Set up a built-in remote repository - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-04
Category
Administrator Guide
Solution
Cloud
Abstract

Set up the built-in content repository feature for production and development tenants.

The following are typical scenarios for setting up a built-in remote repository for the production and one or more development tenants.

New development tenant and new or existing production tenant

By default, when you activate the Cortex XSOAR tenant, it is a standalone tenant. To set up the remote repository, you need to enable the content repository in the production tenant (as a pull tenant) and activate the development tenant.

Note

It doesn't matter if you activate a new development tenant in Cortex Gateway before enabling the built-in repository in the production tenant.

Once enabled, the first development tenant becomes the push tenant and any additional tenants become pull tenants.

  1. In the production tenant, go to Settings & InfoSettingsAdvancedContent Repository and toggle the Content repository slider to enable the content repository.

    When set to On, the sync direction is Pull.

  2. In the Repository type field, select Built-in, and save the settings.

  1. In Cortex Gateway , locate the Cortex XSOAR production tenant where you enabled the built-in repository in task 1.

  2. Hover over the Cortex XSOAR tenant and click Activate Dev Tenant.

  3. Define the following fields:

    Name

    Details

    DEV TENANT NAME

    Give the Cortex XSOAR development tenant an easily recognizable name. Choose a name that is 59 or fewer characters and is unique across your company account.

    REGION

    Select the region in which you want to set up the Cortex XSOAR development tenant.

    DEV TENANT SUBDOMAIN

    Give your Cortex XSOAR development instance an easy to recognize name that is used to access the tenant directly using the full URL (https://<subdomain>xsoar.<region>.paloaltonetworks.com).

  4. Select ENABLE CONTENT REPOSITORY.

  5. Accept the terms and conditions and activate the tenant.

  6. Repeat this task to activate any additional development tenants in Cortex Gateway. They will automatically be set to pull.

Existing development and production tenants

In this scenario, the production and development tenants were managed in parallel with different sets of content. Since they were already activated in Cortex Gateway, their content repository settings can only be changed within the tenants.

Note

The first tenant that is enabled pushes its content to the remote repository first. For example, these instructions describe enabling the production tenant first, so the remote repository will initially contain production tenant content. You can enable a development tenant first if you want the remote repository to initially contain the content from the development tenant.

  1. In the production tenant, go to Settings & InfoSettingsAdvancedContent Repository and toggle the Content repository slider to enable the content repository.

    When set to On, the sync direction is Pull.

  2. In the Repository type field, select Built-in, and save the settings.

Once enabled, the first development tenant automatically becomes the push tenant.

  1. In the development tenant, go to Settings & InfoSettingsAdvancedContent Repository and toggle the Content repository slider to enable the content repository.

    When set to On, the sync direction for the first development tenant is Push. The sync direction for any additional development tenants is Pull.

  2. In the Repository type field, select Built-in, and save the settings.

  3. Select which content to keep and which to overwrite. If there are any discrepancies between the development tenant and remote repository (which in this example initially contains the production tenant content after it is enabled), the Specified repository is not empty window opens. Options are:

    • Existing content on your tenant: Keeps the existing content on your tenant and replaces the content on the specified repository. Cortex XSOAR checks if any other tenants are using the remote repository. If yes, this option is disabled. In this example, the remote repository was already enabled in the production tenant, so the remote repository holds production content. If you want to keep the content on the development tenant:

      1. Disable the remote repository in any additional enabled tenants. In this case, for the first development tenant, only the production tenant must be disabled.

      2. Select Existing content on your tenant for this tenant.

      3. Complete synchronization.

      4. Re-enable the remote repository in any additional tenants and select Existing content on the specified repository in each additional tenant.

    • Existing content on the specified repository: Deletes the existing content on your tenant and replaces it with content from the specified repository.

  4. Click Continue.