This guide will provide you with some pointers to jumpstart your development journey. After reading it, you’ll have a great background for creating content and integrations for the Demisto platform.
Prerequisites to start development
Please make sure you have completed the following before proceeding:
- Python 3.x programming experience (intermediate level)
- A copy of the Demisto Platform (if you are not a Partner, you can obtain the Community Edition here
- Access to our Support Portal
- Access to the Demisto DFIR Slack Community and join the #demisto-integrations-help channel
- API or SDK access to your product or solution.
If you are a Technology Partner, make sure that you also:
- Read the Become a Technology Partner page and sign up
- Complete the Technical Partnership Agreement
- Work with your Business Development contacts to make sure your use cases has been validated
If you have trouble with any of these items, please contact us via Slack or email.
Setting up & installing Demisto
Note: Requires Support Center login access.
If you need to install Demisto, please read the following Support Center article:Installing Demisto
Learning the Demisto platform
The platform comes with a rich set of features and functionality that allow for a high degree of customization, so we recommend that you familiarize yourself with the different aspects of the platform as listed below.
Note: Requires Support Center login access
- The Demisto CLI - Think of this like an operating system CLI that is built into the product, and connects to every tool that you need. It allows the user to test and run integration commands, run automations, and more.
- Incidents - From third party systems, email, etc., or created manually. Its the combination of a ticket and real time data.
- Integrations - Product integrations (or apps) are mechanisms through which security orchestration platforms communicate with other products. These integrations can be executed through REST APIs, webhooks, and other techniques. An integration can be unidirectional or bidirectional, with the latter allowing both products to execute cross-console actions.
- Playbooks - Playbooks (or runbooks) are task-based graphical workflows that help visualize processes across security products. These playbooks can be fully automated, fully manual, or anywhere in between.
- Automations - Single purpose automations that generally manipulate data in the system, or used to wrap multiple integrations, or develop single purpose tools that are not complete products. Maybe you have some library that is not a full product that you want to utilize, automations are a good use for this.
- Playground - The place you go in order to test integration commands, automations, and other tools from the Demisto CLI.
- The Demisto Context - All of the above are tied together by way of something called the Demisto Context. Every incident and playbook has a place to store data called the Context. The context stores the results from every integration command and every automation script that is run. It is a JSON storage for each incident. Whether you run an integration command from the CLI or from a playbook task, the output result is stored into the JSON context in the incident or the playground. Simply put, if you have a command like
!whois query="cnn.com"it would return the data and store the results into the context.
- Indicators - Indicators are any type of data that you want to match using regular expressions, or add to the system. Indicators can be assigned certain integration commands, and automations in order to determine reputation, take action, enrich, the list goes on here.
- Try the product walkthroughs. You can access these by clicking the ‘Ask DBot’ icon on the bottom-right of the Demisto console screen.
Please read the following guidelines. Following these guidelines will maximize the chances for a fast, easy and effective review process for everyone involved. If something is not clear, please don't hesitate to reach out to us via GitHub, Slack, or email
- Setup a development environment by following the Dev Setup Guide.
- Use the Package Directory Structure for all Python code. If working on existing code, beyond trivial changes, we require converting to this structure as it allows running linting, unit tests and provides a clearer review process.
- Make sure to read and follow code conventions.
- Run and verify that the various linters we support pass as detailed here.
- For Scripts/Integrations written in Python, make sure to create unit tests as documented here
- Create a test playbook as documented here. Note: for simple Scripts that have unit tests, a test playbook is optional.
- Validate that our validation hooks pass. If you used
.hooks/bootstrapas documented in the Dev Setup Guide the validation hook will run automatically upon commit. You can also run the validation hooks manually by running
- Document your integration as detailed here.
- Document your changes in the relevant changelog file as detailed here
At this point you should be ready to submit a Pull Request! For more details, refer to our Contributing page.
Note: if you are a technology partner, make sure you have reviewed the use cases with your Business Development contacts and that you have a Partner ID to associate your Pull Request to.