For better separation between Content artifacts from different use cases and Partners we use a directory structure called
Content Packs. Each
Content Pack behaves like a mini content repo. It contains all relevant content items within its directory.
For instance a pack for CortexXDR will look as can be seen in the Content Repository Packs/CortexXDR.
To generate a new pack make sure to use:
demisto-sdk init --pack. Detailed command instructions are available here.
Note: The Content repo is going through a transition phase to move all content into packs. During this phase you will see some Content artifacts are still not maintained within Packs. All new Content should be maintained via Packs.
All the directories within the pack are the representation of all the possible entities possible in Content. And the pack will be located in the Content repo under
The pack directory contains numerous configuration files used for metadata and documentation.
Please note that all of the following files will be created using the
demisto-sdk init --pack, and some of them
will have to be filled by you. An explanation for each of them will be provided below.
This file contains all the relevant metadata about the pack.
The following fields are populated in the pack metadata:
|Field Name||Field Type||Field Description|
|name||String||The pack name. Usually it's the name of the integration the pack contains (e.g. CortexXDR) or the use-case implemented in it.|
|description||String||A short overview of the pack.|
|support||String||Should be one of the following:|
1. xsoar - Supported by Cortex XSOAR.
2. partner - Supported by a Cortex XSOAR partner.
3. developer - Supported by an independent developer/organization.
4. community - Not officialy supported, but available for the community to use.
|currentVersion||String||The pack version, in the format of |
|author||String||The name of the organization / developer which developed the integration.|
|url||String||The URL to which users should refer to in case of support needed regarding the pack. Usually is the organization support URL or the developer GitHub repository.|
|String||The email address to which users should reach out to in case of support needed regarding the pack.|
|categories||List||The use-case categories which are implemented in the pack. Usually set by the integration, which included in the pack category. Should be one of the following:|
1. Analytics & SIEM
5. Network Security
6. Vulnerability Management
7. Case Management
8. Forensics & Malware Analysis
9. IT Services
10. Data Enrichment & Threat Intelligence
14. Email Gateway
|tags||List||Tags to be attached to the pack on Cortex XSOAR marketplace.|
|created||String||Pack creation time in ISO 8601 format - YYYY-MM-DDTHH:mm:ssZ, e.g. 2020-01-25T10:00:00Z|
|useCases||List||Use-cases implemented by the pack.|
|keywords||List||List of strings by which the pack can be found in Cortex XSOAR marketplace.|
|dependencies||Dictionary||(Optional) An object that describes the content packs that the pack is dependant on. Should be kept empty on pack creation, as it is calculated by Cortex XSOAR content infrastructure.|
|displayedImages||List||(Optional) Images to be displayed in Cortex XSOAR marketplace. Should be kept empty on pack creation, as it is calculated by Cortex XSOAR content infrastructure.|
|githubUser||List||(Optional) List of Github usernames to receive notification in the PR in case pack files were modified.|
|certification||String||(Optional) If the pack is certifed the value of this fields should be "certified"|
Pack metadata contents for example:
A supported partner pack metadata contents for example:
The file contains a general explanation for the pack and you are free to add any information relevant for the pack. For more details refer to the Pack Documentation page.
This file will be used while running the
demisto-sdk secrets(explanation), we will determine the file and will
use it as a white list of approved words for your PR.
Note: We use
demisto-sdk secrets as part of our pre-commit hook to check that possible secrets in the PR aren't exposed to a public repository.