
Propagation labels problem


L3 Networker

Hi everybody, I am really having a hard time syncing content with tenants because propagation labels aren't working properly for me. To give you an example, I create an xsoarcommunity tenant and set the propagation label to carbon_test so that I can't sync Cortex XDR content with this tenant by mistake. The Palo Alto Networks Cortex XDR - Investigation and Response content pack is already installed and I set its propagation labels to xdr_test and xdr_master. In theory this pack shouldn't be syncable with the tenant I just created. Here is what happens: every single component of the content pack is now syncable.

 


 

Another thing to note is that if I set the propagation label to all, in this case only the content pack is syncable, not every component.

I upgraded from 6.6 to 6.8 just to check if the latest release fixed the issue but unfortunately it didn't.

 

Did I misunderstand how propagation labels work? If not, is there anything I can do to fix this?

5 REPLIES 5

L3 Networker

Hello Enes, I see your issue and agree there must be something more to this. I took a look at our documentation and found this note: 

"As of version 6.0, if there is no relevant propagation tag on your content, for example, a script or playbook, but it is a dependency of a package that you do propagate to a tenant, the unlabeled content is still synced to the tenant." You can find the full article here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.8/Cortex-XSOAR-Multi-Tenant-Guide/Manage-C...

 

Maybe this is the reason why the packages are being synced to the tenants even though they shouldn't. I also took a look at this other article that talks about content dependencies and syncing even when the propagation labels don't match, so please read this one as well: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.8/Cortex-XSOAR-Multi-Tenant-Guide/Content-...

 

Let me know if any of the above fixes your issue or if you need further assistance. 
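The dependency rule quoted in the reply above, as an added example that is not part of the original thread and is not Cortex XSOAR code. It models the rule over a constructed inventory to show which items would reach a tenant and why. The item names, the dictionary layout, treating the "all" label as matching every tenant, and following dependencies transitively are all assumptions.

```python
from collections import deque

def sync_reasons(items, tenant_labels):
    """Return {item_name: reason} for each item the quoted rule would sync.

    items: {name: {"labels": [...], "depends_on": [...]}} (hypothetical layout)
    An item syncs when one of its labels matches the tenant, or when it is a
    dependency of an item that already syncs, whatever its own labels are.
    """
    tenant = set(tenant_labels)
    reasons = {}
    queue = deque()

    # Pass 1: direct label matches ("all" assumed to match every tenant).
    for name, item in items.items():
        labels = set(item["labels"])
        if "all" in labels or labels & tenant:
            reasons[name] = "label match"
            queue.append(name)

    # Pass 2: pull in dependencies of anything that syncs (assumed transitive).
    while queue:
        parent = queue.popleft()
        for dep in items[parent].get("depends_on", []):
            if dep in items and dep not in reasons:
                reasons[dep] = f"dependency of {parent}"
                queue.append(dep)
    return reasons

# Constructed inventory; names are placeholders, labels are the ones in the thread.
ITEMS = {
    "xdr-pack":      {"labels": ["xdr_test", "xdr_master"], "depends_on": ["xdr-playbook"]},
    "xdr-playbook":  {"labels": [], "depends_on": ["shared-script"]},
    "carbon-pack":   {"labels": ["carbon_test"], "depends_on": ["shared-script"]},
    "shared-script": {"labels": ["xdr_test"], "depends_on": []},
}

if __name__ == "__main__":
    for name, why in sync_reasons(ITEMS, ["carbon_test"]).items():
        print(f"{name}: {why}")
```

Under this model an item labelled only for other tenants reaches a carbon_test tenant only when something that does sync depends on it, so listing the reason per item shows which dependency edge to inspect.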

Hi, thank you for your reply. Propagation confusion still triggers on a brand new server. After creation of the multi-tenant server, a content pack, Carbon Black EDR, is installed and a new tenant is created. Even though the propagation labels of the content pack and the tenant do not match, contents still propagate to the tenant.

 

Case 02198447

L3 Networker

> but it is a dependency of a package that you do propagate to a tenant, the unlabeled content is still synced to the tenant

 

In my understanding, and according to the documentation, on a brand new server this should happen only when a built-in component has CB EDR as a dependency, which is unlikely.

 


1- I created a brand new tenant (not synced in the creation process)

2- Removed the propagation label "all" from all the content packs and set a new one just to see how we are dealing with dependencies.

3- Checked playbooks, integrations and automations to see if any playbooks are being propagated with labels.

4- Searched for incident fields that run a display script or run incident field change scripts.

 

I am stuck at this point. According to the screenshot below, the only way a playbook is propagated is if it is a dependency of another playbook or incident type. There is no incident type in the list and none of the playbooks match the tenant's propagation label.

 


L3 Networker

This seems like a bug at the very least; I would recommend you keep the case you have open and work with our team that way.
