
Cortex XSOAR Python Development Quick Start Guide

Product
Cortex XSOAR
Version
6.x
Creation date
2023-03-22
Last date published
2023-08-31
Category
Python Development Quick Start Guide

Visual Studio Code Cortex XSOAR Extension

The Cortex XSOAR extension for Visual Studio Code enables you to design and author scripts and integrations for Cortex XSOAR directly from VSCode. The extension adds a set of commands and a sidebar with Automation and Integration Settings, just like the Settings sidebar in the Cortex XSOAR script editor. When writing code, the extension provides auto-completion of Cortex XSOAR and Python functions. It also provides an easy-to-use set of demisto-sdk commands to format, lint, and validate your packs, and an easy virtual environment setup for Cortex XSOAR integrations and scripts.

These instructions cover configuring Visual Studio Code on Mac OS Big Sur (11.6) and creating a test Cortex XSOAR automation with Python 3.9 with Demisto-SDK 1.5.2 to verify the configuration.

Prerequisites

  • Visual Studio Code installed on Mac

  • GitHub account

  • Cortex XSOAR server installed

Review the following Cortex XSOAR development articles:

Installation and Configuration

  1. In GitHub, create your content repository and personal access token.

    1. Fork the public demisto/content to your repository, <your git user root>/content.

    2. Create a personal access token in GitHub.

  2. In the Mac finder or Terminal shell, create a Python environment.

    1. Install Docker Desktop on Mac using the downloaded .DMG and verify the installation by running the following command.

      docker run --rm hello-world

    2. Install Homebrew from a Terminal shell.

      /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

    3. Install Python 3.9.7 and Pyenv with Homebrew by running the following commands.

      brew update

      brew install pyenv

      pyenv install 3.9.7

    4. Create a Cortex XSOAR content development directory from a Terminal shell (follow Set up Your Dev Environment).

    5. Install virtualenv.

      pip3 install virtualenv

    6. Create a folder on your Mac (in this example, xsoarpython) and change into it by running the following commands.

      mkdir ../xsoarpython

      cd ../xsoarpython

  3. In the Mac Terminal shell, create a local Cortex XSOAR content repository.

    1. Clone your private GitHub Cortex XSOAR content repository to your local system by running the following commands.

      git clone https://github.com/<git user>/content.git

      cd content

      pyenv local 3.9.7

    2. Install the Demisto SDK and update to the latest version by running the following commands.

      .hooks/bootstrap

      source ./venv/bin/activate

      pip3 install --upgrade demisto-sdk

    3. Edit .zshrc (or the RC file of whatever shell you use) and add the following lines.

      export DEMISTO_BASE_URL=https://<xsoar IP or name>:<port>

      export DEMISTO_API_KEY=<XSOAR API Key>

      export DEMISTO_SDK_GITHUB_TOKEN=<token>

      eval "$(pyenv init -)"

  4. On the Mac, in Visual Studio Code, install and configure the extensions.

    1. Install the Cortex XSOAR and Python extensions.

    2. In the Cortex XSOAR Visual Studio Code extension settings, add the configuration:

      xsoar > Demisto-sdk: Python Path /<your path>/xsoarpython/content/venv/bin/python

  5. Restart Visual Studio Code.

    1. Use the Select Interpreter command from the Command Palette and select the pyenv version of python (3.9.7) being used with the content repository.

    2. In the Terminal pane at the bottom, verify the configuration.

    3. Run the command env.

    4. Verify the following values:

      • DEMISTO_BASE_URL

      • DEMISTO_API_KEY

      • DEMISTO_SDK_GITHUB_TOKEN

    5. Execute/debug a simple Python file and verify the pyenv Python version is used in the Terminal pane.

    6. Execute this Cortex XSOAR command from the Demisto SDK in the Terminal pane:

      demisto-sdk run --insecure -q 'ip ip="8.8.8.8"'

    7. Verify the Demisto SDK command succeeds and provides expected output.

Create a Test Automation

  1. On the Mac, create a Test Automation pack and script from the terminal shell by running the following commands.

    cd xsoarpython/content

    source ./venv/bin/activate

    git config --global user.email "<your email name>@<email host>"

    git config --global user.name "<your user name>"

    git checkout -b test_automation

    demisto-sdk init -n TestAutomation

    demisto-sdk init --script --id "My Test Automation" -n TestAutomation -o Packs/TestAutomation/Scripts

  2. From the Cortex XSOAR console IDE and Mac Terminal shell:

    1. Copy CommonServerPython.py from Cortex XSOAR Automations into the Visual Studio Code workspace (content/Packs/TestAutomation/Scripts).

    2. Copy CommonServerUserPython.py from Cortex XSOAR Automations into the Visual Studio Code workspace, or create an empty file if it is not used in Cortex XSOAR.

    3. Copy demistomock.py into the Visual Studio Code workspace (from content/demistomock.py on the master branch of the demisto/content repository on GitHub).

  3. In Visual Studio Code:

    1. Use Open Folder... to open the xsoarpython/content folder created earlier.

    2. Edit TestAutomation.py and create a simple automation.

    3. From the Command Palette, run the XSOAR: Lint command.

    4. Once there are no lint errors, commit the automation to GitHub using the Git:Commit command from the Command Palette or via the Source Control icon from the sidebar.

  4. In GitHub:

    1. Verify the test_automation branch was created.

    2. Verify the TestAutomation.py file is in the branch.
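A minimal TestAutomation.py of the kind step 3 asks for, as an added example rather than code from the guide or from the demisto/content repository. It assumes the three files copied in step 2 (demistomock.py, CommonServerPython.py, CommonServerUserPython.py) sit beside it, which is what makes the imports resolve in VS Code; the script argument name ips, the context path TestAutomation.IP and the classification logic are the example's own choices. The script takes a comma-separated list of addresses, classifies each as public, private, loopback, multicast, reserved or invalid without making any network call, and returns the result to the War Room and to context through CommandResults.

```python
# TestAutomation.py: a minimal Cortex XSOAR automation (added example, not from the guide).
# Argument:  ips  - comma-separated list of IPv4/IPv6 addresses (name chosen for this example)
# Output:    TestAutomation.IP context entries and a War Room table
import ipaddress
from typing import Dict, List

try:
    # These resolve inside Cortex XSOAR, and in VS Code once demistomock.py and
    # CommonServerPython.py have been copied into the workspace as described above.
    import demistomock as demisto  # noqa: F401
    from CommonServerPython import *  # noqa: F401,F403
    from CommonServerUserPython import *  # noqa: F401,F403
except ImportError:
    # Outside XSOAR (e.g. a plain unit test) only the pure functions below are usable;
    # main() relies on the names the star import provides.
    pass


def classify_ip(value: str) -> Dict[str, str]:
    """Classify one address string using the standard library only (no lookups)."""
    value = value.strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        # Keep the raw input so the analyst can see what was rejected.
        return {"Address": value, "Version": "", "Scope": "invalid"}
    if ip.is_loopback:
        scope = "loopback"
    elif ip.is_private:
        scope = "private"
    elif ip.is_multicast:
        scope = "multicast"
    elif ip.is_global:
        scope = "public"
    else:
        scope = "reserved"
    return {"Address": str(ip), "Version": f"IPv{ip.version}", "Scope": scope}


def classify_ips(raw: str) -> List[Dict[str, str]]:
    """Split a comma-separated argument, drop empty items, and classify each address."""
    return [classify_ip(item) for item in raw.split(",") if item.strip()]


def main():
    # demisto.args() returns the script arguments supplied in the War Room or playbook.
    args = demisto.args()
    results = classify_ips(args.get("ips", ""))
    # CommandResults writes both the context output and the human-readable table.
    return_results(CommandResults(
        outputs_prefix="TestAutomation.IP",
        outputs_key_field="Address",
        outputs=results,
        readable_output=tableToMarkdown(
            "IP classification", results, headers=["Address", "Version", "Scope"]),
    ))


# Standard Cortex XSOAR entry-point guard (the server executes scripts under these names).
if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

The classification logic is kept out of main() so it can be unit-tested with plain Python before the script is uploaded; main() only does the XSOAR plumbing. Assuming the script keeps the name TestAutomation from the demisto-sdk init step, it runs from the War Room as `!TestAutomation ips="8.8.8.8,10.0.0.1"`.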

Development Documentation

The following are links to useful documentation resources.

Cortex XSOAR Automation Virtual Tour

Cortex XSOAR Training - Write Your First Automation

Cortex XSOAR Automations

Cortex XSOAR Demisto Class

Cortex XSOAR Common Server Python

Cortex XSOAR Common Scripts Content Pack

Demisto Python Client

Cortex XSOAR Generic Webhook Integration

Cortex XSOAR Custom Filters and Transformers Operators

Cortex XSOAR Post-Processing Scripts

Add a Script in the Incident Layout

Create a Custom Widget Using an Automation Script

Cortex XSOAR Demisto SDK

Cortex XSOAR IDE

Cortex XSOAR Extension for Visual Studio Code

Cortex XSOAR CI/CD

Cortex XSOAR REST API

Cortex XSOAR Logs Overview

Cortex XSOAR Playbook Debugger

Cortex XSOAR Troubleshooting

Third-Party Tools

The following are links to useful tools for developing scripts and troubleshooting specific issues.

Chrome developer tools for capturing HTTPS request/response traffic

Chrome SAML tracer extension

Online SAML decoder

Online base 64 decoder and encoder

JSON lint

Markdown preview

Regex tester

YAML lint

Postman

Epoch converter