02-05-2025 11:00 AM - edited 02-06-2025 10:00 AM
Cortex XSOAR customers love to customize their instances. If a customer decides to customize an integration, they may find the assigned docker image is not configured to handle the additional actions. In events such as these, you may need to consider creating a custom docker image. Before going down this road, however, you do have some considerations to make. First, you should review the XSOAR image repository and confirm there are no existing images available that meet your needs.
Figure 1: xsoar-image-repository_PaloAltoNetworks
Secondly, a missing feature can often be remediated by our content team via a feature request made on our Aha! Portal. It is a good idea to check the Aha! Portal and see if a request already exists for the missing feature (you can upvote existing feature requests to assist in getting them prioritized). If you decide you need to create a custom image, remember that it is not a piece of content that will be supported by Palo Alto Networks; you will be responsible for maintaining it.
If you have experience creating custom docker images in XSOAR 6, you may have tried to create a new custom image following the previous version’s process. In XSOAR 8, the /docker_image_create command is no longer available. To use custom docker images in XSOAR 8, you will need a separate image repository to store them.
Figure 2: xsoar6-docker-image-create_PaloAltoNetworks
The default Docker images used for XSOAR are available on the Demisto Docker hub. This is a good place to start if you only have to make a slight change to an existing image rather than creating a whole new one. You can simply download the needed image from the Demisto Docker hub.
Figure 3: demisto-docker-hub_PaloAltoNetworks
If you downloaded a copy of a Docker image from the Demisto Docker hub, use your preferred customization tool to edit the image. Remember, you can always make changes to the image later during testing.
Unlike with XSOAR 6, your custom images can no longer be stored on your XSOAR instance. You will need to use either an on-prem or cloud-based image repository. You should check with your organization and confirm if there are approved private image repositories you should use or other policies you will need to follow in order to use an image repository.
Before configuring the private docker image settings on your XSOAR instance, you should decide if you need to use an engine. For example, if your image repository is located in your company’s data center, you may want to limit access to only internal IP addresses, such as those of your engines.
Another consideration is the amount of resources your image requires. While processes are containerized in XSOAR 8 SaaS, you may want to have more control over the specific resources available to run your image.
The official steps to configure your image to connect to your image repository are in the Cortex XSOAR Cloud Documentation. This is a living document and is updated to reflect any system changes/updates. Follow the steps outlined in the document.
Make sure to perform the optional Search for or pull a Docker image (step 3) items. It is important to confirm your engine can reach your repository and see your custom image(s). This will help reduce your troubleshooting efforts if you encounter a problem with pulling your image after you have configured your tenant to use your image repository.
If you use, or intend to use, a load balancing group for your engines, make sure to perform this check on all of the engines located in the group.
Additional steps may be required to allow your engine(s) or XSOAR 8 instance to connect to your image repository. Check with your GitHub admin/team and/or networking admin/team to confirm your engine(s) or XSOAR 8 instance will not be blocked by network security tools, rules, or other settings.
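A pre-flight script for the reachability check described above, to run on each engine in a group. This is an added example, not part of the original post or of the documented XSOAR procedure. It assumes the registry exposes the standard Registry HTTP API v2 over HTTPS and accepts HTTP Basic credentials from `~/.netrc`; the host, repository and tag in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: registry pre-flight check to run on every engine in a group.
# Assumes a Registry HTTP API v2 endpoint over HTTPS; credentials, if needed,
# are read from ~/.netrc (HTTP Basic). All names below are placeholders.

# Translate the HTTP status of GET /v2/ into a troubleshooting verdict.
classify_status() {
    case "$1" in
        200) echo "reachable" ;;
        401) echo "reachable-auth-required" ;;  # network path is open
        403) echo "forbidden" ;;                # registry ACL or a proxy in between
        000) echo "unreachable" ;;              # no HTTP response: DNS, firewall, TLS
        404) echo "not-a-v2-registry" ;;
        *)   echo "unexpected-$1" ;;
    esac
}

# Succeeds if tag $1 appears in a /v2/<repo>/tags/list JSON body on stdin.
tag_listed() {
    tr -d ' \n' | grep -o '"tags":\[[^]]*]' | grep -qF "\"$1\""
}

# $1 = registry host[:port], $2 = repository, $3 = tag
check_registry() {
    # curl prints 000 and exits non-zero when it gets no HTTP response.
    code=$(curl -s --netrc-optional -m 10 -o /dev/null \
                -w '%{http_code}' "https://$1/v2/") || true
    verdict=$(classify_status "${code:-000}")
    echo "$(hostname): $1 -> $verdict"
    [ "$verdict" = "reachable" ] || return 1
    if curl -s --netrc-optional -m 10 "https://$1/v2/$2/tags/list" \
            | tag_listed "$3"; then
        echo "$(hostname): $2:$3 is listed"
    else
        echo "$(hostname): $2:$3 is NOT listed"
        return 1
    fi
}

# Run only when three arguments are given, e.g.:
#   ./check_registry.sh registry.example.internal soc/custom-python3 1.0.0
if [ "$#" -eq 3 ]; then
    check_registry "$1" "$2" "$3"
fi
```

A verdict of `reachable-auth-required` means the network path is open and the remaining work is credentials; `unreachable` or `forbidden` points to the network controls mentioned above.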
Figure 4: xsoar-image-registry-settings_PaloAltoNetworks
The official steps for configuring your tenant to access your image repository are found here. Turn the switch to On, and follow the instructions for either the direct pull or engine pull method. Make sure the correct Connection option is selected.
You can only connect your XSOAR 8 instance to one image registry for custom images (integrations will continue to pull their images from the Demisto image repository). You will also need to specify each image you wish to import. Once the image(s) have been selected, click Save and you are ready to start using your custom images.
There is always a chance that, even if you follow every step to the letter, you may encounter issues with connections or with the chosen image. Below are some items to consider. You can also discuss any issues with your Customer Success team, if you have one available.
Brad Semma is a Senior Customer Success Architect for Cortex XSOAR. Prior to joining Palo Alto Networks, Brad managed SOC and Incident Response teams in the healthcare and financial industries and has experience in Cybersecurity and End User Technology engineering.