Contribution demo preparation - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2024-06-04
Category
Developer Guide
Abstract

How to prepare for a demo and how the demo is conducted as the last stage of the contribution before it is merged into the content internal repo.

A demo is the last stage required before the contribution is merged into the content internal repo. To be as prepared as possible and to avoid post-demo change requests, review all of the steps below.

Note

A contribution demo is not required for community-supported content packs.

General notes

  • The purpose of the demo is to verify the contribution meets Cortex XSIAM standards and to check that features work as expected, while providing a satisfactory user experience.

  • The contributor, the PR reviewer, and in some cases a security reviewer, participate in the demo.

  • The demo can take up to one hour.

Before the demo

  • Verify the change requests from your code review are fully addressed and fixed.

  • Prepare a Cortex XSIAM tenant that has all recent changes and has the most updated version of your content pack. The demo is performed in this environment.

Demo agenda and workflow

The following agenda may vary based on the size and scope of the contribution. Each demo section is listed with a description of what is covered in it.

Product Overview

Short general explanation about the product.

Use Cases Overview

The specific use cases for the customer.

Integration Commands Overview

Review which commands are implemented.

Demo Integration Instance Configuration

  • Verify it's clear how to retrieve required credentials.

  • Verify correct error handling - what happens when credentials are incorrect.

Demo Integration Commands

Verify that commands, arguments, and outputs (including their descriptions) follow the content standards.

Demo Fetch Incidents (if applicable)

Verify that incidents are fetched and displayed correctly.

Demo Playbooks (if applicable)

Verify that playbooks run as expected.

Review Layouts, Alert and Indicator Types, Alert and Indicator Fields, and Classifiers (if applicable)

  • Verify the layout is bound to the incident/indicator type.

  • Verify the alert/indicator fields are bound to the alert/indicator types.

  • Verify the classifier is bound to the incident type.

  • Verify the playbook is bound to an incident type.

After the demo

  • If changes were requested during the demo by the reviewers, make and commit these changes.

  • After all requested changes are made, the PR is merged.