The script development process varies according to whether it is for playbook automations, content packs and integrations, remote applications, or webhook applications.
Playbook Automation Scripts
Scripts for automating playbook tasks are the most common script type created in Cortex XSOAR and can be developed within the Cortex XSOAR console IDE. The high-level steps are:
Review the Demisto class functions.
Review the Common Server Python functions.
Review the Common Scripts.
Author automations in the Cortex XSOAR console IDE.
Execute automations in the Cortex XSOAR playground to test.
Configure automations as playbook tasks and test with playbook debugger.
Fully test the playbook with real incident data, since not all functions execute identically in the playground or debugger.
For additional customization, implement these automations as needed:
Configure automations as field display scripts.
Configure automations as field change triggered scripts.
Configure dynamic section scripts.
Configure widget-based scripts.
Configure post-processing scripts.
Configure filters.
Configure transformers.
If an automation needs to use the Cortex XSOAR REST API, in the Cortex XSOAR console:
Create an API key.
Enable the REST integration instance.
Content Packs and Integrations
You can develop integrations for internal use within the Cortex XSOAR console IDE. If you want to publish content packs with integrations to the Marketplace, you can configure a Cortex XSOAR development environment with Visual Studio Code.
Review the Cortex XSOAR development site Welcome for guidance on developing integrations.
In the Cortex XSOAR console:
Create an API key.
Enable the REST integration instance.
Review the Demisto Class functions.
Review the Common Server Python functions.
If not publishing content packs to the Marketplace or for a simple development environment using the Cortex XSOAR console IDE:
In the Cortex XSOAR console under +, click the +BYOI button and create the integration code.
It uses a copy of the HelloWorld integration as a starting point.
To debug non-Cortex XSOAR python code if needed:
Copy the integration code to a preferred Python IDE.
Stub or mock demisto() calls for test and debug.
Copy the code back to the Cortex XSOAR console IDE.
To publish to Marketplace, perform extensive integration development, or if you prefer a full development environment:
Create a Cortex XSOAR content repository in GitHub.
Install Visual Studio Code.
An example process in the Visual Studio Code XSOAR Extension illustrates configuring Visual Studio Code with the Cortex XSOAR extension and the Demisto SDK.
Create and test the integration. Stub or mock demisto() calls for testing and debugging within Visual Studio Code.
From Cortex XSOAR 6.5 and later, there is a CI/CD process based on the Demisto SDK for heavy development.
Remote Applications
You can create scripts for remote automations not running under Cortex XSOAR that use the Demisto Python Client and HTTPS requests to the Cortex XSOAR REST API.
In the Cortex XSOAR console, create an API key.
In the development system:
Install Python.
Install the preferred Python development environment
Install the Demisto Python client.
Create and test the application.
Webhook Applications
Webhook applications remotely create incidents by posting HTTPS requests to a webhook configured on the Cortex XSOAR server.
In the Cortex XSOAR console:
In the Marketplace, install the Generic Webhooks content pack.
Configure the webhook integration instance.
In the development system:
Install Python.
Install the preferred development environment.
Create and test the webhook application.