Demisto Platform - Content Repository
This repo contains content provided by Demisto to automate and orchestrate your Security Operations. Here we will share our ever-growing list of playbooks, automation scripts, report templates and other useful content.
We security folks love to tinker, keep enhancing and sharpening our toolset and we decided to open up everything and make it a collaborative process for the entire security community. We want to create useful knowledge and build flexible, customizable tools, sharing them with each other as we go along.
We invite you to use the playbooks and scripts, modify them to suit your needs and see what works for you, get involved in the community discussion and of course remember to give back and contribute so that others can enjoy and learn from your hard work and build upon it to enhance it even further.
The Demisto Platform includes a visual playbook editor - you can add and modify tasks, create control flow according to answers returned by your queries, and automate everything with your existing security tools, services and products. You can also export your work to a file in the COPS format, and import playbooks shared by your peers who have done the same.
We will be releasing more and more playbooks for interesting scenarios, so stay tuned. If you are working on an interesting playbook of your own, feel free to send us a Pull Request and let's build it together.
The spec for our open playbook format, COPS, can be found here.
You can take your logic and the way you want to work and write your own scripts, allowing for maximum flexibility. The services and products you use can be online Cloud-based or on-premises setups, and we have tools to support more complex topologies such as when the product's subnet is firewalled off.
Creating an Integration
Let's look at Demisto and get started on your first integration.
The Demisto Code Conventions will help you understand how we format our Integrations and some of the tips and tricks we have developed over the years.
Context and Outputs
The Demisto platform relies heavily on collecting data from various endpoints (integrations) and creating a "Context" for them. This allows customers to be able to use the data to perform various tasks they may need to accomplish.
When we are working with data that is generic across all platforms, we format them according to our context standards. This helps integrations work interchangeably inside other playbooks.
In some cases, it will be necessary to create a docker image to enable your integration to run. When this happens, we must create a new docker image using the steps outlined here:
Demisto Platform support flexible reports written in JSON. All of our standard reports calculating various incident statistics and metrics are stored in this repo.
For instructions about adding/modifying playbooks and scripts please see our contributor guide.
For information about content release notes conventions, refer to our release notes documentation.
Copy the pre-commit hook from .hooks to .git/hooks. Run the following command from the repository root:
cp .hooks/* .git/hooks
|Tutorial Video||A step-by-step introduction to creating an integration|
|Getting Started||A brief explanation of the Demisto IDE|
|Code Conventions||Our Code Conventions|
|Context and Outputs||Brief overview of Context and Outputs|
|Context Conventions||Conventions for the Demisto Standard Context|
|Contributing||How to contribute to the Content Repo|
|Creating Playbooks||How to create a Playbook|
|DBot Score||How the DBot Score works|
|Demisto Transform Language (DT)||Understanding Demisto Transform Language (DT)|
|Docker||How to use Docker|
|Fetching Incidents||How to Fetch Incidents|
|Fetching Credentials||How to Fetch Credentials|
|Integration Documentation||How to generate documentation for an integration|
|YAML File||Explanation of the Demisto YAML structure|
|Integration Parameter Types||Description of the various integration parameter types|