Content management in Cortex XSOAR

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem
Abstract

Overview of how remote repositories work and how to configure a remote repository in Cortex XSOAR.

You can develop and manage content in Cortex XSOAR manually within the production tenant, using a CI/CD pipeline, or between development and production tenants using a remote repository.

Manual content management

Cortex XSOAR is a self-contained system. The Cortex XSOAR tenant serves as the content repository; content is developed using an IDE and stored locally.

If you only use a standalone tenant (with no development tenant), you can develop and manage content manually. You can save content versions and manage revisions locally for scripts, playbooks, integrations, etc. using the Save Version button. For all other content types, changes are automatically saved locally. You can also manage content by importing/exporting it in Cortex XSOAR.

CI/CD for Cortex XSOAR

CI/CD pipelines are implemented using the XSOAR CI/CD content pack, which enables complete autonomy for developing, staging, and deploying custom content. This feature is intended for more advanced users who have an understanding of CI/CD concepts, with multiple developers working on different branches on their local machines.

Instead of building and maintaining code in a Cortex XSOAR development environment, you can build content from your private repository, and utilize third-party tools such as CircleCI and Jenkins. You can also use version control, perform code reviews, do linting and validations, use automatic testing, and run tests on development machines.

Content from a development instance is pushed to a Git repository. A CI/CD process runs to generate the required pack artifacts which are then uploaded to an artifact repository. These artifacts are deployed into Cortex XSOAR instances by running the Configuration Setup playbook.

For the complete CI/CD process flow, see XSOAR CI/CD.

Content management using a remote repository

In Cortex XSOAR you can use a content management system with a private remote repository to develop and test content.

The development tenant pushes content to a remote repository and the production tenant or additional development tenants pull content from the remote repository.

If, after setting up the remote repository feature, you later decide to revert a tenant to standalone, go to Settings & Info > Settings > Advanced > Content Repository and toggle the Content repository slider to off. If you disable the remote repository feature, content on the tenant is not deleted. If you enable the remote repository feature again and the remote repository contains content, you need to choose which content to keep, either the content on the tenant or the content on the remote repository. We recommend backing up any content that you want to keep before enabling the feature again.

The development tenant

The development tenant provides a safe environment to develop and test the functionality of custom content before using it in a production environment.

Note

Development tenants are not intended for performance checks.

After you develop your content, if you want it to be available as part of a content update for the production tenant or additional development tenants, you must push content from a development tenant.

The production tenant

The production tenant is the operational environment for investigating real data. It pulls content as updates that you can install after the development tenant pushes it to the remote repository. For more information, see Install content on a production tenant.

Push and pull content between tenants

In a system with a single production tenant and several development tenants, only one development tenant can push content. The production tenant and any other development tenants pull from the one development tenant that is configured to push content. For example, you can have an additional development tenant for testing that pulls content from the development tenant configured to create and edit content.

All system content, content updates, and custom (user-defined) content are managed (downloaded, installed, edited, created, and updated) only in the development tenant that pushes content. For example, system content updates from Marketplace are only delivered to the development tenant that is configured to push. You cannot create or edit content in a production tenant or additional development tenant, because they are configured only to pull content (except for dashboards and lists).

When pushing content from the development tenant, the content is synchronized and pulled into the production or other development tenants as content updates. For more information, see Push content from a development tenant.

You can decide which updates you want to push from the development tenant to pull tenants through the remote repository.