Development scope - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2024-06-04
Category
Developer Guide
Abstract

Determine which content items to create based on your use case design.

Based on your use case, you can determine which content items to create.

You can create individual content items for your own use, or package one or more content items together in a content pack. Contributions are content packs that you create for Marketplace and submit to Cortex XSIAM for review and approval. After approval, the content pack is published to Marketplace, where other users can install it.

Playbooks

If you have an end-to-end use case in mind, you likely need one or more playbooks. Think about the process that you want to automate and the steps and the decisions during the process. These steps and decisions become the playbook tasks. Check if any or all of these building blocks are already part of Cortex XSIAM by browsing Marketplace.

You can have multiple playbooks in the same content pack, as long as they are related to a similar end-to-end use case. If they are completely separate, consider splitting them into multiple content packs.

Playbooks can use sub-playbooks from the same content pack or from other content packs; the dependency between packs can be set as mandatory or optional. To let a playbook keep running when an instance of a script, playbook, or sub-playbook it calls is not available, select the Skip this branch if this script/playbook is unavailable option in the playbook task fields.

Cortex XSIAM provides a number of generic playbooks that can be used as sub-playbooks.

Integrations

Create an integration if:

  • You have a use case in mind that requires communicating with a third-party system or API, but there is no integration available for it in the Cortex XSIAM Marketplace.

  • You are a vendor and you want Cortex XSIAM to be able to interact with your product or retrieve indicators from your threat intel feed.

Integrations are the building blocks that enable external communications and form the foundations of playbooks.

While you can include multiple integrations within a single content pack, we recommend in most cases including only one integration per content pack. If you are building two separate integrations to interact with two different third-party products, you should create a separate content pack for each product.

Data model rules, parsing rules, correlation rules, alert fields, layouts, classifiers, mappers, and playbooks

If you are creating an integration that fetches alerts from a third-party system, the content pack usually needs additional items so that the fetched data is parsed, normalized, classified, and displayed correctly:

  • Data model rules

    Data model rules map logs from any source or dataset into a single, unified data model, so that all data shares one consolidated schema and can be queried and correlated the same way regardless of origin. Use the default rules that are added automatically when you install a content pack from Marketplace, or create user-defined rules.

  • Parsing rules

    Parsing rules define patterns or regular expressions that specify how to identify and extract specific pieces of information from incoming raw data. For example, a parsing rule can extract IP addresses, URLs, or file names into their own fields.

  • Correlation rules

    Correlation rules use the Cortex Query Language (XQL) engine to analyze related events from multiple sources on a schedule. A correlation rule triggers an alert when its query matches within the defined time frame; the schedule can be every X minutes, once a day, once a week, or a custom interval.

  • Alert fields

    Create alert fields for data that is specific to your custom alert type. Associate each alert field only with the alert type you created, and prefix the field names accordingly (for example, with the product name) so that the association is clear and the names do not collide with fields from other content packs.

  • Layouts

    As you create alert fields, they can be added to new alert layouts, making the most relevant information visible to your users.

  • Classifiers

    Create a classifier that determines which alert type Cortex XSIAM assigns to each incoming alert.

  • Mapper

    A mapper determines how fields in the raw JSON of the incoming alert are mapped to alert fields.

  • Playbooks

    Playbooks can be associated with an alert type and run automatically on incoming alerts of that type. Such a playbook might enrich the indicators found in the alert or perform additional triage. For an example, see the Handle Hello World Alert playbook.
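The parsing, data model and correlation items above form one pipeline: raw lines are parsed into fields, the fields are normalized onto a unified schema, and a scheduled rule then counts across sources. The following is an added Python example that is not part of this page or of Cortex XSIAM; it models that pipeline in plain Python rather than in the product's parsing-rule or XQL syntax. The `fw`/`ssh` source labels, the log lines, the unified field names and the brute-force threshold are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample events from two hypothetical sources (a firewall and sshd).
# Neither the format nor the source labels are real Cortex XSIAM datasets.
RAW_LOGS = [
    ("fw",  "2024-06-04T10:00:01Z action=deny src=203.0.113.7 dst=10.0.0.5 url=http://files.example.net/update.exe"),
    ("ssh", "2024-06-04T10:00:05Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51122 ssh2"),
    ("ssh", "2024-06-04T10:00:09Z sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2"),
    ("fw",  "2024-06-04T10:00:12Z action=allow src=198.51.100.2 dst=10.0.0.9 url=https://intranet.example.net/"),
    ("ssh", "2024-06-04T10:00:40Z sshd[1203]: Accepted password for admin from 203.0.113.7 port 51130 ssh2"),
    ("ssh", "2024-06-04T10:30:00Z sshd[1300]: Failed password for admin from 198.51.100.2 port 40000 ssh2"),
    ("fw",  "this line does not match any rule"),
]

# Parsing rules: one regular expression per source, extracting named fields.
PARSING_RULES = {
    "fw": re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) url=(?P<url>\S+)$"),
    "ssh": re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"),
}


def parse(source, line):
    """Apply the source's parsing rule; return the extracted fields, or None when nothing matches."""
    rule = PARSING_RULES.get(source)
    match = rule.match(line) if rule else None
    return match.groupdict() if match else None


def to_data_model(source, fields):
    """Data model rule: map source-specific fields onto one unified schema (assumed field names)
    so that correlation logic never needs to know which product produced the event."""
    ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"time": ts, "source": source, "src_ip": fields["src"], "dst_ip": fields.get("dst"),
             "user": fields.get("user"), "url": fields.get("url"), "file_name": None, "outcome": None}
    if source == "fw":
        event["outcome"] = "FAIL" if fields["action"] == "deny" else "SUCCESS"
    elif source == "ssh":
        event["outcome"] = "FAIL" if fields["result"] == "Failed" else "SUCCESS"
    if event["url"]:
        # Derive a file name only from the URL path, never from the host part.
        last = urlparse(event["url"]).path.rsplit("/", 1)[-1]
        event["file_name"] = last if "." in last else None
    return event


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: alert the first time a src_ip accumulates `threshold` FAIL outcomes,
    from any source, inside a sliding time window."""
    alerts, recent, fired = [], {}, set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["outcome"] != "FAIL":
            continue
        bucket = recent.setdefault(ev["src_ip"], [])
        bucket.append(ev["time"])
        bucket[:] = [t for t in bucket if ev["time"] - t < window]  # drop failures outside the window
        if len(bucket) >= threshold and ev["src_ip"] not in fired:
            fired.add(ev["src_ip"])
            alerts.append({"alert_type": "Hypothetical Brute Force", "src_ip": ev["src_ip"],
                           "failures": len(bucket), "first_seen": bucket[0], "last_seen": ev["time"]})
    return alerts


def run_pipeline(raw_logs=RAW_LOGS):
    """Parse, normalize and correlate; unparsable lines are dropped rather than aborting the run."""
    events = []
    for source, line in raw_logs:
        fields = parse(source, line)
        if fields is not None:
            events.append(to_data_model(source, fields))
    return events, correlate(events)


if __name__ == "__main__":
    modeled, found = run_pipeline()
    for alert in found:
        print(alert)
```

The single firewall deny and the two sshd failures from 203.0.113.7 only add up to a threshold-crossing alert because both sources were first mapped onto the same `outcome` and `src_ip` fields; with per-source field names the rule would have to be written once per product.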

Scripts (automations)

Scripts work with data that is already in Cortex XSIAM, whereas integrations communicate with external APIs. Scripts are often used to transform data, visualize it, or trigger playbooks when certain conditions occur. You usually do not need to plan exactly which scripts you need early in the design process; as content development progresses, it becomes clear, for example, that a playbook needs a particular script to transform alert data into a usable form.
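The classifier and mapper items in the previous section, and the kind of in-platform data transformation a script performs, can be shown together on raw alert JSON. The following is an added Python example that is not part of this page or of Cortex XSIAM: a classifier picks the alert type from one key of the raw alert, a per-type mapper resolves dotted JSON paths into alert fields, and a check enforces the per-type field name prefix convention. The `Acme` product name, the alert payloads, the field names and the path syntax are this example's own assumptions.

```python
# Constructed raw alerts as a hypothetical third-party API might return them.
RAW_ALERTS = [
    {"id": "a-1", "category": "malware", "host": {"name": "ws01", "ip": "10.0.0.5"},
     "detection": {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "severity": 4}},
    {"id": "a-2", "category": "login", "actor": {"user": "admin", "ip": "203.0.113.7"}, "result": "failure"},
    {"id": "a-3", "category": "unknown-thing"},
]

# Classifier: which raw key selects the alert type, and a fallback type for unknown values.
CLASSIFIER = {
    "key": "category",
    "types": {"malware": "Acme Malware", "login": "Acme Login"},
    "default": "Acme Generic",
}

# Mappers: alert field name -> dotted path into the raw JSON. Fields shared by every type
# keep their generic names; type-specific fields are prefixed with the lowercased type name.
COMMON_MAPPING = {"name": "id"}
MAPPERS = {
    "Acme Malware": {"acmemalwarehostname": "host.name", "acmemalwarehostip": "host.ip",
                     "acmemalwaresha256": "detection.sha256", "acmemalwareseverity": "detection.severity"},
    "Acme Login": {"acmeloginuser": "actor.user", "acmeloginsourceip": "actor.ip", "acmeloginresult": "result"},
    "Acme Generic": {},
}


def get_path(obj, path):
    """Resolve a dotted path; a missing or non-object segment yields None instead of raising."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def classify(raw):
    value = get_path(raw, CLASSIFIER["key"])
    return CLASSIFIER["types"].get(value, CLASSIFIER["default"])


def map_alert(raw):
    """Classify, then map raw JSON into alert fields; unmapped fields are omitted, not set to None."""
    alert_type = classify(raw)
    mapping = {**COMMON_MAPPING, **MAPPERS[alert_type]}
    fields = {dst: get_path(raw, src) for dst, src in mapping.items()}
    return {"type": alert_type, "fields": {k: v for k, v in fields.items() if v is not None}}


def prefix_violations(mappers=MAPPERS):
    """Return type-specific field names that do not carry their alert type's prefix."""
    bad = []
    for alert_type, mapping in mappers.items():
        prefix = alert_type.lower().replace(" ", "")
        bad.extend(f"{alert_type}: {name}" for name in mapping if not name.startswith(prefix))
    return bad


if __name__ == "__main__":
    for raw in RAW_ALERTS:
        print(map_alert(raw))
    print("prefix violations:", prefix_violations())
```

The fallback type matters in practice: an alert whose classifier key carries a value the content pack has never seen still becomes a visible alert of the generic type, instead of being silently dropped or failing the fetch.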

Dashboards & widgets

If you want to visualize summarized and aggregated data about anything in Cortex XSIAM (for example, incidents, alerts, and indicators), you can create custom dashboards and widgets. Dashboards are collections of widgets that can be customized and included in content packs.