Content Dependencies and Propagation - Multi-Tenant Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Multi-Tenant Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-04-17
Last date published
2024-07-02
Category
Multi-Tenant Guide
Solution
Cloud
Abstract

Understand how content that is dependent on other content is propagated to tenants.

To ensure the proper execution of content and overall system stability, content dependencies are propagated to child tenants together with parent content, irrespective of their propagation labels. Such dependencies appear during the sync process even if their propagation labels don’t match that of the tenant, as long as the labels of the parent content do match the tenants.

There are multiple layers of dependency relationships in Cortex XSOAR. For example, a classifier might depend on incidents/indicators, which in turn might depend on layouts, which in turn might depend on fields, which in turn might depend on scripts, and so on.

dependencies-flow-new.png

Note

Content dependencies are calculated recursively, so that if, for example, Playbook A uses Playbook B (dependency), which in turn uses Scripts C and D (dependencies), all of the dependencies (Playbook B and Scripts C and D) will be propagated along with Playbook A.

For a basic example of how content dependencies are propagated, consider the Access Investigation - Generic playbook that contains six scripts.

The scripts are dependencies of the playbook, which needs them to execute properly. You can view playbook dependencies under the Propagation Labels field in the playbook Settings.

Note

For other content items, you can view dependencies in the same location in the relevant settings area.

playbook-dependencies-8.png

The playbook itself has a propagation label of test2, which matches the propagation label of the sample “Dependencies” tenant that it belongs to.

However, the scripts contained within the playbook have a propagation label of test1, which differs from that of the playbook.

script-propagation-label-8.png

Even though the propagation labels of the scripts do not match that of the tenant, they are still be propagated to tenants during the Sync process.

If there is no relevant propagation tag on your content, for example, a script or playbook, but it is a dependency of a package that you do propagate to a tenant, the unlabeled content is still synced to the tenant.