Should be one of the following:

xsoar - Supported by Cortex XSIAM.

partner - Supported by a Cortex XSIAM partner.

developer - Supported by an independent developer/organization.

community - Not officially supported, but available for the community to use.

Note

For partner and developer, either email address or URL fields must be filled out.

currentVersion

String

The pack version, in the format of x.x.x. For the initial release, this should be set to "1.0.0". See Content Pack Versioning.

author

String

The name of the organization (for partners) or developer (for individual contributions) that developed the integration.

url

String

The URL users should refer to for support regarding the pack. Usually, it is the organization support URL or the developer GitHub repository. If left empty the default support site presented to users is the Live Community site.

videos

String

The pack Youtube video link.

email

String

The email address users should reach out to for support regarding the pack.

categories

List

The use case categories that are implemented in the pack, usually set by the integration. See the category list.

tags

List

Tags to be attached to the pack in the Marketplace.

created

String

Pack creation time in ISO 8601 format - YYYY-MM-DDTHH:mm:ssZ. For example 2020-01-25T10:00:00Z.

useCases

List

Use cases implemented by the pack.

keywords

List

List of strings by which the pack can be found in Marketplace.

marketplaces

List

The Marketplace(s) in which the pack can be found.

  • For Cortex XSIAM: marketplacev2

  • For Cortex XSOAR 6 and 8: xsoar

  • For Cortex XSOAR 6: xsoar_on_prem

  • For Cortex XSOAR 8 (Cloud and On-prem): xsoar_saas

hidden

Boolean

(Optional) Whether to hide the pack from Marketplace. If hidden, updates to this pack will not be published to the Marketplace and the pack cannot be installed.

dependencies

Dictionary

(Optional) The content packs that the pack is dependent on. Should be empty on pack creation, as it is calculated by Cortex XSIAM content infrastructure.

displayedImages

List

(Optional) Images to be displayed in Marketplace. Should be empty on pack creation, as it is calculated by Cortex XSIAM content infrastructure.

githubUser

List

(Optional) List of Github usernames to receive notification in the PR in case pack files were modified.

devEmail

List

(Optional) List of emails to receive notification in case contributed pack files were modified.

certification

String

(Optional) If the pack is certified the value of this field should be certified. The possible values are certified and verified.

itemPrefix

String

(Optional) String to overwrite pack fields prefix. You can specify an alternative string instead of the default pack name enforced by the validation process.

Content pack versioning

Pack versions have the format MAJOR.MINOR.REVISION:

Revision when you make backward compatible bug fixes.

Minor when you add functionality in a backward compatible manner.

Major when you make incompatible API changes or revamp the pack by adding significant new backward compatible functionality.

README.md

This file contains a general explanation for the pack. You can add any information relevant for the pack. For more details see the Content Pack README.Content Pack README

.secrets-ignore

This file is used while running demisto-sdk secrets as an allow list of approved words for the PR.

Note

We use demisto-sdk secrets as part of our pre-commit hook to check that possible secrets in the PR aren't exposed to a public repository.

.pack-ignore

This file allows ignoring linter errors while lint checking and ignoring tests in the test collection.

To add ignored tests/linter errors in a file:

  1. Add the file name to the .pack-ignore in the format [file:integration-to-ignore.yml]

  2. On the following line add ignore= flag, with one or more comma-separated values:

    • auto-test - Ignore the test file in the build test collection.

    • linter code - For example, IN126, ignore linter error codes.

By default, script/integration unit tests run without a Docker network.

If one of the integrations/scripts inside a pack needs a network during the unit tests run, use this format:

[tests_require_network]
integration-id-1
script-id-1

Example: .pack-ignore

[file:playbook-Special-Test-Not-To-Run-Directly.yml]
ignore=auto-test

[file:integration-to-ignore.yml]
ignore=IN126,PA116

[tests_require_network]
integration-id-1
script-id-1

Author_image.png

You can add an author image (logo of the contributing company) which is displayed on the Marketplace page for the content pack, under the the PUBLISHER section. The image should be saved in the root directory of the content pack, for example content/packs/MyPackName, and be named Author_image.png). Make sure to use this exact file name for the image to appear. The image size should be up to 4 KB and dimensions of 120x50 pixels.

For Partners, this image is mandatory and is validated as part of the build process. If the file is missing, the build fails with the following validationerror:

- Issues with unique files in pack: $PACK_NAME
  Packs/$PACK_NAME/Author_image.png: [IM109] - Partners must provide a non-empty author image under the path Packs/$PACK_NAME/Author_image.png

If the file Author_image.png does not exist, the name of the author is displayed in the PUBLISHER section instead.

CONTRIBUTORS.json

If you are contributing to an existing pack, you can add a CONTRIBUTORS.json file to the root of the pack if one does not already exist. The file should contain a list of strings including your name.

Example: CONTRIBUTORS.json file

[
    "Jane Doe",
    "John Smith"
]

Once your contribution is merged, pack details shows the following:

xsiam-pack-contributors.png