Content Management in Cortex XSOAR

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.10
Creation date: 2022-10-13
Last date published: 2024-07-11
End_of_Life: EoL
Category: Administrator Guide

Abstract

Cortex XSOAR offers multiple options for developing content, including a remote repository and CI/CD.

There are three options for developing and managing content in Cortex XSOAR.

  • Manual Development

    With a manual development approach, Cortex XSOAR is a self-contained system. Content is developed using an IDE and the built-in playbook editor. The Cortex XSOAR instance serves as the content repository, and content is developed and stored locally. For redundancy, on-prem deployments can have scheduled system backups, and hosted service customers can periodically pull content bundle downloads via the API.

    You have the option of deploying separate development and production environments. Content can be manually exported between them using the UI or the demisto-sdk download and upload commands.

  • Remote Repository

    The remote repository function built into Cortex XSOAR allows you to sync content between development and production machines using a Git repository. You develop and test all of your content on the development machine. When content is ready to be deployed from the development environment to the production environment, you select each item in the Remote Repository tab. The content files are pushed in the unified YAML format, the same format used when exporting and importing files directly from the UI. The Git repository can have either a single branch or a pre-release branch and a release branch. Code cannot be pushed directly to the Git repository from any source or client other than the development Cortex XSOAR instance.

    Unified YAML files are single YAML files that contain the content metadata. In the case of integrations and automations, the YAML files also contain the code as a string assigned to a YAML field. The YAML format is compact and self-contained.

    When content is pushed as a unified YAML file from the development instance to a single-branch Git repository, it becomes available to the production instance as a content update. You can introduce a second branch, which lets you review the pushed content and run a CI/CD pipeline on the unified files before merging into the main branch assigned to the production instance.

    If you regularly develop your own content, the remote repository feature provides advantages over standalone development. Content can be reviewed and verified before being pushed to production. Git commits are used for each release and can therefore be audited.

  • Cortex XSOAR CI/CD

    The XSOAR CI/CD content pack provides a more advanced option for content management. With the CI/CD content pack, you can handle complex content development and management using the full functionality of a Git repository. Instead of building and maintaining code on a Cortex XSOAR development environment, you can build content from your own repository, use your own build servers, and use third-party tools (such as CircleCI, Jenkins, etc.). You can also use version control, undertake code reviews, run linting and validation, use automatic testing, and run tests on development machines.

    Content from a development instance is pushed to a Git repository. A CI/CD process runs to generate the required pack artifacts which are then uploaded to an artifact repository. These artifacts are deployed into Cortex XSOAR instances by running the Configuration Setup playbook.

    The Cortex XSOAR CI/CD content pack is designed for more advanced users who have an understanding of CI/CD concepts and have a number of developers who work on local machines. The remote repository feature in the UI is designed for less complex content development needs and usually works best for one or two developers working on a local machine.

    CI/CD provides several advantages over the standard remote repository feature. Developers can work on different branches, enabling options such as code reviews and pull requests. You can also use tools such as CircleCI and Jenkins, and run automated testing.
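
Because a unified YAML file carries integration or automation code as a string inside a YAML field, a pre-merge pipeline on the review branch has to extract that string before it can check it. The following is an added example of such a check, not Palo Alto Networks code; the field layout (`script` for automations, `script.script` for integrations), the `RISKY_CALLS` list, the sample file and the use of PyYAML are assumptions.

```python
import ast

# Constructed sample, not from the page. Assumed layout: automations keep the
# code in top-level `script`; integrations nest it under `script.script`.
SAMPLE_AUTOMATION = """\
name: ExamplePing
type: python
script: |
  import os
  def main():
      os.system("ping " + demisto.args()["host"])
      return eval(demisto.args()["expr"])
"""

RISKY_CALLS = {"eval", "exec", "os.system", "subprocess.Popen"}  # illustrative

def load_unified(text):
    import yaml  # PyYAML, imported lazily; the checks below take parsed dicts
    return yaml.safe_load(text)

def embedded_code(doc):
    """Return (language, source) from a parsed unified YAML document."""
    script = doc.get("script")
    if isinstance(script, dict):           # assumed integration layout
        return script.get("type"), script.get("script") or ""
    return doc.get("type"), script or ""   # assumed automation layout

def call_name(node):
    """Dotted name of a call target such as os.system, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def review_findings(doc):
    """Findings that should block the merge into the production branch."""
    lang, source = embedded_code(doc)
    if lang != "python":
        return []                          # only Python is checked here
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: embedded code does not parse"]
    return [f"line {n.lineno}: call to {call_name(n.func)}" for n in ast.walk(tree)
            if isinstance(n, ast.Call) and call_name(n.func) in RISKY_CALLS]

if __name__ == "__main__":
    print("\n".join(review_findings(load_unified(SAMPLE_AUTOMATION))))
```

A non-empty result would fail the pipeline job, so the pushed file stays on the review branch until a reviewer has looked at the flagged lines.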


CI/CD Process and Remote Repository UI Comparison

| Capability | CI/CD | Remote Repository |
|---|---|---|
| Development over non production environments | ✓ | ✓ |
| Control content deployment into production environments | ✓ | ✓ |
| Work with Cortex XSOAR UI | X | ✓ |
| Multiple branch development | ✓ | X |
| Support code review and validation process | ✓ | X |
| Support stage environment | ✓ | X |
| Support unit testing and playbook testing | ✓ | X |
| Maintain custom packs version control and rollbacks | ✓ | X |
| Develop, maintain and deploy custom content in content pack structure | ✓ | X |