Content Management in Multi-Tenant

Cortex XSOAR Multi-Tenant Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-04-17
Last date published: 2024-07-02
Category: Multi-Tenant Guide
Solution: Cloud
Abstract

Content is pushed from the main tenant to child tenants by applying corresponding propagation labels to content and child tenants.

Content, including integrations, can be configured on the main tenant or on child tenants.

In most cases, if the content applies to all child tenants, it should be configured on the main tenant and pushed to the child tenants. In some cases, you may need to configure an integration on the child tenant level. For example, you might have a situation where only the customer has the information needed to configure a specific integration and they do not want that information stored at the main tenant level. In addition, any integration that fetches incidents or indicators (feeds) must be configured on the child tenant level, since incidents are not stored on the main tenant. If an integration has the same settings for multiple child tenants, you have the option, with selective propagation, to configure the integration on the main tenant level and propagate to specific child tenants.

For a content item to be synced to a child tenant, both the content and the child tenant must have the same propagation label. For more information about propagation labels for content and tenants, including remote repositories, see Content Dependencies and Propagation.

For example, if you want Playbook ABC to sync to Tenant 123, they both need to have the same propagation label, such as Premium.

Note

When using a remote repository with a multi-tenant deployment, you must configure the remote repository and set a machine as the development environment before you can view propagation labels.

If a content item, for example a script or playbook, has no relevant propagation label but is a dependency of a package that you do propagate to a tenant, the unlabeled content is still synced to the tenant.

There are several types of propagation labels that you can use for syncing content to a child tenant.

  • All: Content items with the label "all" will be synced to all child tenants, whether or not the child tenants have labels. This is the default label for content items.

  • Custom: You can add custom labels by typing a label name in the Propagation Label field when adding or editing a content item or a child tenant.

  • None: If a content item does not have any labels, it will not be synced to any child tenants. If a child tenant does not have any labels, only content items with the "all" propagation label will sync to it.

Tip

We recommend that you first apply propagation labels to your child tenants and then add the corresponding labels to the content items that you want to sync to the child tenants.

Note

If you sync a content item from the main tenant to a child tenant, and a content item with that same name already exists on the child tenant, the content on the child tenant is overwritten. This applies to integrations, fields, incident types, and Threat Intel report types.
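
The label-matching, dependency, and overwrite rules described above can be modelled offline to review which content would reach which child tenant before labels are applied. The following Python is an added example, not Palo Alto Networks code, and it does not call any Cortex XSOAR API. The class and function names are hypothetical, labels are compared as exact strings, and dependencies are followed transitively; both of those behaviours are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class Content:
    name: str
    kind: str                                             # "playbook", "integration", ...
    labels: set = field(default_factory=lambda: {"all"})  # "all" is the default label
    depends_on: set = field(default_factory=set)          # names of content this item needs

@dataclass
class Tenant:
    name: str
    labels: set = field(default_factory=set)
    existing: set = field(default_factory=set)            # (kind, name) already on the tenant

# Content types the page lists as overwritten on a name collision.
OVERWRITTEN_KINDS = {"integration", "field", "incident type", "threat intel report type"}

def synced_content(items, tenant):
    """Names of the items that would sync from the main tenant to `tenant`."""
    by_name = {c.name: c for c in items}
    # Direct match: the "all" label, or at least one label shared with the tenant.
    synced = {c.name for c in items if "all" in c.labels or c.labels & tenant.labels}
    # Dependencies of propagated content follow it even when they carry no label
    # (followed transitively here, which is an assumption of this model).
    queue = list(synced)
    while queue:
        for dep in by_name[queue.pop()].depends_on:
            if dep in by_name and dep not in synced:
                synced.add(dep)
                queue.append(dep)
    return synced

def overwrites(items, tenant):
    """Synced items that would replace same-named content already on the tenant."""
    names = synced_content(items, tenant)
    return {(c.kind, c.name) for c in items
            if c.name in names and c.kind in OVERWRITTEN_KINDS
            and (c.kind, c.name) in tenant.existing}

# Constructed sample data; "Playbook ABC", "Tenant 123" and "Premium" come from the page.
ITEMS = [
    Content("Playbook ABC", "playbook", {"Premium"}, {"Helper Script"}),
    Content("Helper Script", "script", set()),            # unlabeled dependency
    Content("Mail Sender", "integration"),                # default label "all"
    Content("Internal Only", "playbook", set()),          # no labels: never synced
]
TENANT_123 = Tenant("Tenant 123", {"Premium"}, {("integration", "Mail Sender")})
TENANT_456 = Tenant("Tenant 456")                         # no labels

if __name__ == "__main__":
    for t in (TENANT_123, TENANT_456):
        print(t.name, sorted(synced_content(ITEMS, t)), sorted(overwrites(ITEMS, t)))
```

Running the model against an export of your own labels shows unlabeled dependencies that ride along with a labelled item and tenant-local integrations that a sync would replace.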