Install an engine - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Install, deploy and configure Cortex XSIAM engines.

When you install the engine, the d1.conf is installed on the engine machine, which contains engine properties such as proxy, log level, and log files. If Docker/Podman is already installed, the python.engine.docker and powershell.engine.docker keys are set to true. If Docker or Podman is not available when the engine is installed, the key is set to false. If so, you need to set the key to true after installing Docker and Podman. Verify that python.engine.docker and powershell.engine.docker configuration keys are present in the d1.conf file.


If you are using DEB, RPM, or Zip installation, install Docker or Podman. To run Docker-dependent integrations and scripts on CentOS v7, install Mirantis Container Runtime.

Cortex XSIAM supports the following file types for installation on the engine machine:

  • Shell: For all Linux deployments, including Ubuntu, and SUSE, except CentOS 7.x. Automatically installs Docker/Podman, downloads Docker/Podman images, enables remote engine upgrade, and allows installation of multiple engines on the same machine.

    The installation file is selected for you. Shell installation supports the purge flag, which by default is false. To uninstall an engine, run the installer with the purge flag enabled.


    When upgrading an engine that was installed using the Shell installation, you can use the Upgrade Engine feature in the Engines page. For CentOS 7 or Amazon Linux 2 type engines, you need to upgrade these engine types using a zip type engine and not use the Upgrade Engine feature.

    If you use the shell installer, Docker/Podman is automatically installed.

  • DEB: For Ubuntu operating systems.

  • RPM: RHEL operating systems.


    Use DEB and RPM installation when shell installation is not available. You need to manually install Docker or Podman and any dependencies. If installing on CentOS v7 you need to install Mirantis Container Runtime (formerly Docker Engine - Enterprise) or Red Hat's Docker distribution to run specific Docker-dependent integrations and scripts.

  • Zip: Used for CentOS 7 and Amazon Linux 2 machines.

  • Configuration: Configuration file for download. When you install one of the other options, this configuration file (d1.conf ) is installed on the engine machine.


For DEB/RPM engines, Python (including 3.x) and the containerization platform (Docker/Podman) must be installed and configured. For Docker or Podman to work correctly on an engine, IPv4 forwarding must be enabled.

  1. Create an engine.

    1. Select SettingsConfigurationsData BrokerEnginesCreate New Engine.

    2. In the Engine Name field, add a meaningful name for the engine.

    3. Select one of the installer types from the list.

    4. (Optional) (Shell only) Select the checkbox to enable multiple engines to run on the same machine.

      If you have an existing engine, and you did not select the checkbox, and now you want to install another engine on the same machine, you need to delete the existing engine.

    5. (Optional) Add any required configuration in JSON format.

    6. Click OK to create the engine.

  2. For shell installation, do the following:


    For Linux systems, we recommend using the shell installer. If using CentOS 7.x, or Amazon Linux 2, use the zip installer (see step 4).

    1. Move the .sh file to the engine machine using a tool such as SSH or PuTTY.

    2. On the engine machine, grant execution permission by running the following command:

      chmod +x /<engine-file-path>

    3. Install the engine by typing one of the following commands:

      With tools: sudo <engine-file-path>

      Without tools: sudo <engine-file-path> -- -tools=false

      If you receive a permissions denied error, it is likely that you do not have permission to access the /tmp directory.

  3. For RPM/DEB installation, do the following:

    1. Move the file to the required machine using a tool such as SSH or PuTTY.

    2. Type one of the following installation commands:

      Machine Type

      Install Command

      RHEL (RPM)

      sudo rpm -Uvh d1-2.5_15418-1.x86_64.rpm

      Ubuntu (DEB)

      sudo dpkg --install d1_xxx_amd64.deb

    3. Start the engine by running one of the following commands:

      Machine Type

      Start Command

      RHEL (RPM)

      sudo systemctl start d1

      Ubuntu (DEB)

      sudo service d1 restart

  4. For Zip installation on CentOS 7.x or Amazon Linux 2, run the following commands:

    1. Create the engine folder.

      mkdir /usr/local/demisto

    2. Unzip the engine files to the folder created in the previous step.

      unzip ./ -d /usr/local/demisto

    3. Allow the process to bind to low numbered ports.

      setcap CAP_NET_BIND_SERVICE=+eip /usr/local/demisto/d1_linux_amd64

    4. Change the owner of /usr/local/demisto to the demisto user.

      chown -R demisto:demisto /usr/local/demisto

    5. In /etc/systemd/system edit the d1.service file las follows (adjust the directory and the name of the binaries file if needed).

      Description=Demisto Engine Service
    6. Give the service execution permissions and change the owner to demisto.

      chmod -x d1.service chown demisto:demisto d1.service

    7. Run the engine process.

      systemctl start d1

    8. Verify that the engine is running.

      systemctl status d1

  5. Verify that the engine you created is connected.

    1. Select SettingsConfigurationsData BrokerEngines.

    2. Locate your engine on the Engines page and check that it is connected.

  6. When the engine is connected, you can add the engine to a load-balancing group by clicking Load-Balancing Group on the Engines page.

    If you want to add the engine to a new group, click Add to new group from the list.

    When the engine is in the load-balancing group, it cannot be used as an individual engine and does not appear when configuring an engine from the list.

  7. (Optional) After installing the engine, you may want to set up a proxy, set up Docker hardening, configure the number of workers for the engine, or perform other related engine configurations. For more information, see the Configure Engines section. You can also configure an integration instance to run on the engine you created.


If the installer fails to start due to a permissions issue, even if running as root, add one of the following two arguments when running the installer:

  • --target <path> - Extracts the installer files into the specified custom path.

  • --keep - Extracts the installer files into the current working directory (without cleaning at the end).

If using installer options such as -- -tools=false, the option should come after the --target or --keep arguments. For example:

sudo ./ --target /some/temp/dir -- -tools=false