Intended Audience: Technical Staff, Developers, Content and Integration Authors
This development guide will provide you with some basic information, concepts, and explanations to jumpstart your development journey. After reading it, you’ll have a great background for creating content and integrations for the Demisto platform.
Prerequisites to start development
Note: Please make sure you have completed the following before proceeding. If you have trouble with any of these items, please contact us.
- Read the Get Started page on this site.
- Completed Technical Partnership Agreement
- Python programming experience (you don't need to be an expert)
- A copy of the Demisto Platform
- Login Access to Support Center
- Joined the Demisto Community and added the #demisto-integrations-help channel
- API or SDK access to your product or solution.
Setting up & installing the platform
Note: Requires Support Center login access.
Read the following Support Center article
Key concepts & terminology
The platform comes with a rich set of features and functionality that allow for a high degree of customization, so we recommend that you familiarize yourself with the different aspects of the platform as listed below.
Read about the Architecture Basics
Note: Requires Support Center login access
- The Demisto CLI - Think of this as an operating system CLI that is built into the product and connects to every tool you need. It allows the user to test and run integration commands, run automations, and more.
- Incidents - Created from third party systems, email, etc., or created manually. An incident is the combination of a ticket and real time data.
- Integrations - Product integrations (or apps) are mechanisms through which security orchestration platforms communicate with other products. These integrations can be executed through REST APIs, webhooks, and other techniques. An integration can be unidirectional or bidirectional, with the latter allowing both products to execute cross-console actions.
- Playbooks - Playbooks (or runbooks) are task-based graphical workflows that help visualize processes across security products. These playbooks can be fully automated, fully manual, or anywhere in between.
- Automations - Single purpose automations that generally manipulate data in the system, wrap multiple integrations, or provide single purpose tools that are not complete products. If you have a library that is not a full product but that you still want to use, an automation is a good fit for it.
- Playground - The place you go in order to test integration commands, automations, and other tools from the Demisto CLI.
- The Demisto Context - All of the above are tied together by way of something called the Demisto Context. Every incident and playbook has a place to store data called the Context. The context stores the results from every integration command and every automation script that is run. It is a JSON store for each incident. Whether you run an integration command from the CLI or from a playbook task, the output result is stored into the JSON context of the incident or the playground. Simply put, if you run a command such as !whois query="cnn.com", it returns the data and stores the results into the context.
- Indicators - Indicators are any type of data that you want to match using regular expressions, or add to the system. Indicators can be assigned integration commands and automations in order to determine reputation, take action, enrich, and more.
- Try the product walkthroughs. You can access these by clicking the ‘Ask DBot’ icon on the bottom-right of the Demisto console screen.
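To make the Context concept above concrete, here is an added Python example (written for this guide, not Demisto's own implementation) that models how a command's JSON output is merged into an incident's context. It assumes a simplified version of the output-key convention, where a key such as Domain(val.Name == obj.Name) names a context path plus an optional identity condition, so a second command enriches the existing object instead of appending a duplicate; the whois_command stand-in and its registrar and score values are constructed sample data.

```python
import re
from typing import Any, Dict, Optional, Tuple

# Simplified model of the per-incident JSON context. Output keys take the form
# Path(val.Field == obj.Field); the optional condition names the field that
# identifies an object, so later commands enrich it rather than duplicating it.
KEY_RE = re.compile(r"^(?P<path>[A-Za-z0-9_.]+)(?:\((?P<cond>[^)]*)\))?$")
COND_RE = re.compile(r"val\.(\w+)\s*==\s*obj\.(\w+)")


def parse_key(key: str) -> Tuple[str, Optional[str]]:
    """Split 'Domain(val.Name == obj.Name)' into ('Domain', 'Name')."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"bad context key: {key}")
    id_field = None
    if m.group("cond"):
        c = COND_RE.search(m.group("cond"))
        if c and c.group(1) == c.group(2):
            id_field = c.group(1)
    return m.group("path"), id_field


def merge_entry_context(context: Dict[str, Any], entry_context: Dict[str, Any]) -> Dict[str, Any]:
    """Merge one command's output into the context in place and return it."""
    for key, value in entry_context.items():
        path, id_field = parse_key(key)
        if id_field is None:
            context[path] = value          # no identity condition: last write wins
            continue
        bucket = context.setdefault(path, [])
        if not isinstance(bucket, list):   # promote a lone object to a list
            bucket = context[path] = [bucket]
        for item in (value if isinstance(value, list) else [value]):
            match = next((o for o in bucket if o.get(id_field) == item.get(id_field)), None)
            if match is None:
                bucket.append(dict(item))
            else:
                match.update(item)         # enrich the existing object
    return context


def whois_command(query: str) -> Dict[str, Any]:
    """Hypothetical stand-in for !whois: constructed sample data, no network call."""
    return {"Domain(val.Name == obj.Name)": {"Name": query, "Registrar": "Example Registrar"}}


def run_playground() -> Dict[str, Any]:
    """Run a few commands against an empty context, as the playground would."""
    context: Dict[str, Any] = {}
    merge_entry_context(context, whois_command("cnn.com"))
    # A second (constructed) enrichment for the same domain updates the object in place.
    merge_entry_context(context, {"Domain(val.Name == obj.Name)": {"Name": "cnn.com", "Score": 0}})
    merge_entry_context(context, whois_command("example.com"))
    return context
```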