1 of 100

Cortex Docs

Explore the new Cortex UI redesign in our overview video:

Accelerate the path to engineering excellence

Cortex Internal Developer Portal makes it easy to ensure ownership, enforce standards, and unlock developer self-service, in weeks — not years.

Cortex Quick Start

Need additional guidance?

To ensure a smooth and successful implementation, most of our customers partner with Cortex Professional Services (PS) for expert guidance and hands-on assistance. If you've already purchased a PS engagement, your dedicated team will be reaching out soon to kick things off.

If you haven’t engaged with PS yet, don’t worry—you can still take advantage of our expertise! Reach out to learn how we can support your implementation and adoption journey so you get the most out of Cortex.

Getting started in Cortex

Step 1: Log in to your workspace

You can access your Cortex workspace using the workspace ID provided to you by your Cortex team. Or, if you are deploying Cortex on-premises, the Cortex team will provide you with access to an installer.

SSO setup

Your initial login will be configured to use Google for Single Sign-On (SSO).

Add users

After accessing your account, you can add users to your Cortex workspace.

We recommend having at least two users with the Admin role configured to ensure redundancy of access.

Go further

We recommend reviewing the following resources:

Step 2: Configure integrations

We recommend configuring at least one integration from each of the following categories:

- Configuring an on-call provider allows you to map services and other entities to the proper on-call rotations and manage alerts.
- Configuring a communication provider allows you to receive timely notifications and collaborate seamlessly with team members.
- Connecting your teams and team members in Cortex allows you to efficiently track ownership of entities.

Go further

It would also be beneficial to configure integrations for categories such as:

Step 3: Import your first entities

After you’ve configured some basic integrations, you can start importing your entities. Connecting your entities to Cortex allows you to easily track ownership and create Scorecards to enforce standards and track progress on related projects.

Step 3.1: Define entities

Before importing entities, consider your data modeling approach.

Identify the key entities that you want to represent in your Cortex catalogs.

Step 3.2: Import entities

Navigate to Catalogs > All entities.
Click Import entities.
Follow the on-screen prompts to import the entities that Cortex discovered from your integrations.

As you integrate additional tools with Cortex, it can also become possible to streamline work during an incident, efficiently track issues, monitor your code for vulnerabilities, and more. See the documentation for a full list of available integrations.

Step 3.3: Import teams and team members

Cortex supports connecting teams from the following integrations:

Go further

Step 4: Create an onboarding Scorecard

When you first start using Cortex, we recommend creating an onboarding Scorecard to ensure that your entities are configured with the basics.

To get started:

From the main nav, click Scorecards.
Click Create Scorecard.
Cortex offers templates to help you get started with common use cases. Click the Onboarding Scorecard.
Review the default integrations, levels, and rules that are included in the template. You’ll get a chance to edit these on the next page. Click Continue.
Configure your Scorecard, making any modifications necessary.
- For in-depth instructions on creating Scorecards, see Creating and editing Scorecards.
When you are finished, click Save Scorecard.

Go further

Step 5: Explore additional resources

Congratulations - you are on the path to achieving engineering excellence with Cortex!

Now that you’ve completed your first steps, we recommend exploring the following topics:

- Reach out to your Customer Success Manager for more information on enabling this feature.
- Reach out to your Customer Success Manager for more information on enabling this feature.

Ingesting data into Cortex

Managing Catalogs

A catalog is a defined selection of entities. You can use catalogs to track and store information about all of the components that make up your infrastructure. This includes everything from services and domains to AWS S3 buckets and RDS, Google Cloud resources, or Azure Resources.

While entities are defined by YAML files, catalogs themselves are not defined by a YAML file and must be created in the Cortex UI. Think of catalogs as a folder containing a collection of entities, with each entity defined by its own YAML file. An entity can belong to multiple catalogs, so you can also think of a catalog as a filter that defines which entity types to group together.

In the example screen shot below, the Services page contains a list of all entities that belong to the Service catalog:

Default catalogs

By default, Cortex comes with four built-in catalogs:

Services contains all service entities.
Infrastructure contains all entities representing your infrastructure assets.
- Cortex pulls in resources directly from AWS, Azure Resources, or Google Cloud, as their corresponding types out of the box. These resources are automatically added to the Infrastructure catalog.
Domains contains all domain entities and displays them in a hierarchical view.
Teams contains all team entities and displays them in a hierarchical view alongside a leaderboard based on Scorecards.

You can choose to rename these catalogs to fit your own taxonomy, but note that the custom names of these default catalogs will not override the references to their default names throughout the app. Instead, you could choose to create additional custom catalogs.

Custom catalogs

To customize your Cortex instance to your organization's needs, you can also define custom catalogs in Cortex to represent your infrastructure. See Create custom catalogs below.

View catalogs

Click Catalogs from the main nav to view your list of catalogs. You must have the View catalogs permission.

The "All entities" page

You can view and manage all entities in your Cortex account under Catalogs > All Entities. You can organize entities into catalogs to make it easier to find and manage them.

On that page you can also create entity types, which determine the types entities you’ll import into Cortex.

Cortex comes with built-in entity types to get you started quickly. These entity types do not have a definition schema, and instead fetch details on demand from the original source. You can also create your own entity types.

To view all entity types, go to Catalogs > All Entities then click the Entity types tab.

Manage all catalogs

On the All catalogs page, you’ll find all pre-defined and custom catalogs in Cortex.

This page will reflect the same list of catalogs you find in the Catalogs dropdown menu in the main nav.

Just like "All entities", "All catalogs" includes a search bar and a sort function, as well as a toggle for displaying or hiding Drafts.

From this page, you can create new catalogs and edit existing ones.

Create custom catalogs

You can create catalogs in the Cortex UI. For each catalog, you set the criteria that determines which entities belong to that catalog. In addition, you can define custom entity types to categorize the entities that live in your catalogs.

Because catalogs are not defined by a YAML file, it is not possible to create them via a GitOps workflow.

To create, edit, and delete catalogs, you must have the Edit catalogs permission.

To create a new catalog:

At the top of the "All catalogs" page, click Create catalog.
Configure the "Create catalog" form:
- Name: Enter a name for the catalog.
- Description: Optionally, enter a description of the catalog.
- Display icon: an icon to appear alongside the catalog throughout the app.
- URL: Enter a unique URL slug.
  - By default, the URL slug will be generated based on the catalog’s name, but you can use the URL field to create a custom slug.
- Add entity types: In this section, you will define the entities that are included in your catalog. All entities that match the criteria defined in this section will be automatically included in the catalog. To create a catalog, you need to add at least one entity type. Catalogs can include a combination of any entity types, or can include just one type.
  - Selection type: Choose whether to include or exclude the entity types you select.
  - Entity types: Select from the entity types you've created.
  - Include or Exclude groups: Choose groups to include or exclude.
  - CQL expression: Optionally, enter a specific CQL expression to fine-tune your catalog based on specific criteria.
- Draft: Choose whether to save the catalog as a draft or publish it. Only admins and managers have the ability to view drafts.
Click Save catalog.

Once the catalog is created, you’ll find it under Catalogs > All catalogs, automatically populated with all entities that apply based on the entity types you've created.

Edit catalogs

To edit a catalog:

In Cortex, go to Catalogs > All catalogs. Click into the catalog you want to edit, then click Edit catalog at the top of the page.
- This will bring you back to the catalog creation page, with all the details from your last save.
Make any changes necessary to the catalog.
At the bottom of the page, click Save catalog.

Track catalog changes

You can use the audit log to track changes made to any of your catalogs. Catalog updates will be listed as CATALOG in the Type column, and the updated catalog will be listed under the Entity column.

The Action column will indicate whether a catalog was created, deleted, or updated.

Adding entities to catalogs

After an entity is imported or created, it will automatically belong to a catalog based on the entity type criteria set for each catalog. When you create a custom catalog, you can set the entity type criteria.

For the default catalogs, the entity type criteria is set by default:

The Services catalog contains service entity types
The Domains catalog contains domain entity types
The Teams catalog contains team entity types
The Infrastructure catalog contains any entities that are not the types service, domain, or team.
- By default, any custom entity types you create will belong to the Infrastructure catalog. If you do not want the entity type to belong to this catalog, you can add the entity type to a different catalog.

Configure catalog display

You must have the Configure appearance settings permission to configure the catalog display.

By default, catalogs will appear in alphabetical order, but you can manually adjust the order that the catalogs appear in the main nav.

Navigate to Settings > Workspace > Main sidebar to drag and drop catalogs into your preferred order:

Managing Entities

An entity is an object that represents a software construct. A defined collection of entities is known as a catalog. All entities are represented in YAML, can pull in data from integrations, and can be Scorecarded.

Each entity has its own page that centralizes data related to it, allowing you to quickly access the information you're looking for. Learn more in the Entity details page documentation.

Entity types

You can create your own entity types or use one of the default entity types.

Default entity types

By default, Cortex supports the following entity types:

Services: The default type and the core of your catalog, used for entities such as microservices, libraries, components, etc – essentially any codebase-like module. Learn more in Add services.
Domains: An entity that allows you to group your services, resources, and other domains into hierarchical, logical units. Learn more in Add domains.
Teams: An entity to store all of your team data. Learn more in Add teams.
Cortex also supports pulling in resources directly from AWS, Azure Resources, and Google Cloud as their corresponding types out of the box.

Custom entity types

In addition, you can create custom entity types to fit your organization's needs. Learn more in Add custom entity types.

Defining entities via YAML file

Whether you use the UI or GitOps to manage entities, every entity in your Cortex catalogs is defined by a YAML file called the Cortex entity descriptor, also referred to as an entity's Cortex YAML (stemming from cortex.yaml, the name of the file that powers the GitOps approach.)

Each file is a fully compliant OpenAPI 3 spec file, with our own Cortex-specific extensions.

You can still use Cortex if you don't use OpenAPI/Swagger. We use the OpenAPI spec as a base for entity metadata, since it's an open spec with official support for extensions. That lets us extend it to be an entity descriptor spec with optional usage of actual OpenAPI fields.

Adding metadata to the entity descriptor

Any additional metadata you want to add to your descriptor belongs in the info section. Throughout the docs, you'll see snippets that start with x-cortex-* – make sure to add this to the info section.

Note that it is not currently supported to include comments in YAML files.

Managing entities

Editing in the UI or via GitOps

By default, your account is configured to edit entities through the UI. We recommend starting with the UI editor, which includes a built-in YAML editor, then switching over to GitOps when ready for a wider rollout.

If you want to use GitOps to manage your entity YAML files, you can change this setting:

In Cortex, navigate to Settings > GitOps.
Scroll down to the "Options by entity type" tile.
To only allow editing of entities via GitOps, toggle off the setting next to Enable UI editing for new entity types.
To only allow creation of entities via GitOps, toggle off the setting next to Enable UI importing for new entities.

When using GitOps, you can define any number of entities in any repository.

Domain definitions should live in the .cortex/domains directory in your repository.
Team definitions should live in the .cortex/teams directory in your repository.

You may store all of your entity definitions in a single repository or you can store the YAML in the repository of the corresponding service.

See the single repository example below:

.
└── .cortex
    ├── catalog
    │   ├── database.yml
    │   ├── s3-bucket.yml
    │   ├── auth-service.yml
    │   └── billing-service.yml
    ├── domains
    │   ├── billing-domain.yml
    │   └── health-domain.yml
    ├── teams
    │   ├── eng-team.yml
    │   └── sre-team.yml

Unique identifiers for entities

Entity tag

The entity tag - the value of x-cortex-tag in an entity's YAML file - is a unique identifier that's used throughout Cortex. For example, the entity tag is used to declare dependencies on other entities or look up information using the Cortex Slack Bot.

The entity tag must be globally unique across all entities. It is possible to customize the entity tag.

Cortex ID

A Cortex ID (CID) is a unique, immutable entity ID that can be used outside of Cortex for historical tracking and reporting. It can be used in the API, in CQL queries, in-app, and you can use it with the Cortex Slack Bot. The ID is automatically generated by Cortex and it is 18 characters in length.

In Cortex, the CID for an entity appears in the URL for an entity and at the top of an entity page:

The CID does not appear in an entity's YAML file, as it cannot be modified.

Adding entities to catalogs

For the default catalogs, the entity type criteria is set by default:

The Services catalog contains service entity types
The Domains catalog contains domain entity types
The Teams catalog contains team entity types
The Infrastructure catalog contains any entities that are not the types service, domain, or team.
- By default, any custom entity types you create will belong to the Infrastructure catalog. If you do not want the entity type to belong to this catalog, you can add the entity type to a different catalog.

Managing all entities across catalogs

The All entities page lists all entities that have been imported into Cortex, across all types. This page will open to the Mine tab when a user owns any entities; otherwise, it will default to the All entities tab.

Once you’ve imported entities, you’ll be able to see the entity’s name and tag. In the beginning, you may have just a few dozen entities, but eventually you may have hundreds, if not thousands, of entities across all catalogs.

Search across and filter all entities

There are several ways to search and filter your entities list:

To find specific entities, use the search bar in the upper right corner of the entities list and type to search.
Click Name to select whether you want to sort by name or identifier, and whether to sort ascending or descending.
Click Display to choose whether to show archived entities in the list, and select which columns to display alongside entities. Learn more about the performance indicator columns below.
Click Filter to narrow down your list by AWS account ID or region, domain, entity type, group, team, or user.

Key performance indicators listed for all entities

Click Display to select whether to display the following key performance indicators as columns alongside entities:

Incidents: Displays how many active incidents are associated with a given entity. This information is pulled from FireHydrant, PagerDuty, and Rootly.
Health: When you click into this column in an entity's row, you can view more information on:
- Monitors: Shows how entities are performing against monitors you’ve created in your APM. When an entity is passing all monitors, this cell will display All OK; otherwise, it will display Failing, Warning, or No Data, along with how many monitors the entity is not hitting. This information is pulled from Datadog.
- Error rate: Shows the percentage of transactions that result in a failure during a pre-specified window. This information is pulled from New Relic.

If you have not set up an integration needed to populate a column, that column will not appear on the "All entities" page or on specific catalogs. If an integration is established, but the data and/or configuration for an entity do not exist, the cell will display “None.”

View entity types

To view all entity types, go to Catalogs > All Entities then click the Entity types tab.

A Cortex logo appears next to built-in entity types. When you hover over the logo, you will see a "Powered by Cortex" banner:

The other entity types in the list are custom types.

Understanding the entity types

To learn more about adding each type of entity, see their documentation pages:

Add services
Add domains
Add teams
Add custom entity types

Adding entities

Add services

Services are a default entity type in Cortex, used for entities such as microservices, libraries, components, etc – essentially any codebase-like module.

View services

To view services, click Catalogs > Services from the main nav.

When you open the Services page, you'll see tabs labeled Mine and All, which denote services you own and all services visible to you in your Cortex workspace.

Configure the view of your service list

At the top of your services list, you can choose how the list is displayed:

Name: Click Name, then choose whether to sort by name or identifier, and whether the sort order should be ascending or descending.
Display: Click Display, then choose whether to display hierarchies, whether to show archived, and which columns to display.

Creating services

You can create services:

By importing them from a connected integration
Manually in the Cortex UI

You can import services directly from third-party integrations:

In Cortex, navigate to Catalogs > All entities, then click Import entities.
Select the integration to import from.
- If you have a large volume of entites, click Filter in the upper right corner of the results list to select and apply entity type filters.
At the bottom of the page, click Next step.
Edit the details for the entity:
1. Type: Select Service.
2. Entity name: Enter a human readable name.
3. Identifier: This field is auto-populated based on your entity name. It is a unique identifier for your entity. This is also known as the x-cortex-tag.
4. Description: Enter a description of the entity to help others understand its purpose.
7. Links: Add links to external documentation, such as runbooks, docs, logs, or custom categories.
10. On-call: Configure on-call information.
11. Repository: Select the repository associated with this entity.
Click Confirm import.

To create a service:

In the main nav of Cortex, click Catalogs > Services.
At the top of the Services page, click +Import entities.
Configure the form:
- Type: Select Service.
- Entity name: Enter a human readable name.
- Identifier: This field is auto-populated based on your entity name. It is a unique identifier for your entity. This is also known as the x-cortex-tag.
- Description: Enter a description of the entity to help others understand its purpose.
- Owners: Define ownership for your entity. We recommend selecting team owners to keep your ownership information up-to-date through any future personnel changes.
- Links: Add links to external documentation, such as runbooks, docs, logs, or custom categories.
- On-call: Configure on-call information.
- Repository: Select the repository associated with this entity.
When you are finished, click Confirm import at the bottom of the page.

Service entity descriptor

A barebones spec file has the OpenAPI version, along with an info section that contains some basic details.

Required fields

The only required fields under info are the title, x-cortex-tag, and x-cortex-type. The description is optional, but we highly recommend adding descriptions to all of your entities.

Example cortex.yaml for a service

Edit services

It is possible to edit entities after creating them:

Navigate to the entity's page.
In the upper right corner, click Configure entity.
Make any desired changes.
- Note: The only field you cannot edit is the identifier.
At the bottom of the screen, click Save changes.

Add teams

Teams serve as both an entity representing your organization in Cortex and as owners for different entities in the catalogs. Teams offers a centralized place for the most important information about each group, making it easier for everyone to find what they need.

Teams can be assessed via Scorecards, interact with integrations, and leverage custom data. They can also be configured in a hierarchy.

View teams

To view your teams, navigate to Catalogs > Teams.

When you open the Teams catalog page, you'll see Mine and All, which denote teams you belong to and all teams at your organization, respectively. The teams that appear under "All" will automatically display as a hierarchy, whereas those under "Mine" will be listed individually.

View the teams leaderboard

On the right side of the Teams catalog page, see the Scorecard Leaderboard, which highlights the ten best-performing teams within your organization.

The leaderboard is calculated from the average of Scorecard scores for all entities owned by a team. Change in rank is based on the team's score 7 days ago. You can use the dropdown to select a different Scorecard, allowing you to view the leaderboard based on specific Scorecards.

The leaderboard gamifies entity quality and encourages team members to achieve goals. This creates a culture of accountability, where everyone has visibility into how they're performing.

View an individual team's page

Each team has its own details page, where you can view key details about the team. Click a team from the Teams catalog page to view its details.

At the top of a team details page, you’ll find on-call information, Slack channels, and parent and children teams.

Additional information appears in tabs on the team's details page:

The Overview tab includes:
- On-call information.
- Linked Slack channels.
- Where the selected team belongs within the broader hierarchy.
- How the team is performing across Scorecards. By default, this will show the level that the team’s entities have reached in each Scorecard.
  - On the right, enable the toggle next to Aggregate children scores to include child entities in the Scorecard overview.
- A list of recent events associated with this team, such as alerts from PagerDuty.
The Members tab includes a list of all team members, as well as their contact information. You can also add tags for each user to signify each member’s role on the team. When available, Cortex will also pull in profile photos from your Git provider.
The Entities tab shows a list of all entities that the team owns.
The Dependencies tab shows any incoming or outgoing dependencies associated with this team.

Ownership

Teams not only allow you to collect vital information in a single place, but are also crucial for ownership. Rather than assign an entity to individual team members, you can assign ownership to an entire team. This makes it easy to assign multiple team members to an entity, and it ensures that when a team’s composition changes, ownership is updated accordingly.

Read more in the Ownership documentation.

Creating a team

You can create teams:

By importing them from a connected integration (e.g., Workday, GitHub)
Manually in the Cortex UI
Via the entity descriptor YAML through GitOps
Via the API

Understanding hierarchies

You can configure teams to reflect the actual hierarchy at your organization while creating or importing teams in Cortex. A team can be defined as the parent of one or more teams while also being the child of another team.

When you access the Teams catalog, individual teams and parent teams are displayed by default. Parent teams have an arrow next to their name, indicating that you can expand to view children teams.

In the above example, My Company is a parent team with 7 child teams nested under it.

Create a team

See the tabs below for instructions on each method.

Importing a team from an integration

If you have an existing source of truth for your teams and team members, we recommend importing teams. By integrating with your identity provider at this stage, Cortex will automatically sync team pages with your source of truth so you don't have to update information in more than one place when people join or leave teams.

Each integration syncs teams daily.

You can only import entities from integrations that have already been configured.

Supported integrations

Teams from the following integrations can be imported:

Azure DevOps
BambooHR
Entra ID (formerly Azure Active Directory)
GitHub
GitLab
Google
Okta
Opsgenie
ServiceNow
- Before following the import process, you must configure table mappings.
Workday
- For the Workday integration, you can enable automatic import of discovered teams.

Importing teams

After configuring an integration that includes teams, follow these steps to import teams:

In Cortex, navigate to Catalogs > All entities, then click Import entities.
Select the integration to import from.
- If you have a large volume of entites, click Filter in the upper right corner of the results list to select and apply entity type filters.
At the bottom of the page, click Next step.
Edit the details for the entity:
- Type: Select Team.
- Name: Enter a human readable name for your team.
- Identifier: This field is auto-populated based on your entity name. It is a unique identifier for your entity. This is also known as the x-cortex-tag.
- Description: Enter a description of the team to help others understand its purpose.
- Groups: Select groups to segment your entity.
- Members: Select members of your team. Team members will be marked as owners of entities and receive notifications about entities owned by the team if notifications are enabled.
- Links: Add links to external documentation, such as runbooks, docs, logs, or custom categories.
- Slack channels: Link the team's associated Slack channel. If notifications are configured, the team will receive notifications here.
  - You must have the Slack integration configured before linking a channel.
- Parents and Children: Define parent and children teams. This is where you configure the hierarchy for your entity. These can be visualized in the relationship graph.
- On-call: Configure the on-call service associated with this team. When selected, you will see the latest on-call information displayed on the team's details page.
Click Confirm import.

Manually creating teams

If you don’t have an identity provider with updated team information, you can create a team manually within Cortex. Because teams are important for effective ownership, it's recommended that you create teams in Cortex even if you don't have a single source of truth for team information.

In Cortex, navigate to Catalogs > Teams, then click Import teams.
Configure the form:
Configure the team details:
- Type: Select Team.
- Name: Enter a human readable name for your team.
- Identifier: This field is auto-populated based on your entity name. It is a unique identifier for your entity. This is also known as the x-cortex-tag.
- Description: Enter a description of the team to help others understand its purpose.
- Groups: Select groups to segment your entity.
- Members: Select members of your team. Team members will be marked as owners of entities and receive notifications about entities owned by the team if notifications are enabled.
- Links: Add links to external documentation, such as runbooks, docs, logs, or custom categories.
- Slack channels: Link the team's associated Slack channel. If notifications are configured, the team will receive notifications here.
  - You must have the Slack integration configured before linking a channel.
- Parents and Children: Define parent and children teams. This is where you configure the hierarchy for your entity. These can be visualized in the relationship graph.
- On-call: Configure the on-call service associated with this team. When selected, you will see the latest on-call information displayed on the team's details page.
Click Confirm import.

Once you've created a team, you can view it on the Teams page within the hierarchy. If you haven't added parents or children, you can disable View as hierarchy to see the list of all teams.

Adding Cortex-managed teams

You can manually create teams in Cortex and define them in the entity descriptor.

You can also define teams as owners via entity descriptors. See the Ownership documentation for more information.

Team entity descriptor

If your entity is a team, you must specify x-cortex-type as team.

openapi: 3.0.1
info:
  title: Payments Team
  description: This is my cool team.
  x-cortex-tag: payments-team
  x-cortex-type: team

The x-cortex-team tag has two main sections: groups and members.

Adding groups to the team entity descriptor

Use groups to link your team entity with a team on a different platform that you have integrated with Cortex. You can only link one group to a team entity.

For example, you can specify:

openapi: 3.0.1
info:
  title: Example Team
  description: My Cool Team
  x-cortex-type: team
  x-cortex-tag: example-team
  x-cortex-team:
      groups:
      - name: okta-security-team
        provider: OKTA

Under groups, when you specify okta-security-team, your team will contain all the members from your okta-security-team.

Now, if you specify the okta-security-team in your x-cortex-owners on any of your other entities, they will automatically recognize example-team as a team that owns their entity.

Adding team members to the team entity descriptor

members can be used to add individual members to your team when you have a use case for a team entity that doesn't correspond exactly to a team on one of your integrations. Members support roles. For example, the following entity includes a member who has the product-manager role and a member who has both the engineering-manager role and manager role:

openapi: 3.0.1
info:
  title: Example Team
  description: My Cool Team
  x-cortex-type: team
  x-cortex-tag: example-team
  x-cortex-team:
      members:
      - name: Product Manager
        email: product-manager@cortex.io
        notificationsEnabled: true
        roles: 
          - tag: product-manager
      - name: Engineering Manager
        email: engineering-manager@cortex.io
        notificationsEnabled: true
        roles: 
          - tag: engineering-manager
          - tag: manager

After specifying the YAML example above, your team now will contain Product Manager and Engineering Manager. If product-manager@cortex.io or engineering-manager@cortex.io were to correspond with the email of an actual account in Cortex, they would start seeing example-team being displayed as a team that they're a part of (i.e., it would start showing up in their Mine tab in catalogs that contain teams).

Roles must be defined for your workspace in your Entity Settings page, under the "Teams" tab.

The role field in member is optional. In order to be considered valid, a team must have a non-empty group.

Team children

You can define a list of other teams as children, allowing you to represent a hierarchy of how your teams are modeled across your workspace, using the x-cortex-children tag.

openapi: 3.0.1
info:
  title: Payments
  description: This is my cool team.
  x-cortex-tag: payments-team
  x-cortex-type: team
  x-cortex-children:
  - tag: child-team-1
  - tag: child-team-2

This hierarchy is available to look at in the Teams catalog page.

Team parents

Team children allow you to define the team relationship from the top-down, but in some cases it may be easier to define the team hierarchy from the bottom-up. For these cases, x-cortex-parents can be added to any entity's YAML to define its parents.

openapi: 3.0.1
info:
  title: Payments
  description: This is my cool team.
  x-cortex-tag: payments-team
  x-cortex-type: team
  x-cortex-parents:
  - tag: parent-team-1
  - tag: parent-team-2

Example cortex.yaml

Note: the YAML definition for a team entity can take file names other than cortex.yaml or cortex.yml; see the GitOps example repository structure.

openapi: 3.0.1
info:
  title: Chat Team
  description: Chat team.
  x-cortex-tag: chat-team
  x-cortex-type: team
  x-cortex-team:
      groups:
      - name: okta-chat-team
        provider: OKTA
      members:
      - name: Product Manager
        email: product-manager@cortex.io
        notificationsEnabled: true
      - name: Engineering Manager
        email: engineering-manager@cortex.io
        notificationsEnabled: true
  x-cortex-children: # children can be of type team
    - tag: chat-infra-team
    - tag: chat-sre-team
  x-cortex-slack:
    channels:
    - name: chat-team
      notificationsEnabled: true
      description: This is a description for the chat-team Slack channel # optional
  x-cortex-oncall:
    pagerduty:
      id: ASDF2345
      type: SCHEDULE

Creating teams via the API

You can create, update, and delete teams using the Cortex API.

Edit teams

It is possible to edit entities after creating them:

Navigate to the entity's page.
In the upper right corner, click Configure entity.
Make any desired changes.
- Note: The only field you cannot edit is the identifier.
At the bottom of the screen, click Save changes.

Adding team member roles

You can manually create a team member role:

In Cortex, navigate to Settings > Entities > Teams.
Click Add role.
In the "Add role" modal, configure the role:
- Role name: Enter the role's name.
- Tag: The tag - a unique identifier for the role - automatically populates based on the role name.
- Role description: Enter a description of the role.
- Enable notifications by default: If notifications are enabled, members with this role will receive relevant updates on Scorecards, Initiatives, and more.
Click Save.

Apply role to team members

You can apply a role only to manually-created team members. Team members who were imported from an identity integration will retain the role that was imported.

To apply a role:

In Cortex, navigate to Catalogs > Teams.
Click into a team.
In the upper right corner, click Configure entity.
Click Members.
Next to a team member, click the edit icon.
In the side panel, add a new team role.
Click Update.

Adjusting team settings

Under Settings > Entities > Teams, there are several settings relating to teams:

Enable identity providers

In this section, you can select which identity providers will be used to sync team and team memberships into Cortex.

When importing teams, you will see the option to import from the enabled IdPs listed here.

Auto import teams

When enabled, any discovered teams and team relationships from Workday are automatically imported.

In order for teams to be imported, Workday needs to be enabled under the Enabled identity providers section on this settings page. The Workday report must include the managerEmail field in order for team relationships to be auto imported.

Team ownership entity editing

When enabled, entities can only be edited by specific members of the team that own them. Read more about this feature in Team ownership entity editing.

Give edit access to all team members

When enabled, all team members will be granted edit access. You will not be able to turn off edit access for individual members in your teams configuration when this is enabled.

Team member roles tab

Sync team roles from identity providers

When enabled, Cortex will automatically assign roles to team members based on your enabled identity providers. Leave this option disabled to assign team roles manually.

Add roles

This process is described above, under Adding team member roles.

Add custom entity types

Every entity in the catalog is associated with an entity type. Entity type definitions require a type and a JSON schema that outlines the attributes that entities should conform to.

View entity types

A Cortex logo appears next to built-in entity types. When you hover over the logo, you will see a "Powered by Cortex" banner:

The other entity types in the list are custom types.

Create custom entity types

You can create custom entity types:

Manually in the Cortex UI

When creating an entity type, keep in mind that these will ultimately dictate how you import specific entities later on.

To create, edit, and delete entity types, your user or API key must have the Edit entity types permission.

Create entity types in the Cortex UI

In Cortex, navigate to Catalogs > All entities.
Click the Entity types tab, then click Create entity type.
Configure the form:
- Name: Enter a human-readable name that will appear in the catalog for this entity type.
- Type: Enter a unique identifier that corresponds to the entity type. This will be used to specify the type defined in the YAML definitions for imported entities.
- Description: Optionally, enter a description for the entity type.
- Display icon: Select an icon to appear alongside the entity type throughout the app.
- Schema: Define a JSON schema that will be used to validate the x-cortex-validation block of a given entity’s YAML.
  - This is not required to create an entity type, but will be useful if you want to enforce certain attributes about entities, such as a region or version number. Attributes defined in the schema will be required when creating an entity of that type, which can then be validated in Scorecards.
  - In the example screen shot, we’ve created a custom entity called Employee — this is what we’ll use to represent individuals at our organization. In the schema section, you can see that each profile is required to include an employee’s location and their dream vacation. This means every time you create an Employee entity, you’ll define each employee’s location and dream vacation in a schema for that entity.
At the bottom of the page, click Create.

After saving, the entity type will appear in the Entity types tab under Catalogs > All entities, and you will be able to import entities of that type.

Create entity types in the entity descriptor

Example cortex.yaml

Create entity types via the API

Creating custom entities

In the main nav of Cortex, click Catalogs > All entities.
At the top of the Services page, click +Import entities.
Configure the form:
- Type: Select your custom entity type.
- Entity name: Enter a human readable name for your entity.
- Identifier: This field is auto-populated based on your entity name. It is a unique identifier for your entity. This is also known as the x-cortex-tag.
- Description: Enter a description of the entity to help others understand its purpose.
- Links: Add links to external documentation, such as runbooks, docs, logs, or custom categories.
- On-call: Configure on-call information.
- Repository: Select the repository associated with this entity.
When you are finished, click Confirm import at the bottom of the page.

JSON schema for custom entity types

The JSON schema for a custom entity type ensures consistency and validation when creating entities of that type. The attributes listed under required in the schema must be defined for entities of that type according to the outlined properties.

Defining a JSON schema also enables visibility on an entity's detail page. The schema and the defined properties will appear under the Entity Metadata section on the Overview page, making it easy for users to identify key specs.

Edit custom entities

It is possible to edit entities after creating them:

Navigate to the entity's page.
In the upper right corner, click Configure entity.
Make any desired changes.
- Note: The only field you cannot edit is the identifier.
At the bottom of the screen, click Save changes.

Add custom entities to catalogs

Using custom entity types or custom data

In some instances, you may want to use custom data instead of a custom entity type.

It is possible to create an entity type with an empty properties schema:

A schema is ideal for enforcing static properties across all entities, while custom data allows users to augment and update attributes.

Defining dependencies

Incoming dependencies are inferred based the outgoing dependency definitions.

Visualize dependencies in the relationship graph

Automated dependency notifications

When a dependency deprecates its API or makes backwards incompatible changes, Cortex surfaces these issues via these methods:

Cortex attempts to automatically make comments on PRs containing breaking OpenAPI changes that have downstream dependencies that Cortex knows about.
If a breaking change is merged to the default branch, Cortex alerts dependency owners via Slack that a breaking change was merged.

Discovery

Cortex can automatically discover dependencies from your integrations:

How to define dependencies

You can define dependencies manually via an entity's YAML descriptor, via the Cortex UI (if UI editing is enabled), or via the API.

Your user or API key need the Edit entities permission.

Define dependencies in the Cortex UI

Navigate to the entity where you need to define a dependency.
In the upper right corner of the entity details page, click Configure entity.
Click the Hierarchy tab.
In the dropdown menu, choose an entity.
Optionally, select an endpoint.
Click Add.

Set an endpoint for a dependency

Before you can select an endpoint from the dropdown when manually defining a dependency, that endpoint must be defined as a path in the entity's YAML file. See the example below:

Define dependencies in the entity descriptor

The x-cortex-dependency field allows you to define a list of outgoing dependencies. A dependency should be directed towards an outgoing service or resource, or more granularly, to a specific endpoint of that entity.

Define dependencies via the API

YAML is the source of truth. If a dependency has already been set through the cortex.yaml, the API will return an error.

Endpoints are optional. A dependency optionally references an endpoint (method and path) of the callee, and this must already be defined in the callee's cortex.yaml within the paths field. If no endpoint is referenced it is assumed that the caller depends on all endpoints of the callee.

For all requests method or path are optional, however if one is present the other must also be present.

When interacting with an existing dependency, the method and path must be specified correctly to identify it.

Create a dependency

POST /api/v1/catalog//dependencies/?method=&path=

Retrieve a dependency

GET /api/v1/catalog//dependencies/?method=&path=

Update a dependency

PUT /api/v1/catalog//dependencies/?method=&path=

PUT replaces entire object. The request body is considered a modified version of the already existing entity. Leaving a field out of the JSON will be interpreted as null.

Delete a dependency

DELETE /api/v1/catalog//dependencies/?method=&path=

Bulk create or update dependencies

PUT /api/v1/catalog/dependencies

:::caution PUT replaces entire object The request body is considered a modified version of the already existing entity. Leaving a field out of the JSON will be interpreted as null. :::

Sync dependencies

Cortex syncs AWS dependencies every day at 8:00 a.m. UTC. All other dependencies sync at 12:00 a.m. UTC.

If you need to sync dependencies manually:

Navigate to Tools > Relationship graphs.

Entity details page

The entity details page

Each entity has its own page that centralizes data related to the entity, allowing developers to reduce context switching.

While viewing entities in a catalog, or from the Catalogs > All entities page, click an entity name to open that entity's details page.

When you first open an entity, see an overview of relevant information. If there are any active incidents, you will see them at the top of the page, in addition to recent events, on-call, owners, Slack or Microsoft Teams channels, groups, repository, language, and related domains.

During an incident, the entity details page allows you to quickly find the information you need all in one place: the active incident itself, who owns the entity and who is on-call, which Slack channel to communicate in, dependencies that could be affected, and the most recent deploys.

If data is not available for a field on the entity page, it will not appear in the overview. For example, if you do not have the Slack integration configured, then the "Slack channels" field will not be displayed.

Entity details sidebar

In the left sidebar of an entity, drill further into the entity's recent deploys, events, security vulnerabilities, monitoring metrics, and more, giving you the insight you need to solve an incident quickly and efficiently.

In the sidebar, click into each category for more information:

Entity overview categories

API explorer: Pulls from API documentation added to your entity.
Events: Recent events such as deploys and other integration events.
Links & docs: Documentation links you have added to the entity, along with documentation pulled from the related repository.
On-call & incidents: On-call information from Opsgenie, PagerDuty, Splunk On-Call (formerly VictorOps), and xMatters, and incidents pulled from incident.io, PagerDuty, FireHydrant, and Rootly.
Owners: See the teams who own the entity, the related Slack or Microsoft Teams channels, and a list of team members.
- Learn more about how to define entity owners in Defining ownership.
Entity YAML: View the entity YAML that defines this entity.

Cortex features for this entity

Scorecards: A list of any Scorecards that are in progress where this entity is being scored. In additional, see the average score, median score, and a graph showing the entity's scores over time.
Initiatives: A list of all active Initiatives for this entity, including the Scorecard's current level and the due date of the Initiative.
Workflows: A list of Workflows that include this entity. If any Workflows are pending approval and you were designated as an approver when the Workflow was created, you will see the pending approval at the top of this page. This page also includes a list of recently run Workflows and the ability to run any related Workflows.

Connections for this entity

Under the "Connections" header, integration data for the entity is contextually grouped. When you configure integrations, data will be pulled in to the following sections on the entity details page:

CI/CD: Pulls from deploys API, Azure DevOps, Bitbucket, Buildkite, CircleCI, GitHub, and GitLab.
Code & security: Pulls from Checkmarx, Codecov, GitHub, GitLab, Mend, Snyk, SonarQube, Veracode, and Wiz.
Custom data & metrics: Pulls from custom data and Eng Intelligence custom metrics.
Dashboard: Pulls from charts configured in the entity's YAML file for Datadog, Grafana, and New Relic.
Error tracking: Pulls from BugSnag, Rollbar, and Sentry.
Environments: Pulls from AWS and Kubernetes.
Issue tracking: Pulls from Azure DevOps, ClickUp, GitHub, GitLab, and Jira.
Monitoring: Pulls from Coralogix, Datadog, Dynatrace, Google Observability Cloud, Lightstep, New Relic, Prometheus, Splunk Observability Cloud (formerly SignalFX), and Sumo Logic.
Packages: Pulls from the packages API and any packages automatically discovered from your configured git repositories.
Repository: Pulls from Azure DevOps, Bitbucket, GitHub, and GitLab.
Integration settings: This page lists the integrations that are enabled and connected for this entity.

Plugins for this entity

Under the "Plugins" header, see any plugins in your workspace that are relevant to this entity.

More information on entities

Learn more about entities in Manging entities.

Defining ownership

Ownership is a core use case of Cortex, as many organizations seek to establish clear ownership of services, data, and other entities. Entities should be owned within Cortex to ensure appropriate action can be driven using Scorecards and Initiatives.

Ownership can be defined by accepting Cortex's automated recommendations for ownership, pulled in from third-party integrations, or defined manually in the Cortex UI.

Where to view entity owners

When viewing an entity, the owners appear in the metadata bar at the top of the page:

Click into the team name to view the team's entity page, including a list of members and a list of entities owned by that team.

Define owners for entities

You can define owners based on:

A team
- We recommend setting up teams as owners. If you link a group in your YAML file from a different platform (such as Okta), the members of the team will be automatically updated in Cortex if anyone leaves your organization and is removed from your integrated identity provider.
A user email address

Owners can be defined:

By accepting Cortex's automated recommendations for owners, based on repository activity
Automatically if Cortex detects that an entity is owned by a team that does not yet exist in Cortex
- If an entity's YAML references a team, but that team doesn't have a corresponding entry within Cortex, Cortex will automatically create a team. The team will include a label that says Automatically created by Cortex.
Directly in the Cortex UI

Cortex automated recommendations for ownership

This feature is available in private beta. Please reach out to your Cortex Customer Success Manager for access. Note the following considerations:

This feature is supported for entities associated with a repository in GitHub, GitLab, or Azure DevOps. It is not supported for monorepos.
You must have at least one team in Cortex in order for Cortex to provide recommendations.
To accept or reject the recommended owner, the user must have the Edit entities permission.

Cortex analyzes a repository and automatically recommends a team owner for entities that do not have an owner.

Define owners in the Cortex UI

Search for and select the entity whose ownership you want to edit.
In the upper right corner of the entity's page, click Configure entity.
Click the Owners tab, then click +Add next to Teams or Users.
- Add team:
  - Select a team from the dropdown menu, then click Add.
- Add user:
  - Select a user from the dropdown menu, then click Add.
  - You can also add a user who is not listed in Cortex. To do this, enter an email address into the Email address field, then click Add.

Define owners in the entity descriptor

The x-cortex-owners field allows you to define a list of owners of type email or group.

Cortex recognizes groups from the following integrations:

The value of provider is the name of the integration that the group is coming from. The available list is:

ACTIVE_DIRECTORY
AZURE_DEVOPS
BAMBOO_HR
CORTEX: Use when referring to a team defined in Cortex; these teams do not map to identities from a connected integration.
GITHUB
GITLAB
GOOGLE
OKTA
OPSGENIE
SERVICE_NOW
WORKDAY

name is a case-sensitive field that refers to the following:

if your provider is CORTEX, name corresponds to the x-cortex-tag for the Cortex team you want to identify as an owner
otherwise, name corresponds to the upstream identifier of your owner from your integration

Automatic discovery for AWS

You can pull in all resources from AWS, and Cortex syncs those owners automatically based on their tags in AWS, allowing you to easily keep the resource owners up to date.

Cortex syncs ownership from AWS every day at 6 am UTC.

Viewing entity ownership

View your owned entities

View a team's owned entities

You can filter the entity list by owner:

In the upper right corner, click Filter.

View entities owned by all teams within a hierachy

Teams can exist within hierarchies. You can view a list of all entities that are owned by the parent team and all children teams in the hierarchy:

Navigate to the parent team's page in Cortex.
Click the Entities tab.
Click Display, then enable the toggle next to Inherited Children.
Click Done.

The list will now display all entities owned by the parent and its children teams. Note that this setting does not persist when you navigate away from the page.

Ownership settings in Cortex

Grouping entities

Tagging
- Use groups to segment entities.
- For example, you could segment by tiers (tier-0 to indicate high priority), type (backend, frontend, library, API), or language (Python, Java).
Filtering throughout Cortex
- For example, you may want a Scorecard to only apply to Python services or a catalog that only shows tier-0 services.
Reporting
- You could aggregate Scorecard scores by a specific group, such as a tier.
- For example, viewing a Production Readiness Scorecard broken down by tier.

While viewing an entity, its groups are listed at the top of the page:

Click the group name to view a list of all other entities that are tagged with this group.

How to define groups

You can define groups via an entity's YAML, directly in the Cortex UI, or via the API.

Note the following considerations:

If a group has been set in the entity descriptor YAML, an API call will not overwrite the existing value.
Groups created via the API will not appear in the entity descriptor YAML.
Groups created via the API cannot be removed via the Cortex UI.

To create a group in the UI:

Navigate to the entity that you want to apply a group to.
- Click the magnifying glass icon at the bottom of the main nav, or click Catalogs > All entities and search for the entity from that page.
In the upper right corner of the entity page, click Configure entity.
Click into the Groups field.
- To apply an existing group, type to search then click on the group.
- To create a new group, type the group name into the field, then click the group name in the dropdown. The group will be created and applied to the entity.
At the bottom of the page, click Save.

Groups are defined as a list of tags.

Groups may not contain whitespace characters.

FAQ and troubleshooting

To determine whether or not to use groups or custom data, consider whether your use case would be considered "tagging" with a definite enum of values (backend vs frontend), or more freeform metadata availability-zones: [east, west].

Adding external documentation

Cortex is your source of truth to external docs. Instead of digging through wikis and other resources, you can aggregate docs on the relevant entities in Cortex in the following ways:

View links on an entity

Links appear on an entity details page in the Links & docs section:

Add links to an entity

On entities, you can add links to docs, runbooks, tech specs, dashboards, and more.

In Cortex, navigate to an entity.
In the upper right corner of the entity details page, click Configure entity.
Click the Links tab.
Click +Add.
Configure the link:
- - To create a new type, enter the type name then click the name in the dropdown.
- Name: Enter a name for the link.
- URL: Enter the URL.
- Description: Add a description of the link.
Click Add.

In the entity descriptor, add a list of link objects:

name, type, and url are required.

Git-driven markdown docs

Cortex automatically embeds markdown files from the docs folder of your repo or from the root directory. If Cortex detects relevant files, these docs show up under the Links & docs page in an entity's sidebar.

Documentation types

OpenAPI docs

Embed specs from a git repository

If you have specs checked into your git repository, you can embed it by adding it as a relative URL with type openapi. For example:

Relative links in another repo

In addition to providing the ability to link to specs within the service repo, Cortex also allows for links that reference other git repositories that aren't necessarily associated with your entity but still within your organization.

Power users can also specify a branch parameter between the second and the third colon separated group, in the form github:org/repo:branch:path/to/file. If this parameter is omitted, we will use the repository's default branch.

Relative link YAML examples

Adding OpenAPI via the Cortex API

The request body is the following, in JSON format. See API Docs for authentication details.

Converting YAML or JSON to string You can use a lightweight utility like jq to take your yaml/json and generate a string that can be used for your request:

e.g. $(cat my_file.yaml | jq -Rsa)

AsyncAPI docs

If you have specs checked into your Git repository, you can embed it by adding it as a relative URL with type async_api. For example:

Embedded dashboards

The type field is an optional enum of three types: datadog, grafana, or newrelic.
The url field is the src value for the iframe embed generated by your dashboard tool.
- You must use your tool's embed URL for individual charts.

Note that you can embed individual charts, not dashboards.

Embed content from other sources

It is possible to display content from a source other than Datadog, Grafana, or New Relic. To do this, do not specify an option for the type field. The URL you add must be publicly accessible or provide cross-platform authentication for Cortex to view and display the iframe. For example, if the content is accessible via VPN, then you should be able to view it in Cortex while on the VPN.

Accessing docs links via Slack

/slack links <tag-or-id> to list all documentation links for an entity
/slack links [type] <tag-or-id> to list specific types of documentation links for an entity

For example:

To list all documentation links for an entity with ID en29f044598b112345, you could run the following command in Slack: /cortex links en29f044598b112345
To list the OpenAPI specs for an entity with tag plugin-extension, you could run the following command in Slack: /cortex links openapi plugin-extension

Reporting

Add teams

Teams can be assessed via Scorecards, interact with integrations, and leverage custom data. They can also be configured in a hierarchy.

View teams

To view your teams, navigate to Catalogs > Teams.

View the teams leaderboard

On the right side of the Teams catalog page, see the Scorecard Leaderboard, which highlights the ten best-performing teams within your organization.

The leaderboard gamifies entity quality and encourages team members to achieve goals. This creates a culture of accountability, where everyone has visibility into how they're performing.

View an individual team's page

Each team has its own details page, where you can view key details about the team. Click a team from the Teams catalog page to view its details.

At the top of a team details page, you’ll find on-call information, Slack channels, and parent and children teams.

Additional information appears in tabs on the team's details page:

The Overview tab includes:
- On-call information.
- Linked Slack channels.
- Where the selected team belongs within the broader hierarchy.
- How the team is performing across Scorecards. By default, this will show the level that the team’s entities have reached in each Scorecard.
  - On the right, enable the toggle next to Aggregate children scores to include child entities in the Scorecard overview.
- A list of recent events associated with this team, such as alerts from PagerDuty.
The Members tab includes a list of all team members, as well as their contact information. You can also add tags for each user to signify each member’s role on the team. When available, Cortex will also pull in profile photos from your Git provider.
The Entities tab shows a list of all entities that the team owns.
The Dependencies tab shows any incoming or outgoing dependencies associated with this team.

Ownership

Read more in the Ownership documentation.

Creating a team

You can create teams:

By importing them from a connected integration (e.g., Workday, GitHub)
Manually in the Cortex UI
Via the entity descriptor YAML through GitOps
Via the API

Understanding hierarchies

When you access the Teams catalog, individual teams and parent teams are displayed by default. Parent teams have an arrow next to their name, indicating that you can expand to view children teams.

In the above example, My Company is a parent team with 7 child teams nested under it.

Create a team

See the tabs below for instructions on each method.

Importing a team from an integration

Each integration syncs teams daily.

You can only import entities from integrations that have already been configured.

Supported integrations

Teams from the following integrations can be imported:

Azure DevOps
BambooHR
Entra ID (formerly Azure Active Directory)
GitHub
GitLab
Google
Okta
Opsgenie
ServiceNow
- Before following the import process, you must configure table mappings.
Workday
- For the Workday integration, you can enable automatic import of discovered teams.

Importing teams

After configuring an integration that includes teams, follow these steps to import teams:

In Cortex, navigate to Catalogs > All entities, then click Import entities.
Choose Import discovered entities.
Select the integration to import from.
On the following page, after the integration sync is complete, a list of entities from the integration are displayed. Check the boxes next to any entities you want to import.
- If you have a large volume of entites, click Filter in the upper right corner of the results list to select and apply entity type filters.
At the bottom of the page, click Next step.
Edit the details for the entity:
- Type: Select Team.
- Name: Enter a human readable name for your team.
- Identifier: This field is auto-populated based on your entity name. It is a unique identifier for your entity. This is also known as the x-cortex-tag.
- Description: Enter a description of the team to help others understand its purpose.
- Groups: Select groups to segment your entity.
- Members: Select members of your team. Team members will be marked as owners of entities and receive notifications about entities owned by the team if notifications are enabled.
- Links: Add links to external documentation, such as runbooks, docs, logs, or custom categories.
- Slack channels: Link the team's associated Slack channel. If notifications are configured, the team will receive notifications here.
  - You must have the Slack integration configured before linking a channel.
- Parents and Children: Define parent and children teams. This is where you configure the hierarchy for your entity. These can be visualized in the relationship graph.
- On-call: Configure the on-call service associated with this team. When selected, you will see the latest on-call information displayed on the team's details page.
If you selected more than one entity: After the first entity is configured, click the name of the next entity on the right to navigate to the detail editor for that entity.
Click Confirm import.

Manually creating teams

In Cortex, navigate to Catalogs > Teams, then click Import teams.
Choose Create entities manually.
Configure the form:
Configure the team details:
- Type: Select Team.
- Name: Enter a human readable name for your team.
- Identifier: This field is auto-populated based on your entity name. It is a unique identifier for your entity. This is also known as the x-cortex-tag.
- Description: Enter a description of the team to help others understand its purpose.
- Groups: Select groups to segment your entity.
- Members: Select members of your team. Team members will be marked as owners of entities and receive notifications about entities owned by the team if notifications are enabled.
- Links: Add links to external documentation, such as runbooks, docs, logs, or custom categories.
- Slack channels: Link the team's associated Slack channel. If notifications are configured, the team will receive notifications here.
  - You must have the Slack integration configured before linking a channel.
- Parents and Children: Define parent and children teams. This is where you configure the hierarchy for your entity. These can be visualized in the relationship graph.
- On-call: Configure the on-call service associated with this team. When selected, you will see the latest on-call information displayed on the team's details page.
Click Confirm import.

Once you've created a team, you can view it on the Teams page within the hierarchy. If you haven't added parents or children, you can disable View as hierarchy to see the list of all teams.

Adding Cortex-managed teams

You can manually create teams in Cortex and define them in the entity descriptor.

You can also define teams as owners via entity descriptors. See the Ownership documentation for more information.

Team entity descriptor

If your entity is a team, you must specify x-cortex-type as team.

openapi: 3.0.1
info:
  title: Payments Team
  description: This is my cool team.
  x-cortex-tag: payments-team
  x-cortex-type: team

The x-cortex-team tag has two main sections: groups and members.

Adding groups to the team entity descriptor

Use groups to link your team entity with a team on a different platform that you have integrated with Cortex. You can only link one group to a team entity.

For example, you can specify:

openapi: 3.0.1
info:
  title: Example Team
  description: My Cool Team
  x-cortex-type: team
  x-cortex-tag: example-team
  x-cortex-team:
      groups:
      - name: okta-security-team
        provider: OKTA

Under groups, when you specify okta-security-team, your team will contain all the members from your okta-security-team.

Now, if you specify the okta-security-team in your x-cortex-owners on any of your other entities, they will automatically recognize example-team as a team that owns their entity.

Adding team members to the team entity descriptor

openapi: 3.0.1
info:
  title: Example Team
  description: My Cool Team
  x-cortex-type: team
  x-cortex-tag: example-team
  x-cortex-team:
      members:
      - name: Product Manager
        email: product-manager@cortex.io
        notificationsEnabled: true
        roles: 
          - tag: product-manager
      - name: Engineering Manager
        email: engineering-manager@cortex.io
        notificationsEnabled: true
        roles: 
          - tag: engineering-manager
          - tag: manager

Roles must be defined for your workspace in your Entity Settings page, under the "Teams" tab.

The role field in member is optional. In order to be considered valid, a team must have a non-empty group.

Team children

You can define a list of other teams as children, allowing you to represent a hierarchy of how your teams are modeled across your workspace, using the x-cortex-children tag.

openapi: 3.0.1
info:
  title: Payments
  description: This is my cool team.
  x-cortex-tag: payments-team
  x-cortex-type: team
  x-cortex-children:
  - tag: child-team-1
  - tag: child-team-2

This hierarchy is available to look at in the Teams catalog page.

Team parents

openapi: 3.0.1
info:
  title: Payments
  description: This is my cool team.
  x-cortex-tag: payments-team
  x-cortex-type: team
  x-cortex-parents:
  - tag: parent-team-1
  - tag: parent-team-2

Example cortex.yaml

Note: the YAML definition for a team entity can take file names other than cortex.yaml or cortex.yml; see the GitOps example repository structure.

openapi: 3.0.1
info:
  title: Chat Team
  description: Chat team.
  x-cortex-tag: chat-team
  x-cortex-type: team
  x-cortex-team:
      groups:
      - name: okta-chat-team
        provider: OKTA
      members:
      - name: Product Manager
        email: product-manager@cortex.io
        notificationsEnabled: true
      - name: Engineering Manager
        email: engineering-manager@cortex.io
        notificationsEnabled: true
  x-cortex-children: # children can be of type team
    - tag: chat-infra-team
    - tag: chat-sre-team
  x-cortex-slack:
    channels:
    - name: chat-team
      notificationsEnabled: true
      description: This is a description for the chat-team Slack channel # optional
  x-cortex-oncall:
    pagerduty:
      id: ASDF2345
      type: SCHEDULE

Creating teams via the API

You can create, update, and delete teams using the Cortex API.

Edit teams

It is possible to edit entities after creating them:

Navigate to the entity's page.
In the upper right corner, click Configure entity.
Make any desired changes.
- Note: The only field you cannot edit is the identifier.
At the bottom of the screen, click Save changes.

Adding team member roles

You can manually create a team member role:

In Cortex, navigate to Settings > Entities > Teams.
Click Add role.
In the "Add role" modal, configure the role:
- Role name: Enter the role's name.
- Tag: The tag - a unique identifier for the role - automatically populates based on the role name.
- Role description: Enter a description of the role.
- Enable notifications by default: If notifications are enabled, members with this role will receive relevant updates on Scorecards, Initiatives, and more.
Click Save.

Apply role to team members

You can apply a role only to manually-created team members. Team members who were imported from an identity integration will retain the role that was imported.

To apply a role:

In Cortex, navigate to Catalogs > Teams.
Click into a team.
In the upper right corner, click Configure entity.
Click Members.
Next to a team member, click the edit icon.
In the side panel, add a new team role.
Click Update.

Adjusting team settings

Under Settings > Entities > Teams, there are several settings relating to teams:

Enable identity providers

In this section, you can select which identity providers will be used to sync team and team memberships into Cortex.

When importing teams, you will see the option to import from the enabled IdPs listed here.

Auto import teams

When enabled, any discovered teams and team relationships from Workday are automatically imported.

Team ownership entity editing

When enabled, entities can only be edited by specific members of the team that own them. Read more about this feature in Team ownership entity editing.

Give edit access to all team members

When enabled, all team members will be granted edit access. You will not be able to turn off edit access for individual members in your teams configuration when this is enabled.

Team member roles tab

Sync team roles from identity providers

When enabled, Cortex will automatically assign roles to team members based on your enabled identity providers. Leave this option disabled to assign team roles manually.

Add roles

This process is described above, under Adding team member roles.

Azure DevOps

Integrating Cortex with Azure DevOps allows you to:

Automatically discover and track ownership of Azure DevOps entities
Follow a GitOps workflow with Azure DevOps
View information about your Azure DevOps repositories on an entity's details page, including: The repo associated with the entity, recent commits and releases in the event timeline, the most-used language in the files for that entity, the top code contributors, and their number of contributions.
View information about pull requests and work items in the dev homepage
Use Azure DevOps metrics in Eng Intelligence to understand key metrics and gain insight into services, incident response, and more.

How to configure Azure DevOps with Cortex

Prerequisites

Before you get started:

- Analytics: read
- Build: read
- Code: read
  - Code: write
    Code: manage
- Graph & Identity: read
- Work Items: read and write

Configure the integration in Cortex

1. In Cortex, click your avatar in the lower left corner, then click Settings.
2. Under "Integrations", click Azure DevOps.
Click Add configuration.
Configure the Azure DevOps integration form:
- Organization: Enter the slug for your Azure DevOps organization.
- Username: Enter the username for your personal access token.
- Personal access token: Enter your Azure DevOps personal access token.
- Host: Optionally, if you are using a self-managed setup, enter your hostname.
Click Save.

Cortex supports mapping multiple identities for a single user if you have multiple configurations of Azure DevOps. See the Identity mapping documentation for more information.

Enable or disable Azure DevOps work items

How to connect Cortex entities to Azure DevOps

Import entities from Azure DevOps

Editing the entity descriptor

Define a repository

To define an Azure DevOps repository for a given entity, add the x-cortex-git block to the entity's descriptor.

Only one repository can be defined for in a given entity's YAML in the x-cortex-git block.

Define work items

To define Azure DevOps work items for a given entity, add the x-cortex-azure-devops block to the entity's descriptor. If there is no work item registrations, but the entity matches a repository, we will pull in all work items from the repository's project with a tag that matches the Cortex entity name, Cortex entity tag, or the repository name.

Define ownership

Ownership of each entity through Azure DevOps is defined through an owner of type group.

name is a case-sensitive field that corresponds to the upstream identifier of your owner from Azure DevOps.

Define pipelines

You can add Azure DevOps pipelines under the x-cortex-azure-devops block:

Identity mappings for Azure DevOps

Cortex maps users' email addresses to discovered Azure DevOps accounts.

Create a work item from an Initiative issue

Initiatives allow you to set deadlines for specific rules or a set of rules in a given Scorecard and send notifications to users about upcoming due dates.

From the Issues tab of an Initiative, you can automatically create a Azure DevOps work item from a failing rule:

Click Create issue.
In the modal that appears, fill out the form:
- Integration: If you have multiple task tracking tools, select Azure DevOps from the Integration dropdown.
- Name: Enter a name for the configuration.
- Project: Select from the dropdown.
  - Options available in the dropdown are pulled in from the specific Azure DevOps instances configured in Settings.
Choose to include or exclude groups of entities, or define a more advanced filter.

The issue configuration will apply to all entities that meet the filter criteria. Once an entity is passing the rule, Cortex will automatically close the associated ticket.

Expected results

Entity pages

The Azure DevOps integration will populate the Repo detail block on an entity's details page.

In the Recent activity preview, you'll find the recent commits and releases. These will also appear in the event timeline.

These data will appear for entities imported from a Git source or those that have a Git repo defined in their YAMLs.

Events

On an entity's Events page, you can find all of the commits and releases associated with that entity. Each is hyperlinked to the commit or release page in Azure DevOps and includes a timestamp.

CI/CD

From the CI/CD > Azure DevOps page in the entity's sidebar, see a history of pipeline runs.

Repository

You can access more detailed information pulled from Azure DevOps under Repository in the sidebar. At the top of the repository page, you'll find the repo associated with that entity and the most-used language in files for that entity. In the Top contributors block, you'll find the three users who have contributed the most code and the number of their contributions.

In the Commits section, you'll find the 10 most recent commits and metadata about each. Below Commits is the Recent releases section, which includes the 5 most recent releases.

Issue tracking

Dev homepage

Pull requests and work items from Azure DevOps are refreshed every 5 minutes.

Eng Intelligence

Average PR open to close time
Avg time to first review
Avg time to approval
PRs opened
Weekly PRs merged
Avg PRs reviewed/week
Avg commits per PR

Scorecards and CQL

With the Azure DevOps integration, you can create Scorecard rules and write CQL queries based on Azure DevOps work items.

Approvals required to merge

Total number of approval required to merge a pull request into a repository. Defaults to 0 if no approvals are defined.

Definition: git.numOfRequiredApprovals()

Examples

For a security or development maturity Scorecard, you can write a rule to make sure at least one approval is required for a pull request:

By having a rigorous PR process in place for a repo, you can make sure changes aren't made that create vulnerabilities. This kind of rule could also be used in a best practices or project standards Scorecard.

You can also use a similar expression in the Query Builder to find entities lacking approval:

Branches

List all live branches with some basic metadata:

Head
Is protected
Name

Definition: git.branches(): List<GitBranch>

Example

For a development best practices Scorecard, you can make sure that branches associated with an entity match a standard naming convention:

Branch protection details

Find details for a specified branch or default branch if none is specified.

Definition: git.branchProtection(branchName: Text?): GitBranchProtection

Examples

For a security Scorecard, you can write a rule to make sure the default branch is protected:

Or to make sure the main branch is protected:

Because vulnerabilities in the default branch are critical, this rule should be in one of the first couple levels. A higher-level rule might make sure that branch protection checks are set:

You can also use the Query Builder to find entities with unprotected default branches:

Commits

Get the latest commits (to a maximum of 100) for a defined lookback period (defaulting to 7 days).

These results can be filtered based on branch name, using the default branch if no other branch is provided.

Definition: git.commits()

Examples

You can use the git.commits() expression in a security Scorecard to make sure entities have fewer than three commits to a "security-fixes" branch in the last week:

Entities passing this rule will include those that haven't needed three or more security fixes. This can indicate that there aren't vulnerabilities in a given entity's code, but could also suggest that fixes aren't being implemented.

Using this rule in conjunction with one focused on vulnerabilities could provide the extra context needed to gain a better understanding of what's happening.

Default branch

Default branch for the entity's repository or main when null.

Definition: git.defaultBranch()

Examples

If default branches should always be named "main," you can write a rule in a best practices Scorecard to make sure entities are compliant:

File contents

Load the contents of a file from the entity's associated repository.

The contents can be validated by using string comparison operations or parsed by the built-in jq function. The jq function will automatically coerce file contents of JSON or YAML formats.

Definition: git.fileContents(<filename: Text>)

Examples

For a Scorecard focused on development maturity, you could use the git.fileContents() rule to enforce that a CI pipeline exists, and that there is a testing step defined in the pipeline:

A best practices Scorecard, meanwhile, could use this expression for a number of rules:

To make sure node engine version in specified in the package.json file:
To make sure TypeScript projects have a tsconfig.json file checked in:
To make sure projects using yarn do not allow NPM:
And to ensure the yarn version being used is not deprecated:

File exists

Check if file exists from within the entity's associated repository.

Definition: git.fileExists(<filename: Text>)

Examples

For a development best practices Scorecard, this expression can be used for a rule that makes sure developers are checking in lockfiles to ensure repeatable builds:

In the Query builder, you can use this expression with a wildcard to find entities with unit tests enabled:

Or to find entities with an outdated Terraform version:

Has Cortex YAML (GitOps)

When enabling GitOps to manage entity descriptors, Cortex checks for a checked in file ./cortex.yaml at the root directory. This rule can help track migrations from UI editing to GitOps for entity descriptor management.

Definition: git.hasCortexYaml()

Examples

If you're using a Scorecard to track a migration from Cortex UI to GitOps, you can use this rule to make sure entities are set up for GitOps management of entity descriptors:

Git repository set

Check if entity has a registered Git repository.

Definition: git (==/!=) null

Examples

A Scorecard focused on best practices or standards will likely include a rule in its first level making sure a Git repository is set up:

If an entity is failing this rule, it can indicate broader issues with the integration or explain why an entity isn't functioning as expected.

Last commit details

Provides last commit details.

Definition: git.lastCommit()

Examples

Depending on best practices at your organization, you may want to confirm the last commit for a given entity is no older than 3 days:

Confirming whether a service was updated recently can help team members catch outdated code sooner. Plus, if there is a security issue, you can quickly determine which services have or have not been updated to patch the vulnerability.

For a best practices Scorecard, you can also use this expression to make sure the entity's last commit message follows conventional commit guidelines:

List pipelines

List pipelines with metadata, including name, id, url, and project name.

Definition: azureDevops.pipelines()

Examples

You could write a Scorecard rule to ensure that the entity has at least 1 pipeline that scans vulnerabilities:

You could write a Scorecard rule to ensure that the entity has an Azure DevOps pipeline set:

Pipeline build success rate

Percentage of build pipelines that complete successfully.

This is calculated against builds on the default branch for commits in the last 30 days: # successful builds / (# successful + # failed).

Definition: git.percentBuildSuccess()

Examples

This expression can be used in a development maturity Scorecard to write a rule making sure at least 95% of build runs are successful:

Pipeline metrics

List pipelines with metrics. Metrics contains the successRate & averageDuration of a pipeline.

Definition: azureDevops.pipelineMetrics()

Examples

You could write a Scorecard rule to ensure pipelines have a successRate higher than 95%:

Pipeline runs

Get pipelines runs meeting the given filter criteria, which includes results, states. Results include "succeeded", "failed", "canceled", "unknown", states include "completed", "inProgress", "canceling", "unknown".

Definition: azureDevops.pipelineRuns()

Examples

List pipeline runs that are opened and reviewed within 1 day:

Recency of last commit

Calculates the duration of time between Scorecard evaluation and the date of the last commit from the entity's Git repository.

Definition: git.lastCommit().freshness

Examples

One of the first rules you might write for a Scorecard focused on development maturity or security is one validating that the last commit was within the last month:

As counterintuitive as it may seem, services that are committed too infrequently are actually at more risk. People who are familiar with the service may leave a team, institutional knowledge accumulates, and from a technical standpoint, the service may be running outdated versions of your platform tooling.

Reviews

List reviews left during a defined lookback period.

Organization
Repository
Review date
Reviewer

Definition: git.reviews()

Examples

A development maturity Scorecard might use the git.reviews() expression to make sure that there is a rigorous review process in place before changes are implemented:

This rule makes sure that there are more than 25 reviews left in the last week.

Search repository files

Find all instances of code search query from within a repository.

Can filter by path, file name (extension required in file name), or extension. Filters can use * for glob matching. Supplying a query is required.

Definition: git.codeSearch((query = <query: Text>) (, path = <path: Text>) (, fileName = <fileName: Text>) (, fileExtension = <fileExtension: Text>)): List<GitSearchResult>

Examples

You can use the git.codeSearch() expression to query for entities that have certain components, like icons:

Top repository language

Find top used language for a repository, if available.

Definition: git.topLanguage()

Examples

Let's say the primary language developers should be using is Kotlin. You can write a rule to make sure that the top language associated with entities is Kotlin:

You can also use this expression to query for entities that don't have Kotlin as the top language to identify those that need to be updated:

Work items

Number of unresolved work items associated with the entity, where unresolved is defined as the WIQL [System.State] NOT IN ('Closed', 'Done', 'Completed', 'Inactive', 'Removed').

Definition: azureDevops.workItems()

Examples

For a Scorecard measuring entity maturity, you can use this expression to make sure entities have fewer than 10 Azure DevOps work items:

Work items from WIQL query

Number of work items associated with the entity based on arbitrary WIQL query.

Definition: azureDevops.workItems(query: Text | Null)

Examples

For a more specific rule in an entity maturity Scorecard, you can use this expression with a WIQL query to make sure entities have no more than 3 tickets with "Doing" status and highest priority.

Background sync

Cortex conducts a background sync of Azure DevOps identities every day at 10 a.m. UTC. Pull requests and work items are refreshed every 5 minutes.

The following options are available to get assistance from the Cortex Customer Engineering team:

Chat: Available in the Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

AWS

Amazon Web Services (AWS) provides on-demand cloud computing platforms and APIs.

Integrating Cortex with AWS allows you to:

Track AWS entities in the catalog
Automatically discover and track ownership of AWS entities and dependencies
- You can also enable auto-import of any discovered entities of known types.
Create Scorecards that track progress and drive alignment on projects involving your AWS resources

If you are on a self-hosted Cortex instance, see the On-premises AWS setup page.

How to configure AWS with Cortex

Step 1: Configure the integration in Cortex

In Cortex, navigate to the AWS settings page:
1. In Cortex, click your avatar in the lower left corner, then click Settings.
2. Under "Integrations", click AWS.
Click Add configuration.
In the modal, the JSON configuration, Cortex AWS account ID, and External ID are displayed. Keep this browser window open, as you will need these in the next steps.

Step 2: Set up an IAM policy in AWS

For each account:

Log in to your AWS Management Console and open the IAM console.
Click Policies, then choose Create policy.
Switch to the JSON editor. Copy the JSON starting policy from Cortex, and paste it into the JSON editor.
- This policy allows Cortex to list all resources, resource types, and resource tags.
- If you are pulling in ECS resources, add the following actions to the JSON policy:
```
"rds:Describe*",
"rds:List*",
"s3:Describe*",
"s3:List*"
```
For each resource type that you want to import into Cortex, add policies for reading that type of AWS resource.
- For example, if you want to import resources of type "AWS::IAM::Role", we'll need to have permission to "iam:ListRoles", "iam:ListAttachedRolePolicies", "iam:GetRole", and "iam:ListRolePolicies". Because this is a dynamic feature, Cortex does not automatically determine this. One option is to start with ReadOnlyAccess permissions and remove sensitive permissions as deemed necessary.
Click Review Policy, enter a name, then click Create Policy.

See the AWS documentation for more information: Create IAM policies.

Step 3: Create a role in AWS

This section is specific to cloud-based Cortex accounts. If you are on a self-hosted Cortex instance, please see the AWS account setup guide for self-hosted Cortex.

In AWS, navigate to Roles > Create Role.
For the trusted entity type, select Another AWS account.
In the Account ID field, enter the Cortex AWS account ID that was displayed in Cortex in the earlier steps.
Click Require External ID, then enter the Cortex external ID that was displayed in Cortex in the earlier steps.
Click Next.
Select your newly created policy, and click Next.
Enter a name for your role. Optionally, configure tags. When you are finished, click Create Role.
Search for your new role in the list and copy its name. You will need this in the next steps.
In the upper right corner of AWS, click your name. In the dropdown that appears, copy your AWS account ID. You will need these in the next steps.

Note that if you use multiple AWS accounts, they will share a common rotatable externalId.

Step 4: Finish the configuration in Cortex

Navigate back to the browser window containing your Cortex AWS settings page.
Configure the AWS integration form:
- Account ID: Enter the AWS account ID you obtained in the previous steps.
- IAM role: Enter the role name you obtained in the previous steps.
Click Save.

Step 5: Resource types setup

Cortex will pull all the types you included in the IAM policy under the Cloud Control types field in the Settings section. If resource types aren't appearing in the list, there is likely a permission issue, and the role isn’t set up to discover Cloud Control types. Make sure that "cloudformation:ListTypes", "cloudformation:ListResources", and "cloudformation:GetResource" are added to the IAM policy, so Cortex can pull the list of all available types from AWS.

To select your cloud control types:

In the Cloud control types field, select the types you want Cortex to discover/import.
Click Save cloud control types.

Some Cloud Control types are not currently supported. If the type you're looking to import is in the list, please reach out to support@cortex.io to submit a feature request.

AWS::ApiGateway::DocumentationVersion
AWS::ApiGateway::Step
AWS::CloudFormation::ResourceVersion
AWS::CustomerProfiles::Integration
AWS::CustomerProfiles::ObjectType
AWS::EC2::TransitGatewayMulticastGroupMember
AWS::EC2::TransitGatewayMulticastGroupSource
AWS::ECS::TaskSet
AWS::ElasticLoadBalancingV2::Listener
AWS::ElasticLoadBalancingV2::ListenerRule
AWS::Glue::Attach::SchemaVersion
AWS::Glue::Attach::SchemaVersionMetadata
AWS::IoTSiteWise::AccessPolicy
AWS::IoTSiteWise::Dashboard
AWS::IoTSiteWise::Project
AWS::Kendra::DataSource
AWS::Kendra::Faq
AWS::MediaConnect::FlowEntitlement
AWS::MediaConnect::FlowOutput
AWS::MediaConnect::FlowSource
AWS::MediaConnect::FlowVpcInterface
AWS::MediaPackage::Asset
AWS::MediaPackage::PackagingConfiguration
AWS::NetworkFirewall::LoggingConfiguration
AWS::QuickSight::Analysis
AWS::QuickSight::Dashboard
AWS::QuickSight::DataSet
AWS::QuickSight::DataSource
AWS::QuickSight::Template
AWS::QuickSight::Theme
AWS::RDS::DBProxyTargetGroup
AWS::S3Outposts::AccessPoint
AWS::S3Outposts::Bucket
AWS::SSO::Assignment
AWS::SSO::InstanceAccessControlAttributeConfiguration
AWS::SSO::PermissionSet

How to connect Cortex entities to AWS

Enable automatic import of AWS entities

You can configure automatic import from AWS:

In Cortex, navigate to the Entities Settings page.
Next to Auto import from AWS, Azure, and/or Google Cloud, click the toggle to enable the import.

If you do not have automatic import enabled, you can manually import.

Limit discovery to specific regions

By default, Cortex will search for resources across all AWS regions, but you can limit that to specific regions in the Cortex AWS settings page.

Import entities from AWS

See the Create services documentation for instructions on importing entities.

Discover dependencies for AWS

Cortex automatically discovers dependencies between your services and resources by scanning for resources with specific AWS tags. By default, a service will have dependencies on any Cortex resource that has a corresponding AWS resource with AWS tag key = "service" and tag value = the service's Cortex tag. In your Cortex settings under the AWS integration section, you can customize the tag key names, or leave them blank to use "service" as the key name.

Cortex syncs AWS tags daily at 8 a.m. UTC. To manually refresh the tags, navigate to the relationship graph in your workspace, click the menu in the upper right corner, then click Sync dependencies.

Use key/value pairs in the entity descriptor for discovery

You can also use explicit tag key/value pairs in the x-cortex-dependency block for AWS dependency discovery. Instead of making a service depend on a resource based on service tags, Cortex will make a service depend on a resource if any of the resource's AWS tags match the explicitly defined key/value pairs in the service's x-cortex-dependency block. For example, the service below will have dependencies on any AWS resource with tag (key = aws:cloudformation:my-key-1, value = arn:aws:cloudformation:my-region:my-value-1) or tag (key = aws:cloudformation:my-key-2, value = arn:aws:cloudformation:my-region:my-value-2).

x-cortex-dependency:
  aws:
    tags:
      - key: my-key-1
        value: my-value-1
      - key: my-key-2
        value: my-value-2
      - key: "aws:cloudformation:my-key-1"
        value: "arn:aws:cloudformation:my-region:my-value-1"
      - key: "aws:cloudformation:my-key-2"
        value: "arn:aws:cloudformation:my-region:my-value-2"

For more information on dependencies, see the Dependencies documentation.

Discover ownership for AWS

Cortex can automatically discover ownership for your AWS resources. To enable this, make sure that your AWS resources have a tag matching the x-cortex-tag of the corresponding Cortex team and enable the “Sync ownership from AWS” toggle in the Settings page. By default, we look for the owner tag. You can also customize the tag key name.

Cortex syncs ownership from AWS every day at 6 am UTC.

Editing the entity descriptor

You can associate a Cortex entity with one or more AWS entities. For certain AWS resource types, Cortex will display those AWS entities' metadata on the Cortex entity page.

x-cortex-infra:
  aws:
    arns:
      - arn:aws:rds:us-east-1:229540587644:cluster:alpha
      - arn:aws:rds:us-east-1:229540587644:cluster:bravo

Multiple ECS services on a single entity

You can associate a Cortex entity with multiple ECS services:

x-cortex-infra:
  aws:
    ecs:
      - clusterArn: abcd
        serviceArn: efgh
      - clusterArn: stuv
        serviceArn: wxyz

The values for clusterArn and serviceArn are defined in ECS.

Discovery audit

Cortex will pull recent changes from your AWS environment into the discovery audit. Here, you can find new entities in AWS that have not been imported into the catalog - these will have the tag New AWS Resource - as well as entities in the catalog that no longer exist in AWS - these will have the tag AWS Resource Not Detected.

Searching AWS entities in Cortex

The following keys are supported when searching for your AWS entities in Cortex under Catalogs > All Entities:

aws-account-id - Account ID number
aws-account-name - Account alias
aws-region - AWS region of the resource
aws-type - AWS type of the resource
aws-name - AWS name of the resource
aws-identifier - The primary identifier of a resource
aws-secondary-identifier - The secondary identifier of a resouce

Example search queries

aws-type:"AWS::EC2" AND aws-region:"us-west": Search for entities of category EC2 in the any of us-west regions
aws-account-id: "234512324": Search for all entities from the account 234512324
aws-name:"aws-identifier-of-resource" AND aws-account-name:"test-account": Search for entity with identifier aws-identifier-of-resource in the account with alias test-account

Scorecards and CQL

With the AWS integration, you can create Scorecard rules and write CQL queries based on AWS resources.

See more examples in the CQL Explorer in Cortex.

AWS details

Get the AWS details for an entity

Definition: aws.details(): Object

Example

In a Scorecard, you can create a rule to verify that an entity of type lamda has a correct function name:

aws.details().resources.filter((resource) => resource.typeName == "AWS::Lambda::Function").length > 0

You could also create a rule to verify that an entity is not using deprecated runtimes:

aws.details().resources.filter((resource) => resource.typeName == "AWS::Lambda::Function" and resource?.metadata?.get("Runtime")?.matchesIn("(python3\\.6|python2\\.7|dotnetcore2\\.1|ruby2\\.5|nodejs12\\.|nodejs10\\.|nodejs8\\.10|nodejs4\\.3|nodejs6\\.10|dotnetcore1\\.0|dotnetcore2\\.0|nodejs4\\.3-edge|nodejs$)")).length == 0