Manage Content Overview

Cortex XSOAR Multi-Tenant Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-29
Last date published: 2023-02-09
End_of_Life: EoL
Category: Multi-Tenant Guide

Content, including integrations, can be configured on the main account or on tenant accounts.

In most cases, if the content applies to all tenants, it should be configured on the main account and pushed to the tenants. In some cases, you may need to configure an integration on the tenant level. For example, you might have a situation where only the customer has the information needed to configure a specific integration and they do not want that information stored at the main account level. In addition, any integration that fetches incidents or indicators (feeds) must be configured on the tenant level, since incidents are not stored on the main account. If an integration has the same settings for multiple tenants, you have the option, with selective propagation, to configure the integration on the main account level and propagate to specific tenants.

In order for a content item to be synced to a tenant account, both the content and tenant account must have the same propagation label.

For example, if you want Playbook ABC to sync to Tenant 123, they both need to have the same propagation label, such as Premium.

Note

When using a remote repository with a multi-tenant deployment, you must configure the remote repository and set a machine as the development environment before you can view propagation labels.

Note

As of version 6.0, content that has no relevant propagation label (for example, a script or playbook) is still synced to a tenant if it is a dependency of a package that you propagate to that tenant.

There are several types of propagation labels that you can use for syncing content to tenant accounts.

  • All: Content items with the label all will be synced to all tenants, whether or not the tenants have labels. This is the default label for content items.

  • Custom: You can add custom labels by typing a label name in the Propagation Label field when adding or editing a content item or a tenant.

  • None: If a content item does not have any labels, it will not be synced to any tenants. If a tenant does not have any labels, only content items with the all propagation label will sync to it.

Tip

We recommend that you first apply propagation labels to your tenant accounts and then add the corresponding labels to the content items that you want to sync to the tenants.

Note

If you sync a content item from the main account to a tenant account, and a content item with that same name already exists on the tenant account, the content on the tenant account will be overwritten. This applies to integrations, fields, incident types, and Threat Intel report types.

Note

To remove propagation labels, use the API call DELETE /propagationlabels/<label-name>.
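The label rules above (All, Custom, None, the dependency exception, and the overwrite-on-same-name behavior) can be modeled to audit which tenants receive which content before you push. This is an added example, not Cortex XSOAR code: the inventory structure, the `label_match` and `plan_sync` helpers, exact-match comparison of labels, and transitive dependency following are assumptions, and every name other than Playbook ABC, Tenant 123 and Premium is constructed.

```python
# Added example: a model of the propagation-label rules on this page,
# not Cortex XSOAR code. Inventory data below is constructed.
ALL = "all"  # label that syncs a content item to every tenant
# Content types the page says are overwritten on a name clash.
OVERWRITE_TYPES = {"integration", "field", "incident type",
                   "threat intel report type"}

def label_match(content_labels, tenant_labels):
    """Apply the All / Custom / None rules to one content item and one tenant."""
    content = set(content_labels)
    if not content:                      # None: unlabeled content is not synced
        return False
    return ALL in content or bool(content & set(tenant_labels))

def plan_sync(content, tenant):
    """Return (names synced to the tenant, names that overwrite tenant content)."""
    synced = {n for n, c in content.items()
              if label_match(c["labels"], tenant["labels"])}
    queue = list(synced)
    while queue:  # assumption: dependencies are followed transitively
        for dep in content[queue.pop()]["deps"]:
            if dep in content and dep not in synced:
                synced.add(dep)          # unlabeled dependency still syncs
                queue.append(dep)
    clashes = {n for n in synced if content[n]["type"] in OVERWRITE_TYPES
               and n in tenant["existing"]}
    return synced, clashes

CONTENT = {  # constructed main-account inventory
    "Playbook ABC": {"type": "playbook", "labels": ["Premium"],
                     "deps": ["EnrichScript"]},
    "EnrichScript": {"type": "script", "labels": [], "deps": []},
    "Baseline Fields": {"type": "field", "labels": ["all"], "deps": []},
    "Mail Integration": {"type": "integration", "labels": ["Premium"], "deps": []},
    "Draft Playbook": {"type": "playbook", "labels": [], "deps": []},
}
TENANTS = {  # constructed tenants; "existing" = names already on the tenant
    "Tenant 123": {"labels": ["Premium"], "existing": {"Mail Integration"}},
    "Tenant 456": {"labels": [], "existing": {"Baseline Fields"}},
}

if __name__ == "__main__":
    for name, tenant in TENANTS.items():
        synced, clashes = plan_sync(CONTENT, tenant)
        print(name, "receives", sorted(synced), "overwrites", sorted(clashes))
```

Reviewing the clash set per tenant before a push shows which tenant-side integrations, fields, incident types, or Threat Intel report types would be replaced by main-account content.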