{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xsoar-integration-manifest-schema.json",
  "title": "Cortex XSOAR Integration Manifest",
  "description": "Schema for the integration YAML manifest file used by Cortex XSOAR (formerly Demisto) and Cortex XSIAM content packs. The manifest defines the integration identity, configuration parameters, commands, arguments, outputs, and execution runtime settings. Integration packs are published to the Cortex Marketplace and can be developed using the demisto-sdk CLI toolchain. Each integration enables XSOAR playbooks and automation scripts to interact with third-party security products and services.",
  "type": "object",
  "required": ["name", "display", "category", "description", "configuration", "script"],
  "properties": {
    "name": {
      "type": "string",
      "description": "Internal name of the integration used as a unique identifier within the content pack. Must match the filename of the integration Python or JavaScript file and be consistent across all related pack files."
    },
    "display": {
      "type": "string",
      "description": "Human-readable display name shown in the XSOAR UI integration list, War Room context, and Cortex Marketplace listing. Should clearly identify the product or service the integration connects to."
    },
    "category": {
      "type": "string",
      "description": "Integration category used for Cortex Marketplace classification, filtering, and discovery. Determines which Marketplace category page the integration appears under.",
      "enum": [
        "Analytics & SIEM",
        "Authentication & Identity Management",
        "Case Management",
        "Data Enrichment & Threat Intelligence",
        "Database",
        "Deception & Breach Simulation",
        "Email",
        "Endpoint",
        "Forensics & Malware Analysis",
        "IT Services",
        "Messaging and Conferencing",
        "Network Security",
        "Utilities",
        "Vulnerability Management"
      ]
    },
    "description": {
      "type": "string",
      "description": "Short description of the integration's purpose and primary capabilities. Displayed in the integration list and Marketplace search results. Should summarize what the integration does and which product it integrates with."
    },
    "detaileddescription": {
      "type": "string",
      "description": "Detailed markdown-formatted description displayed on the Cortex Marketplace product page. Should include prerequisites, authentication setup instructions, API version compatibility, and notable limitations."
    },
    "image": {
      "type": "string",
      "description": "Base64-encoded PNG image used as the integration icon in the XSOAR UI and Marketplace. Should be a square image, typically 120x120 pixels, representing the integrated product or vendor logo."
    },
    "type": {
      "type": "string",
      "description": "Execution runtime type for the integration script. 'python2' uses Python 2.7 (deprecated). 'python3' uses Python 3.x in a Docker container. 'javascript' runs natively in the XSOAR engine without Docker. 'powershell' uses PowerShell 7 in a Docker container.",
      "enum": ["python2", "python3", "javascript", "powershell"]
    },
    "configuration": {
      "type": "array",
      "description": "List of instance configuration parameters displayed in the XSOAR integration settings UI. Each parameter corresponds to a field the user must fill in when configuring an integration instance, such as API keys, server URLs, or authentication credentials.",
      "items": {
        "$ref": "#/$defs/ConfigurationParameter"
      }
    },
    "script": {
      "$ref": "#/$defs/Script",
      "description": "Script execution settings, runtime configuration, and command definitions exposed by this integration. Defines the integration's behavioral capabilities and available actions."
    },
    "fromversion": {
      "type": "string",
      "description": "Minimum XSOAR or XSIAM platform version required to use this integration (e.g., '6.0.0', '8.4.0'). The integration will not be available on older platform versions.",
      "pattern": "^\\d+\\.\\d+\\.\\d+$"
    },
    "toversion": {
      "type": "string",
      "description": "Maximum XSOAR or XSIAM platform version this integration is compatible with. Used to deprecate integrations that are superseded by newer versions targeting later platforms.",
      "pattern": "^\\d+\\.\\d+\\.\\d+$"
    }
  },
  "$defs": {
    "ConfigurationParameter": {
      "type": "object",
      "description": "A single instance configuration parameter presented in the XSOAR integration settings form. Parameters collect authentication credentials, connection details, and behavioral settings needed to establish and operate the integration connection.",
      "required": ["display", "name", "type", "required"],
      "properties": {
        "name": {
          "type": "string",
          "description": "Parameter key name used to retrieve the value in integration code via demisto.params().get('name'). Must be a valid Python identifier, using lowercase with underscores."
        },
        "display": {
          "type": "string",
          "description": "Human-readable label shown next to the input field in the XSOAR integration configuration UI."
        },
        "required": {
          "type": "boolean",
          "description": "Whether the user must provide a value for this parameter before the integration instance can be saved and tested."
        },
        "defaultvalue": {
          "type": "string",
          "description": "Default value pre-populated in the configuration field. Used to provide common defaults such as API endpoint URLs, default port numbers, or boolean flag defaults."
        },
        "type": {
          "type": "integer",
          "description": "Parameter input type controlling the UI widget rendered. 0=short text input. 1=encrypted/password field. 4=boolean checkbox. 8=multi-line text area. 9=single-select dropdown. 12=auth credentials selector. 13=incident type selector. 14=file upload. 15=long text. 16=timer configuration. 17=HTML body editor.",
          "enum": [0, 1, 4, 8, 9, 12, 13, 14, 15, 16, 17]
        },
        "options": {
          "type": "array",
          "description": "List of selectable string values for single-select or multi-select dropdown parameters (type 9). Each string appears as an option in the dropdown menu.",
          "items": {
            "type": "string",
            "description": "A selectable option value displayed in the dropdown input."
          }
        },
        "section": {
          "type": "string",
          "description": "UI section grouping for the parameter, controlling which collapsible section of the configuration form the parameter appears under.",
          "enum": ["Connect", "Collect"]
        }
      }
    },
    "Script": {
      "type": "object",
      "description": "Script execution configuration and command definitions for the integration. Specifies the runtime environment, capability flags, and the full list of commands the integration exposes to XSOAR playbooks and automation scripts.",
      "required": ["type", "commands"],
      "properties": {
        "script": {
          "type": "string",
          "description": "Inline script content for the integration. For file-based integrations this is typically '-' to indicate the script is loaded from a separate file. For simple inline integrations the full code can be embedded here."
        },
        "type": {
          "type": "string",
          "description": "Script language runtime for executing the integration code.",
          "enum": ["python2", "python3", "javascript", "powershell"]
        },
        "commands": {
          "type": "array",
          "description": "List of commands exposed by this integration. Each command is callable from XSOAR playbooks, automation scripts, and the War Room CLI, and corresponds to a function in the integration code.",
          "items": {
            "$ref": "#/$defs/Command"
          }
        },
        "runonce": {
          "type": "boolean",
          "default": false,
          "description": "Whether the integration should execute its main function only once rather than remaining available as a persistent service. Used for one-shot integrations that perform a single task during playbook execution."
        },
        "feed": {
          "type": "boolean",
          "default": false,
          "description": "Whether the integration is a threat intelligence feed that ingests indicators into the XSOAR Threat Intelligence Management module."
        },
        "isfetch": {
          "type": "boolean",
          "default": false,
          "description": "Whether the integration fetches incidents from a remote source on a scheduled basis. When true the integration must implement a fetch-incidents function and a Last Run mechanism."
        },
        "longRunning": {
          "type": "boolean",
          "default": false,
          "description": "Whether the integration runs as a long-lived background process rather than executing on demand. Used for integrations that maintain persistent connections or run continuous polling loops."
        },
        "longRunningPort": {
          "type": "boolean",
          "default": false,
          "description": "Whether the long-running integration exposes an HTTP listener port. Used for integrations that act as webhook receivers, receiving inbound events from external systems."
        }
      }
    },
    "Command": {
      "type": "object",
      "description": "A command exposed by the integration and callable from XSOAR playbooks, automation scripts, and the War Room CLI. Each command maps to a handler function in the integration code and produces structured context data as output.",
      "required": ["name", "description"],
      "properties": {
        "name": {
          "type": "string",
          "description": "Command name used to invoke the command in playbooks and War Room. Should follow the kebab-case vendor-action-noun naming convention (e.g., 'vendor-get-alerts', 'vendor-close-incident').",
          "pattern": "^[a-z][a-z0-9-]*$"
        },
        "description": {
          "type": "string",
          "description": "Clear description of what the command does, what inputs it requires, and what data it returns. Displayed in the command reference documentation and War Room help."
        },
        "arguments": {
          "type": "array",
          "description": "List of input arguments accepted by this command. Arguments correspond to parameters passed to the command in playbook tasks or War Room invocations.",
          "items": {
            "$ref": "#/$defs/Argument"
          }
        },
        "outputs": {
          "type": "array",
          "description": "List of context output keys produced by this command when executed. Output paths define how results are stored in the XSOAR incident context for use by subsequent playbook tasks.",
          "items": {
            "$ref": "#/$defs/Output"
          }
        }
      }
    },
    "Argument": {
      "type": "object",
      "description": "An input argument for an integration command. Arguments map to parameters in the command handler function and appear as input fields in the XSOAR playbook task editor.",
      "required": ["name", "description"],
      "properties": {
        "name": {
          "type": "string",
          "description": "Argument name used as the parameter key in command invocations and accessed in code via demisto.args().get('name')."
        },
        "description": {
          "type": "string",
          "description": "Clear description of what this argument represents, its expected format, and any valid value constraints. Displayed in the playbook task editor and command reference."
        },
        "required": {
          "type": "boolean",
          "default": false,
          "description": "Whether this argument must be provided when invoking the command. Required arguments without a default value will cause an error if omitted."
        },
        "defaultValue": {
          "type": "string",
          "description": "Default value used for this argument when it is not explicitly provided in the command invocation."
        },
        "options": {
          "type": "array",
          "description": "List of predefined allowed values for this argument, rendered as a dropdown in the playbook task editor. When specified only these values are accepted.",
          "items": {
            "type": "string",
            "description": "A predefined valid option value for this argument."
          }
        },
        "isArray": {
          "type": "boolean",
          "default": false,
          "description": "Whether this argument accepts a comma-separated list of values, enabling bulk operations on multiple items in a single command invocation."
        }
      }
    },
    "Output": {
      "type": "object",
      "description": "A context output path produced by an integration command. Defines how command results are stored in the XSOAR incident context and makes data available to downstream playbook tasks via context path references.",
      "required": ["contextPath", "description", "type"],
      "properties": {
        "contextPath": {
          "type": "string",
          "description": "Dot-notation context path where the output value is stored in the XSOAR incident context (e.g., 'Vendor.Alert.ID', 'IP.Address', 'File.SHA256'). Should follow XSOAR common output standards where applicable."
        },
        "description": {
          "type": "string",
          "description": "Description of the output value explaining what data is stored at this context path and how it should be interpreted by downstream playbook tasks."
        },
        "type": {
          "type": "string",
          "description": "Data type of the output value, used for type-aware context handling and display formatting in the XSOAR War Room.",
          "enum": ["String", "Number", "Boolean", "Date", "Unknown"]
        }
      }
    }
  }
}