1 of 100

Cortex Docs

Cortex Documentation

Ship reliable software, faster, with AI

Cortex is the AI-powered internal developer portal (IDP) that helps engineering teams ship reliable, secure, and efficient software, faster. It uses AI to make sense of your engineering data, figure out the next unlock for your team, and solve it — all in one place.

Get started with Cortex

Get started in minutes with Cortex's .

Cortex video overview

See an overview of Cortex below:

Accelerate the path to Engineering Excellence

We believe the foundation for Engineering Excellence starts with clear ownership and accountability. With ownership in place, drive complete visibility through the catalogs, a culture of continuous improvement using and , and consistent developer experience through self-service .

Learn how organizations drive Engineering Excellence with Cortex:

VELOCITY

Track, standardize, and accelerate developer productivity, maintain high code quality, and keep systems reliable.

Monitor cycle time, PR throughput, code coverage, and velocity trends with Eng Intelligence and dashboards.
Set clear standards and enforce best practices across teams and services with .

EFFICIENCY

Align everyone to the same standards and provide structured ways to meet them.

Use to measure and set standards for consistency, resource utilization, and migrations.
Use to ensure that teams are aligned and migrations are completed.

SECURITY

Continuously check services for security best practice adherence and drive patches with clear ownership and accountability.

Monitor encryption, dependency health, and vulnerability status with customizable Security Compliance templates.
Remediate vulnerabilities and compliance by priority and deadline with clear .

RELIABILITY

Validate that every service meets operational requirements, continuously improve day-to-day operations, and give teams the context and tools to respond quickly when incidents happen.

Automate readiness and operational maturity with customizable templates.
Track DORA metrics and MTTR using dashboards.

Get Started

Connect data

Overview: Ingesting data into Cortex

Getting your data into Cortex is the foundation for data-driven decision making and improved accountability across your teams.

By connecting your services, repositories, teams, infrastructure, and more, Cortex can provide a complete, up-to-date view of your ecosystem. This powers the ability to track ownership of entities, enforce production readiness and other standards via , standardize common developer for entities, and more. It also ensures your developers can find what they need, understand how everything fits together, and make better decisions at every stage of the development lifecycle.

How Cortex handles data modeling

Some internal developer portals start with too much rigidity or too little guidance. A rigid platform prevents you from correctly modeling relationships between key entities in your environment. An overly modular approach requires you to rebuild business logic for each use case, resulting in the same fractured experience you intended to solve for.

YAML linter tool

The Cortex YAML linter validates your cortex.yaml files for both general YAML syntax and Cortex-specific schema requirements, helping prevent ingestion of invalid or incomplete data into the platform.

This page references the built-in tool in the Cortex UI under Tools > YAML Linter. Note that there is also a linter tool built in to the Cortex GitHub app, which runs checks on pull requests when you use GitHub in a .

Using the YAML linter

Adding entities

In this section, learn how to add each of the built-in entity types and dependencies, and how to create a custom entity type and add custom entities:

Grouping entities

Groups are a tagging system that can be used to group a set of together, enabling a variety of use cases including:

Tagging
- Use groups to segment entities.
- For example, you could segment by tiers (tier-0 to indicate high priority), type (backend, frontend, library, API), or language (Python, Java).

Viewing discovered entities

You may have over a hundred repositories in GitHub, and eventually, you will likely import all of them into Cortex. This much information can make it difficult to know at a glance that all repositories are accounted for and all new projects are being imported into and tracked within Cortex.

The discovered entities list (formerly known as the discovery audit) guarantees confidence in your catalogs by listing all changes that Cortex has detected. Cortex compares everything that exists within the system to what it discovers within your git tool, APM tool, Kubernetes cluster, and other crucial integrations, giving you insight into changes happening across your environments.

View the discovered entities

You can view discovered entities under Catalogs > All entities in the Discovered entities tab.

On this page, see a list of recent changes in your environment that aren't yet reflected in Cortex, including newly created repositories, services, and resources discovered from your integrations.

Filter the discovered entities list

The first time you view the discovered entities list, there may be a lot to review. To narrow the scope of your list and start with changes that are the highest priority for you, search or filter the list by integration or entity type.

To search, enter text into the search bar in the upper right corner of the list.
To filter, click Filter in the upper right corner of the list. Select your filtering criteria, then click Apply.

Importing and removing entities

Cortex will tag detected changes to signify whether an entity or repository has been discovered, archived, or deleted.

You can import, delete, or ignore the entities listed in Discovery audit.

Import discovered entities

If Cortex detects a new service or resource, you can import it directly from this page:

Click + in the row containing the new entity:
Configure the entity details.
- For detailed instructions on creating a new entity, see the relevant docs page for the entity type: , , .

Delete discovered entities

If Cortex no longer detects a given entity, you also have the ability to delete that entity or repository directly from this page:

Click the trash can icon in the row containing the entity:\
In the confirmation window, click Delete.
- The confirmation window gives you the opportunity to review all potentially impacted services before deleting, so you don’t unintentionally remove something from Cortex.

Ignore discovered entities

If an event appears within the discovered entities list, but is irrelevant — for example, a test project that doesn’t need to be imported into Cortex — you can ignore it:

Click the hide icon in the row containing the entity:\

The entity will now appear in the Ignored tab. The ignore action is persistent, so the event won’t appear again within the discovered list.

From the ignored list, you can move the entity back to the Discovered tab by clicking the eye icon.

Troubleshooting and FAQ

Why do I not see all of my services from my APM provider in the discovered entities list?

Cortex supports a subset of integrations within the discovered entities list:

Datadog
ECS
Version control (Azure DevOps, Bitbucket, GitHub, GitLab)
Instana

Archiving entities

Archiving an entity allows you to remove it from active use while preserving its history and context.

You can configure Cortex to automatically archive entities when they are no longer detected in your integrations or when their corresponding YAML files are deleted. We recommend enabling this feature to keep your data up-to-date without manual effort. Learn more in Auto archiving entities.

It's also possible to manually archive entities in the Cortex UI or via the Cortex API, as described below.

How to archive and unarchive entities

To archive entities, your user or API key must have the Archive entities permission. To unarchive entities, your user or API key must have the Configure entities permission.

Navigate to an in Cortex.
Click the 3 dots menu at the top of the page, then click Archive entity.
In the confirmation window, click Archive.

To un-archive an entity:

How archived entities are handled in Cortex

Archived entities are not included in the following Cortex features:

and
features, including CQL reports and query builder

The "All entities" and Catalogs pages

By default, archived entities do not appear in the lists on "All entities" or in catalogs, but you can choose to include archived entities in your view.

To include archived entities:

Click Display at the top of the list.
Toggle on the setting for Show archived.

Note that this setting is not persistent when you navigate away from the page.

An entity details page

On an , if a related dependency, child entity, or parent entity has been archived, it will not be displayed under Relationships in the entity's sidebar.

If the entity itself has been archived, you will see an "Archived" flag appear next to its name:

Entity configuration

While configuring an entity, you cannot add an archived team as an owner. You cannot add archived entities as dependencies or as parent or child entities.

The discovered entities list

Cortex will tag detected changes to signify whether an entity or repository has been archived. Learn more in .

Using On-call Assistant for incidents

Cortex’s On-call Assistant leverages the to automatically surface the most vital information about entity health and metadata when an incident is triggered. On-call Assistant notifies the user(s) responsible for an incident via Slack, including information about the affected entity, recent deployments, ownership, and links to get more details, including dependencies, runbooks, and logs.

On-call Assistant helps users respond to incidents in real time, simplifying the incident response process and helping to reduce MTTR. It can also drive adoption and engagement through links to the catalogs and Scorecards.

How On-call Assistant works

Manage entities using Cortex Terraform Provider

The Cortex Terraform Provider acts as a bridge between Terraform and the Cortex platform, allowing you to manage and provision Cortex resources (such as Scorecards, integrations, and entities) using Terraform’s infrastructure-as-code approach. The provider is a wrapper around the public Cortex API and is maintained by the Cortex team, with shared ownership and ongoing support for customers who use it.

Cortex integrates with Terraform in two different ways, depending on whether you want to manage Cortex resources using Terraform, or use Cortex to drive Terraform runs for your infrastructure.

To learn about using Cortex to drive Terraform runs, see Managing Terraform infra in Cortex.

Managing the catalog as code

Many Cortex customers manage their entire service catalog and engineering standards as code using the Cortex Terraform Provider.

Expand the tiles below for examples on how to handle different use cases with this approach.

Service catalog as code

Goal: Any time a new microservice or app is created (via a Terraform module, template repo, or platform workflow), it’s automatically added to the Cortex catalog with the right metadata and ownership. How to do it:

Use the cortex_catalog_entity resource to create and update services, libraries, or other catalog entities from Terraform.

Scorecards and standards as code

Goal: Treat operational standards (SRE, security, compliance, production-readiness gates) as code that lives next to infrastructure, reviewed via PRs and rolled out safely. How to do it:

Define scorecards via the cortex_scorecard resource. It supports:

API contracts and org model as code

Goal: Ensure that API documentation and org metadata are always in sync, accurate, and consistent across environments. How to do it:

Use cortex_catalog_entity_openapi to attach OpenAPI specs (YAML/JSON) to catalog entities in Cortex, keyed by the entity’s tag/ID.
Keep department and ownership structure in Terraform via

Install the Terraform Provider for Cortex

For installation instructions, see the .

Examples

See .

BambooHR

Overview

is a Human Resources Information System (HRIS) solution that allows you to define organizational membership. Integrate Cortex with BambooHR to automatically sync team memberships, giving you insight into entity ownership.

How to configure BambooHR with Cortex

CircleCI

is continuous integration and continuous delivery platform that can be used to implement DevOps best practices.

Integrating CircleCI with Cortex allows you to:

in Cortex
Create that track progress and drive alignment on projects involving your CircleCI data

Coralogix

Overview

Coralogix is an observability and security platform. Integrate Cortex with Coralogix to drive insights into alerts.

After setting up the integration, relevant alerts from Coralogix will appear in your entity pages. While viewing an entity, click Integrations > Coralogix in its sidebar to view the list of alerts.

How to configure Coralogix with Cortex

Prerequisites

Before getting started, generate a .

Step 1: Configure the integration in Cortex

In Cortex, navigate to the
- Click Integrations from the main nav. Search for and select Coralogix.
Click Add configuration.
Configure the Coralogix integration form:

How to connect Cortex entities to Coralogix

Discovery

By default, Cortex will use the entity name or (e.g. my-service) as the "best guess" for the Coralogix alert application name. For example, if your entity name is "My Service" and your Cortex tag is “my-service”, then the corresponding application name in Coralogix should be “My Service” or "my-service".

If your Coralogix application names don’t cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

Editing the entity descriptor

Coralogix alerts can be listed in the Catalog under the Coralogix section. We support application names in the YAML for pulling Coralogix alerts.

Using the Coralogix integration

Scorecards and CQL

With the Coralogix integration, you can create Scorecard rules and write CQL queries based on Coralogix alerts.

See more examples in the in Cortex.

Check if Coralogix application is set

Check if entity has a registered Coralogix application in its entity descriptor. If no registration exists, we'll try to automatically detect which corresponding Coralogix application is associated with the entity.

Definition: coralogix (==/!=) null: Boolean

Example

You could write a rule that checks whether an entity has a Coralogix application set:

Alerts

List of alerts, filterable on status

Definition: coralogix.alerts(): List

Example

You could write a rule that checks whether an entity has at least 3 alerts:

You could write a rule that checks whether an entity has no alerts and status triggered:

View integration logs

Grafana

Grafana is an open-source observability platform that provides monitoring and visual analytics for application performance. Use Grafana to visualize your data, from bar charts and histograms to pie charts and geomaps.

Integrating Grafana with Cortex allows you to:

View Grafana charts on entity pages in Cortex
Create Scorecards that include rules related to Grafana dashboards

How to configure Grafana with Cortex

Prerequisites

Before getting started:

Your Grafana dashboard must have .
Your OR if you are on a instance, then Cortex and Grafana must be accessible within the same private network (such as a VPN).
- You will need the public embed link provided in the iframe snippet.

Embed the chart in an entity's YAML file

Define the public embed link in the for each entity where you want to embed a chart.

For the entity where you want to embed a chart, open its YAML file.
- You can do this locally if following a approach, or you can edit a YAML file directly in the Cortex UI on the .
Add the x-cortex-dashboards block. Include the type (grafana) and the url

Field

Description

Required

Repeat the steps above for each entity you want to add a Grafana chart to.

Using the Grafana integration

Viewing Grafana charts on an entity

Once you've defined the chart in an entity's YAML, you can view the graphs from an .

In an entity's sidebar, click Dashboard. All charts defined in the entity descriptor will be embedded on this page.

Scorecards and CQL

With the Grafana integration, you can create Scorecard rules and write CQL queries based on Grafana charts.

See more examples in the in Cortex.

Embeds

Query against embeds associated with an entity.

Definition: embeds()

Example

If Grafana charts are a core part of operations at your organization, you can set a Scorecard rule to make sure entities have embedded charts.

View integration logs

Background sync

Grafana charts are updated in real time.

FAQs and troubleshooting

I've correctly added the embed URL, but the graph is showing an error or a blank screen.

You may need to in your Grafana instance.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Humanitec

Humanitec offers products to build on top of your Internal Developer Portal (IDP) for containerized workloads.

Integrating Humanitec with Cortex allows you to run a Humanitec pipeline directly from Cortex.

How to integrate Humanitec with Cortex

Prerequisites

Before getting started:

You should have an app with a working pipeline configured in Humanitec.
Create a service user in Humanitec, and create an for the service user.

Step 1: Create a Workflow in Cortex

Follow the instructions to and .
Add an HTTP request block to your Workflow. Configure the block:
- Block name: Enter a descriptive name for the block.
- Slug: Enter a unique identifier for the block.

Alternatively, you can also use an Async HTTP request block in your Workflow, using the to call back to Cortex.

Step 2: Run the Workflow

At the top of your Workflow in Cortex, click Run.

In your Humanitec workspace under your app's pipelines, you will see the run listed under the Runs tab:

Example using Cortex with AWS, Humanitec, and Terraform

See the video below where a member of the Humanitec team walks through advanced end-to-end setup on AWS using Cortex, Humanitec as the orchestrator, and Terraform modules deployed via ECS runners. The video demonstrates detecting a policy violation and remediating it.

Instana

Overview

IBM Instana Observability is a tool used for monitoring and performance management. Integrate Instana with Cortex allows you to pull in services from Instana.

How to configure Instana with Cortex

Prerequisite

Before getting started, .

Configure the integration in Cortex

In Cortex, navigate to the :
1. Click Integrations from the main nav. Search for and select Instana.
Click Add configuration.
Configure the Instana integration form:

How to connect Cortex entities to Instana

Import services from Instana

Cortex automatically syncs from Instana APM at 7 a.m. UTC.

See the for instructions on importing entities.

Import Instana services from Discovery audit

Cortex will pull recent changes from Instana into the . Here, you can find new entities in Instana that have not been imported into the catalog.

View integration logs

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Jenkins

is an open source automation server which enables developers to build, test, and deploy software.

Integrating Jenkins with Cortex allows you to:

Send information about Jenkins deploys into Cortex
- This data appears on .
Use

Okta

Overview

Okta is an identity and access management (IAM) platform. Integrate Cortex with Okta to drive insights into authentication and ownership.

After configuring the integration, you can set Okta teams and team members as owners of entities.

For information on configuring Okta SSO or Okta SCIM for logging in to Cortex, see the Okta SSO documentation and Okta SCIM documentation.

How to configure Okta with Cortex

Prerequisites

Before getting started:

An Okta administrator, with at least the permissions, must .
- Grant the following scopes for the API token:
  - okta.groups.read

Configure the integration in Cortex

In Cortex, navigate to the :
- Click Integrations from the main nav. Search for and select Okta.
Click Add configuration.
Configure the Okta integration form:

How to connect Cortex entities to Okta

Import teams from Okta

See the for instructions on importing entities.

Team data syncs from Okta daily at 3 p.m. UTC.

Editing the entity descriptor

The group name is case-sensitive and should be exactly the same as in Okta.

Using the Okta integration

Scorecards and CQL

With the Okta integration, you can create Scorecard rules and write CQL queries based on Okta teams.

See more examples in the in Cortex.

All ownership details

A special built-in type that supports a null check or a count check, used to enforce ownership of entities.

Definition: ownership: Ownership | Null

Example

An initial level in a security Scorecard might include a rule to ensure an entity has at least one team as an owner:

All owner details

List of owners, including team members and individual users, for each entity

Definition: ownership.allOwners()

Example

The Scorecard might include a rule to ensure that entity owners all have an email set:

Team details

List of teams for each entity

Definition: ownership.teams(): List<Team>

Example

The Scorecard might include a rule to ensure that an entity owners all have a description and are not archived:

View integration logs

Background sync

Cortex conducts an ownership sync for Okta teams every day at 3 p.m. UTC.

Troubleshooting and FAQ

I've added an API token but the login is still using Google.

To set up Okta for SSO, use the .

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Sumo Logic

Overview

is a cloud-based observability platform that provides log management and analytics. Integrate Sumo Logic with Cortex to drive insights into service-level objectives (SLOs).

How to configure Sumo Logic with Cortex

Standardize

Scorecards

Use Scorecards to establish best practices, track migration, promote accountability among teams, enforce standardization across entities, or define maturity standards.

Define

First, you create a Scorecard to set rules and define standards.

Learn more: .

Assess

Scorecard rule filters

Rule filters allow you to apply a Scorecard rule only to specific entities. It's helpful to use a rule filter when a rule doesn’t apply to every entity or every group.

You can apply a filter in the Cortex UI while building out your Scorecard rules, or you can write a custom CQL query to filter your rule.

How to set up a Scorecard rule filter

When setting up a rule for a Scorecard, click and expand Restrict rule to specific groups.
Select the relevant groups to include or exclude.
- Or, if you prefer to write a CQL query, click Switch to CQL under the group fields.
Click Save rule.

See the for instructions on the overall process of creating a Scorecard.

You can also edit an existing Scorecard to add a filter to a rule.

Example Scorecard rule filter

For example, let's say that entities in the "billing" group don't need to have SLOs set up properly.

In the rule "Has SLOs set up," apply a filter to exclude the "billing" group:
After saving the rule with the excluded group, view the Scorecard. Any entities in the "billing" group will not be scored against the "Has SLOs set up" rule. The rule will not appear as a passing or a failing rule; it will not be included at all.

View the filter on the Scorecard home page

Once a rule filter has been applied, you can still see it on a Scorecard’s home page. Navigate to the Rules tab and expand the rule to confirm it has been exempted.

Using JQ in Cortex

JQ is a lightweight, flexible command-line JSON processor that allows users to do arbitrary JSON manipulations.

Cortex leverages JQ within CQL to enable complex queries, including queries on YAML files. For instance:

The above query would cycle through the foo object and retrieve the length of all .property components. This type of query is often used on Kubernetes resources.

JQ and datatypes

JQ can provide additional flexibility around data types. For instance, let's say you have a string associated with a numerical value in your Custom Data.

If you wanted to query on the line value as a number rather than string, the following JQ functionality could be used within CQL:

This would result in the respective entity passing this CQL check.

JQ examples

The following examples demonstrate ways you could use JQ in Cortex:

Use JQ to implement conditional logic for selecting file paths dynamically

This checks if custom git data exists, uses the custom dockerfile path if present, or falls back to the default "Dockerfile" path.

Accessing properties with special characters

Use bracket notation to access JSON properties containing dots, slashes, or other special characters:

Handling null values

Prevent errors by checking for null values before accessing properties:

For Scorecard rules, you can use a similar approach:

Wildcard pattern matching

Find packages containing specific strings using the matches() function:

Finding team members by role

Filter team members by role using JQ:

Handling complex YAML structures

When working with complex YAML files like GitLab CI configurations:

Extract the scheme of an AWS load balancer for resource metadata

Or, for nested metadata:

Extracting version from pom.xml file

This query extracts the version number from a Maven pom.xml file. You might use this to automate dependency version checks:

Display a parent entity name in a CQL report

This query would allow you to display a parent entity name value, rather than an array, in a CQL report:

Improve

Dashboards

Eng Intelligence Dashboards provide engineering leaders and teams with real-time visualizations into key metrics, velocity and productivity trends, incident and quality insights, and historical organzation-wide rollups. Dashboards are natively integrated with your Cortex catalog, Scorecards, and Initiatives, allowing you to move from insight to action.

See the documentation linked below to learn more about each dashboard:

: Visualize the four key DORA metrics: Cycle time, deployment frequency, change failure rate, and MTTR.
: Monitor version control metrics such as PR cycle time, PR size, and PR success rate, giving insight into your process efficiency and areas to target for improvement.

Cortex MCP

Cortex MCP is a Model Context Protocol server that provides access to the Cortex API. It uses relevant context from your workspace, ensuring awareness of your system's structure when answering your questions.

You can query information in natural language, powering faster decisions and efficient processes. For example:

Who is the right person to handle an incident with backend-server?
Show me the services that belong to the platform engineering team
Show me the currently active Scorecards and how example-entity is performing. Give me ideas on how I can improve them
We're having an incident with backend-server, give me a summary of information to help handle the incident
What's going on with my Git migration Scorecard?
I want to run an initiative to migrate our company to using GitHub actions. Help me figure out how to do this in Cortex
As someone on the security team, is there anything I should be worried about in my org?

Learn about and see below.

Use Cortex MCP with Devin Cortex MCP is . Cortex MCP identifies the work that needs to be done, and Devin autonomously performs the work — creating PRs, updating documentation, and refactoring code — to bring your services into compliance. .

Cortex MCP demonstration video

See a demonstration of how you can use Cortex MCP to get quick answers without having to switch tools:

How to configure Cortex MCP

You can host the MCP server locally, or you can use a remote implementation.

Prerequisites

Before getting started:

in Cortex.
You should have an MCP-compatible client installed, such as , , or .
- Paid subscriptions to MCP clients generally give you a larger context window, but the free versions of these clients should suffice.
If hosting the MCP server locally, you should also have

Configure the MCP

Step 1: Install Cortex MCP

Run the following command:

Step 2: Configure your MCP client

Looking for IDE-specific setup? Our has detailed configuration steps for Claude Desktop, Cursor, VS Code, and other MCP clients.

Update your MCP client's configuration file. Make sure to include your Cortex access token value for the CORTEX_API_TOKEN argument:

Alternate option: Create and configure the file in terminal

After updating your configuration, restart your MCP client.

Self-managed additional configuration

If you are a , you must also set CORTEX_API_BASE_URL=https:// alongside the CORTEX_API_TOKEN variable.

Self-managed configuration example

Set the CORTEX_API_BASE_URL to your backend host URL.

If you are running a self-hosted instance with CA-signed certificates, you may need to mount them to the container as seen in the example below:

Using Cortex MCP

Start a new chat

In your MCP client, ask a question about your Cortex workspace. The client will use the to provide detailed answers based on your data.

For example:

You might ask what's going on with a specific Scorecard. The MCP client will respond with an overview, Scorecard structure information, a progress summary, and suggestions for next steps.
You could ask about the custom data that an entity has. The MCP client will respond with that entity's custom data and information about when it was created:
You could ask about the dependencies an entity has. The MCP client will respond with a list of incoming and outgoing dependencies:

Available MCP tools

Cortex MCP can use the following endpoints:

Additional tools:

getMyWorkspace: this tool supports the "Mine" capabilities that are available in the Cortex UI. With this tool, you can ask questions like, "Show me my Cortex entities" or "Tell me how my entities are performing against the Production Readiness Scorecard." This tool is enabled by default.

Eng Intelligence metrics in MCP

metrics are also available to Cortex MCP as part of the AI Chief of Staff feature. This brings metric data directly into the Cortex MCP, enabling richer AI-assisted insights, not only into engineering performance, but across your entire Cortex ecosystem. It allows you to be a more proactive leader and enables more data-driven planning sessions.

To query Eng Intelligence metrics in MCP:

Ensure you have the latest Cortex MCP version configured in your environment. Once enabled, the MCP will automatically include endpoints for Eng Intelligence metrics. You can then query Eng Intelligence metrics alongside ownership, Scorecard, and Initiative information. For example:

Evaluate my DORA metric performance in Q3. Highlight where the team is performing well and bring areas of improvement to my attention
Which services have concerning MTTR trends, and what scorecard gaps are contributing?
Recommend initiatives and scorecard changes I could consider to address my upward trend in incidents
Review last quarter’s performance against our goals, identify the top three bottlenecks, and suggest changes to our scorecards to address them

Learn how the AI Chief of Staff helps leaders move from viewing data to acting on it:

Enable and disable provided tools

Before submitting questions or commands, you may want to limit the number of provided tools being used by the MCP provider. For example, you might only want to use the MCP to ask about entities but you do not want to allow questions about Scorecards.

In the settings of your MCP client, it is possible to limit which Cortex tools are being used.

Claude example

For example, in Claude desktop:

Navigate to Settings > Connectors > Cortex > 3 dots icon > Tools and Settings.
Under PROVIDED TOOLS, toggle off the options you don't need.

Crafting effective MCP prompts

Best practices

The Cortex MCP becomes more powerful when using it becomes second nature to your teams. That shift happens when you have developed prompts that fit your specific role, answer your recurring questions, and surface information in the exact moments you need it. Follow these best practices when crafting prompts:

Be specific: Instead of "tell me about services," you could say, "Show me all critical services failing the Production Readiness Scorecard." This will give you more actionable information.
Combine multiple questions when context helps: The MCP handles complex prompts like "Who owns orders-api, when was it last deployed, and are there any open incidents?" You get richer context in response to one question instead of piecing together three separate queries.
Reference your organization's specific constructs: If you've defined custom Scorecards or Initiatives in Cortex, reference them by name. The MCP understands your organization's specific standards and can query against them directly.

MCP Prompt Library

We've collated the most effective prompt patterns we've seen across different roles and workflows to build out a library of prompts for engineers, engineering leaders, platform engineers, and SREs. See for the full list of prompts.

Additional information

For more information, see the .

See the beta pages to learn more about the , which enables the use of Engineering Intelligence metrics in MCP (now available in research preview).

We'd love your feedback! If you've been using the Cortex MCP, we'd love to hear your direct feedback on the configuration process, the tools available, and how you've been using it. Your feedback helps us improve and expand our capabilities, if you are interested in helping guide our MCP direction, please submit the survey .

Troubleshooting and FAQ

When I ask a question in my MCP client, why do I see an error that says I hit the maximum length for this chat?

This can happen if you are on the free plan of your MCP client.

Can I make changes via the Cortex MCP?

No, you cannot make changes or write data via the Cortex MCP. The MCP is strictly read-only—it only handles GET requests and cannot modify or write data.

How do I resolve "unauthorized" errors in the MCP?

Ensure that the value of your Cortex API token is valid in your configuration.

How do I resolve "file not found" errors in the MCP?

Ensure that your OpenAPI spec path is correct when mounting.

How do I resolve connection issues with the MCP?

Verify that your Cortex API endpoint is accessible.

How do I resolve a 403 forbidden error in the remote MCP?

Check that you are setting up the remote MCP with a generated in Cortex. Remote MCP setup requires a PAT, not an API key.

Why might I see an SSL certificate error while using the MCP?

This is most likely caused by an issue within your network. We recommend contacting your organization's infrastructure or security team to troubleshoot.

Managing Catalogs

A catalog is a defined selection of entities. You can use catalogs to track and store information about all of the components that make up your infrastructure. This includes everything from services and domains to AWS S3 buckets and RDS, Google Cloud resources, or Azure Resources.

While entities are defined by YAML files, catalogs themselves are not defined by a YAML file and must be created in the Cortex UI. Think of catalogs as a folder containing a collection of entities, with each entity defined by its own YAML file. An entity can belong to multiple catalogs, so you can also think of a catalog as a filter that defines which entity types to group together.

In the example screen shot below, the Services page contains a list of all entities that belong to the Service catalog:

Want to learn more? Check out the Cortex Academy course on Catalogs, available to all Cortex customers and POVs.

Catalogs and entities overview video

In the video below, see an overview of how Cortex helps you build a unified developer portal and catalog that improves visibility, adoption, and productivity:

Default catalogs

By default, Cortex comes with four built-in catalogs:

Services contains all .
Infrastructure contains all entities representing your infrastructure assets.
- Cortex pulls in resources directly from , , or , as their corresponding types out of the box. These resources are automatically added to the Infrastructure catalog.

You can choose to rename these catalogs to fit your own taxonomy, but note that the custom names of these default catalogs will not override the references to their default names throughout the app. Instead, you could choose to create additional custom catalogs.

Custom catalogs

To customize your Cortex instance to your organization's needs, you can also define custom catalogs in Cortex to represent your infrastructure. See below.

Catalog types

There are two types of catalogs:

Entity type catalogs
- Define entity inclusion criteria through filters for entity type, tags, or groups.
- For example, the built-in "service" catalog is configured to include entities of type service.

View catalogs

Click Catalogs from the main nav to view your list of catalogs. You must have the View catalogs permission.

View a catalog's entity list

When you click into a catalog, you can view all of the entities that belong to that catalog:

Display options for entity relationship catalogs

If a catalog can be configured with a hierarchy (such as domains, teams, or custom catalogs based on ), you can choose what is displayed in the list view:

At the top of the list, click Display.
Configure the display options:
- To include the hierarchy in the list view, enable the toggle next to Display hierarchy.
- To include entities that are not connected to any other entities, enable the toggle next to Show empty

The "All entities" page

All entities

The "All entities" page includes entities across all catalogs and entities of all types, whether the entity is one of the or whether it is a . To access this page, go to Catalogs > All Entities.

All entity types

To view all entity types, go to Catalogs > All Entities then click the .

Learn more about entities in .

Manage all catalogs

On the , you’ll find all pre-defined and custom catalogs in Cortex.

This page will reflect the same list of catalogs you find in the Catalogs dropdown menu in the main nav.

Just like "All entities", "All catalogs" includes a search bar and a sort function, as well as a toggle for displaying or hiding Drafts.

From this page, you can create new catalogs and edit existing ones.

Create custom catalogs

You can create catalogs in the Cortex UI. For each catalog, you set the criteria that determines which entities belong to that catalog. In addition, you can define custom entity types to categorize the entities that live in your catalogs.

Because catalogs are not defined by a YAML file, it is not possible to create them via a GitOps workflow.

To create, edit, and delete catalogs, you must have the Edit catalogs permission.

To create a new catalog:

At the top of the "All catalogs" page, click Create catalog.
Configure the "Create catalog" form:
- Name: Enter a name for the catalog.
- Description: Optionally, enter a description of the catalog.

Once the catalog is created, you’ll find it under Catalogs > All catalogs, automatically populated with all entities that apply based on the entity types you've created. Catalogs with a relationship type filter can be displayed as a hierarchy.

Edit catalogs

You can edit a catalog's name, description, URL, display icon, and catalog filter type.

To edit a catalog:

In Cortex, go to Catalogs > All catalogs. Click into the catalog you want to edit, then click Edit catalog at the top of the page.
- This will bring you back to the catalog creation page, with all the details from your last save.
Make any changes necessary to the catalog.
At the bottom of the page, click

Track catalog changes

You can use the to track changes made to any of your catalogs. Catalog updates will be listed as CATALOG in the Type column, and the updated catalog will be listed under the Entity column.

The Action column will indicate whether a catalog was created, deleted, or updated.

Adding entities to catalogs

After an entity is imported or created, it will automatically belong to a catalog based on the entity type criteria set for each catalog. When you , you can set the entity type criteria.

For the default catalogs, the entity type criteria is set by default:

The Services catalog contains service entity types
The Domains catalog contains domain entity types
The Teams catalog contains team entity types

Configure catalog display

You must have the Configure appearance settings permission to configure the catalog display.

By default, catalogs will appear in alphabetical order, but you can manually adjust the order that the catalogs appear in the main nav.

Navigate to to drag and drop catalogs into your preferred order:

AWS

Amazon Web Services (AWS) provides on-demand cloud computing platforms and APIs.

Integrating Cortex with AWS allows you to:

Track AWS entities in the catalog
Automatically discover and track ownership of AWS entities and dependencies
- You can also enable auto-import of any discovered entities of known types.
Create that track progress and drive alignment on projects involving your AWS resources

If you are on a self-hosted Cortex instance, see the page.

How to configure AWS with Cortex

Step 1: Configure the integration in Cortex

In Cortex, navigate to the .
- Click Integrations from the main nav. Search for and select AWS.
Click Add configuration.
In the modal, the JSON configuration, Cortex AWS account ID, and External ID are displayed. In the configuration side bar instructions, you will also see the option to copy a starting "Read Only Access" JSON policy. Keep this browser window open, as you will need these in the next steps.

Step 2: Set up an IAM policy in AWS

When using Cloud Control, the role Cortex assumes to get access into your account needs to have read access to all the selected types. This access is included by default in the Read Only Access policy in Cortex, or it can be configured manually for each type.

For each account:

Log in to your AWS Management Console and open the .
Click Policies, then choose Create policy.
Switch to the JSON editor. In Cortex while configuring AWS, copy the JSON "Read Only Access" starting policy that appears in the in-app instructions. Paste it into the JSON editor.

See the AWS documentation for more information: .

Step 3: Create a role in AWS

This section is specific to cloud-based Cortex accounts. If you are on a self-hosted Cortex instance, please see the AWS account setup guide for self-hosted Cortex.

In AWS, navigate to Roles > Create Role.
For the trusted entity type, select Another AWS account.
In the Account ID field, enter the Cortex AWS account ID that was displayed in Cortex in the earlier steps.
Click Require External ID, then enter the Cortex external ID that was displayed in Cortex in the earlier steps.

Note that if you use multiple AWS accounts, they will share a common rotatable externalId.

Step 4: Finish the configuration in Cortex

Navigate back to the browser window containing your .
Configure the AWS integration form:
- Account ID: Enter the AWS account ID you obtained in the previous steps.
- IAM role: Enter the role name you obtained in the previous steps.

Step 5: Select AWS resource types

In your in Cortex, Cortex will pull all the types you included in the IAM policy into the Cloud Control types dropdown.

If any resource types do not appear in the list, ensure that cloudformation:ListTypes, cloudformation:ListResources, and cloudformation:GetResource are added to the IAM policy so Cortex can pull the list of all available types from AWS.

To select your cloud control types:

In the Cloud control types field, select the types you want Cortex to discover.
- If is enabled, then these types will automatically be imported into Cortex.
  - If you later need to remove any auto-imported cloud control types, see .

If the type you're looking to import is in the list below, please reach out to to submit a feature request.

The following Cloud Control types are not currently supported:

How to connect Cortex entities to AWS

For AWS, Cortex replaces non-alphanumeric characters in entity names with a space. For example, resource_1 would become resource 1.

For the , Cortex replaces non-alphanumeric characters with - and lowercases the letters. If multiple special characters appear together in a tag, Cortex replaces the group of characters with only one -. For example, mY_e%ntity#$_tag would become my-e-ntity-tag.

Enable automatic import of AWS entities

You can configure automatic import from AWS:

In Cortex, navigate to the .
Next to Auto import from AWS, Azure, and/or Google Cloud, click the toggle to enable the import.\

If you do not have automatic import enabled, you can .

Limit discovery to specific regions

By default, Cortex will search for resources across all AWS regions, but you can limit that to specific regions in the .

Import entities from AWS

See the for instructions on importing entities.

Discover dependencies for AWS

Cortex automatically discovers dependencies between your services and resources by scanning for resources with specific AWS tags. By default, a service will have dependencies on any Cortex resource that has a corresponding AWS resource with key = "service" and tag value = the service's Cortex tag.

Customize AWS tag names

In Cortex under the , you can customize the tag key names. Expand the Dependencies sync from AWS section, then select tags from the dropdown menu. Note that an AND operator is used when you select multiple tags; the resource will need to have all specified tags in order to be recognized by Cortex.

If you do not specify tag names, Cortex will use "service" as the key name.

AWS dependency sync

Cortex syncs AWS tags daily at 8 a.m. UTC. To manually refresh the tags, navigate to the in your workspace, click the menu in the upper right corner, then click Sync dependencies.

Use key/value pairs in the entity descriptor for discovery

You can also use explicit tag key/value pairs in the x-cortex-dependency block for AWS dependency discovery. Instead of making a service depend on a resource based on service tags, Cortex will make a service depend on a resource if any of the resource's AWS tags match the explicitly defined key/value pairs in the service's x-cortex-dependency block. For example, the service below will have dependencies on any AWS resource with tag (key = aws:cloudformation:my-key-1, value = arn:aws:cloudformation:my-region:my-value-1) or tag (key = aws:cloudformation:my-key-2, value = arn:aws:cloudformation:my-region:my-value-2).

For more information on dependencies, see the .

Discover ownership for AWS

Cortex can automatically discover ownership for your AWS resources. To enable this, make sure that your AWS resources have a tag matching the x-cortex-tag of the corresponding Cortex team and enable the “Sync ownership from AWS” toggle in the Settings page. By default, we look for the owner tag. You can also customize the tag key name.

Cortex syncs ownership from AWS every day at 6 am UTC.

Editing the entity descriptor

We recommend for the fastest and most efficient experience connecting your data. If you need to manually edit entity descriptors, see the information below.

You can associate a Cortex entity with one or more AWS entities. For certain AWS resource types, Cortex will display those AWS entities' metadata on the Cortex entity page.

Multiple ECS services on a single entity

You can associate a Cortex entity with multiple ECS services.

If you are using the Cloud Control resource types, use the format below:

If you are not using Cloud Control types or if you imported your entity prior to Cortex supporting Cloud Control types, you can use the format shown below:

The values for clusterArn and serviceArn are defined in .

Discovery audit

Cortex will pull recent changes from your AWS environment into the . Here, you can find new entities in AWS that have not been imported into the catalog - these will have the tag New AWS Resource - as well as entities in the catalog that no longer exist in AWS - these will have the tag AWS Resource Not Detected.

Using the AWS integration

Searching AWS entities in Cortex

The following keys are supported when searching for your AWS entities in Cortex under Catalogs > All Entities:

aws-account-id - Account ID number
aws-account-name - Account alias
aws-region - AWS region of the resource

Example search queries

aws-type:"AWS::EC2" AND aws-region:"us-west": Search for entities of category EC2 in the any of us-west regions
aws-account-id: "234512324": Search for all entities from the account 234512324
aws-name:"aws-identifier-of-resource" AND aws-account-name:"test-account": Search for entity with identifier aws-identifier-of-resource in the account with alias test-account

Scorecards and CQL

With the AWS integration, you can create Scorecard rules and write CQL queries based on AWS resources.

See more examples in the in Cortex.

AWS details

Get the AWS details for an entity

Definition: aws.details(): Object

Example

In a Scorecard, you can create a rule to verify that an entity of type lamda has a correct function name:

You could also create a rule to verify that an entity is not using deprecated runtimes:

View integration logs

Background sync

Cortex conducts the following background syncs for AWS:

Ownership sync daily at 6 a.m. UTC
AWS tag sync (dependencies) daily at 8 a.m. UTC
- You can via the Relationship Graph.
Integration details daily at 10 a.m. UTC

Troubleshooting and FAQ

If I have auto-import enabled, how can I remove cloud control types that I no longer want to be imported?

If you want to remove any of the cloud control types after importing them: Disable the setting, remove the cloud control types from your , then enable . This will cause the removed cloud control types to be archived during the next sync.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Datadog

Overview

Datadog is an application performance monitoring platform that provides real-time observability into entities, servers, databases, and tools, providing developers with a comprehensive understanding of their infrastructure as well as the ability to identify areas for improvement.

Cortex is uniquely equipped to augment Datadog's tools, providing greater visibility into your entities. In this guide, you'll learn how to set up the Datadog integration to pull in services and metrics for entities:

Monitors
SLOs
Dependencies

How to configure Datadog with Cortex

Prerequisites

Before getting started, make sure you have created the following:

- You can create this in Datadog under Organizational Settings > Applications Key.
- Include the following scopes:
  - monitors_read

Configure the integration in Cortex

In Cortex, navigate to the .
- Click Integrations from the main nav. Search for and select Datadog.
Click Add configuration.
Configure the Datadog integration form:

After saving your configuration, you are redirected to the Datadog integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Datadog was configured properly.

Configure the integration for multiple Datadog accounts

The Datadog integration has multi-account support. You can add a configuration for each additional by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the Datadog page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.How to connect Cortex entities to Datadog

How to connect Cortex entities to Datadog

Tag discovery

By default, Cortex will use the (e.g. my-entity) as the "best guess" for Datadog tag. For example, if your Cortex tag is my-entity, then the corresponding tag in Datadog should also be my-entity.

If your Datadog tags don’t cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

Import entities from Datadog

See the for instructions on importing entities.

Editing the entity descriptor

You can use service tags to connect Datadog services to Cortex entities.

Field

Description

Required

These tags are used to "discover" your monitors and SLOs. Cortex will find monitors and SLOs by querying tag:value OR tag:value2 ...

If you want to hard code and/or override discovery, you can define a monitor or SLOs block in the entity descriptor, as described below.

Monitors and SLOs

Adding monitors let you see information about their current status directly from a catalog - via the Monitors column - and under the Operations section of an entity page. You can find your monitors from Datadog's .

The ID of a monitor is found in the URL when you click on a monitor in your Datadog dashboard i.e., https://app.datadoghq.com/monitors/****.

Like monitors, Datadog SLOs can be found in the Operations section of an entity page. You can find the SLOs for your instance on Datadog's .

The ID for the SLO can be found in the URL when you click on an SLO in the Datadog dashboard. For example, https://app.datadoghq.com/slo?slo_id=****&timeframe=7d&tab=status_and_history.

Monitors and SLOs have the same field definitions.

Field

Description

Required

Dependency mapping

Cortex automatically syncs dependencies from Datadog's , using the entity identifier (x-cortex-tag) to map entities found in the Service Map.

The relationships Cortex discovers through the integration will feed directly into the , so you can easily visualize the connections between your entities.

If you have two entities - for example, entity-one and entity-two - that have a dependency edge in Datadog's Service Map, both entities should exist in Cortex with the same identifiers ().

You can override this by where tag = entity and value = entity name in Datadog Service Map.

If the Cortex tag does not exactly match the entity identifier in Datadog, the dependencies will not automatically sync. You can override automatic discovery by defining values in the entity descriptor.

You can connect an APM service for dependency mapping in the entity descriptor:

Using the Datadog integration

View Datadog monitors and SLOs on entity pages

With the Datadog integration, you'll be able to find monitors and SLOs on an entity's home page. High-level information about monitors and SLOs appears in the Overview tab.

Click Monitoring in the entity's sidebar to see more detailed data about both monitors and SLOS. Both sections display tags for Pass, Fail, Warning, and No Data for each monitor or SLO.

The SLOs column shows each SLO, its target(s), the current value for that entity, its status. and the period of time the SLO is being calculated for. For example, if the time listed is "7 days ago," then the SLO is looking at the time range starting 7 days ago to now..
The Monitors column shows the title for each monitor, its query (if available), and its status.

Clicking any block with a nonzero value will open a modal with more detailed information. The monitor modals will list all monitors with the applicable status. The SLO modals will also display targets for each SLO that is passing or failing.

Scorecards and CQL

With the Datadog integration, you can create Scorecard rules and write CQL queries based on Datadog metrics, monitors, and SLOS.

See more examples in the in Cortex.

You can read more about Datadog's and in their docs.

Metrics

from Datadog.

Metric
Timestamp

Definition: datadog.metrics(query: Text, lookback: Duration, alias: Text | Null)

Monitors

Monitors associated with a given entity via ID or tags. You can use these data to check whether an entity has monitors associated with it, or whether an entity has the right types of monitors.

Created at
Creator email

SLOs

SLOs associated with a given entity via ID or tags. You can use these data to check whether an entity has SLOs associated with it and if those SLOs are passing.

History
ID

Discovery audit

Cortex will pull recent changes from your Datadog environment into the . Here, you can find new entities in Datadog that have not been imported into the catalog - these will have the tag New APM Resource - as well as entities in the catalog that no longer exist in Datadog - these will have the tag APM Resource Not Detected.

View integration logs

Background sync

The dependency sync runs automatically each day at 12 a.m. UTC, and can be run manually via the in the .

FAQs and troubleshooting

Can I set a Scorecard rule to monitor Datadog monitors/SLOs based on tags?

Yes, you can that allow Cortex to discover your SLOs and monitors, and use these tags in Scorecard rules.

How does Datadog work with other dependency sources?

When leveraging multiple dependency sources such as Datadog and a catalog entity's YAML, all the sources would be merged together and Cortex will de-duplicate the dependencies.

For example, if an entity YAML indicates X → Y and Datadog indicates X → Y and X → Z, the entity will display two edges presented as X → Y and X → Z.

Add custom entity types

Every entity you add to your workspace is associated with an entity type. Cortex comes with several built-in entity types, but you can create unlimited custom entity types to extend your catalogs.

There are two distinct parts of this process: Creating the entity type itself (via the UI or API), then creating entities of that custom type (via the UI, GitOps, or API).

Want to learn more? Check out the Cortex Academy course on Catalogs, Entities, and Relationships, available to all Cortex customers and POVs.

View entity types

To view all entity types, go to Catalogs > All Entities then click the .

A Cortex logo appears next to built-in entity types. When you hover over the logo, you will see a "Powered by Cortex" banner:

The other entity types in the list are custom types.

Create custom entity types

You can create custom entity types:

Manually in the Cortex UI
Via the

When creating an entity type, keep in mind that these will ultimately dictate how you import specific entities later on. After creating the type itself, you will be able to (via the UI, API, or GitOps).

To create, edit, and delete entity types, your user or API key must have the Edit entity types permission.

Create entity types in the Cortex UI

In Cortex, navigate to Catalogs > All entities.
Click the Entity types tab, then click Create entity type.\
Configure the form:

JSON schema for custom entity types

Entity type definitions require a JSON schema that outlines the attributes that entities should conform to.

Custom entity type definitions are powered by the open-source project.

The JSON schema for a custom entity type ensures consistency and validation when creating entities of that type. The attributes listed under required in the schema must be defined for entities of that type according to the outlined properties.

In the example below, location is required when creating this type of entity, but the schema also includes department as a possible property.

Field

Definition

Required

Adding an entity schema for new custom entities

When creating a new entity of the custom type, if the entity type's JSON schema requires certain attributes, you must include the metadata for those attributes on that entity.

Add attributes via JSON schema

While , you can enter JSON for the entity's schema into the Schema field.

Based on the , the entity schema format would look like the following:

Add attributes via YAML

If you are following a GitOps workflow, or if you are editing the entity's YAML directly in the Cortex UI, you can update the custom entity's metadata in the YAML.

Based on the , the entity YAML would look like the following:

When creating a custom entity, the x-cortex-type (the custom entity type) and the x-cortex-definition are required. Learn more under .

Metadata in the entity details page

Defining a JSON schema enables visibility on an . The schema and the defined properties will appear under the Metadata section on the entity's overview, making it easy for you to identify key specs.

In the example below, the entity "Sally S" displays metadata for the property "location."

Create custom entities

After , you can create entities of that custom type:

in the Cortex UI
in the via
via the

To create custom entities, your user or API key must have the Edit entities permission.

Create custom entities in the Cortex UI

Before creating a custom entity in the UI, make sure you have UI-based editing enabled for this entity type in .

In the main nav of Cortex, click Catalogs > All entities.
At the top of the Services page, click +Import entities.
Choose Create entities manually.

Managing custom entities

Edit custom entities

It is possible to edit entities after creating them:

Navigate to the entity's page.
In the upper right corner, click Configure entity.
Make any desired changes.
- Note: The only field you cannot edit is the identifier.

Add custom entities to catalogs

After an entity is imported or created, it will automatically belong to a catalog based on the entity type criteria set for each catalog. When you , you can set the entity type criteria.

By default, any you create will belong to the Infrastructure catalog. If you do not want the entity type to belong to this catalog, you can add the entity type to a different catalog's definition.

Managing custom entity types

After creating a custom entity type, you can view or edit its schema, view a list of entities of that type, and validate the schema of entities of that type.

View custom entity types

You can view a custom entity type's schema and a list of entities of that type.

Navigate to Catalogs > All entities, then click the .
Click into an entity type.
- The schema is displayed on the entity type page.

Edit custom entity types

Navigate to Catalogs > All entities, then click the .
Click into an entity type.
In the upper right corner, click Edit.
Make changes to your entity type, then at the bottom of the page, click Save.

Validate an entity schema for a custom entity type

Navigate to Catalogs > All entities, then click the .
Click into an entity type.
Click the Schema linter tab.
In the text editor, paste in your entity's JSON schema to verify that it is properly formatted for this entity type.

Using custom entity types or custom data

In some instances, you may want to use custom data instead of a custom entity type. This is recommended if you need more flexibility for these entity types; they may not always require specific metadata.

While a custom entity type's metadata will appear on the overview of an , custom data does not appear there. Instead, it appears in the Custom data sidebar of an entity details page.

It is possible to create an entity type with an empty properties schema:

This entity type will display in the catalogs, but entities of this type won't be validated against certain specs. Such properties can instead be defined using .

A schema is ideal for enforcing static properties across all entities, while custom data allows users to augment and update attributes.

GitLab

GitLab is a Git-based version control system with cloud and self-hosted options.

Integrating GitLab with Cortex allows you to:

Discover and track ownership of entities
Follow a GitOps workflow with GitLab
View commits alongside events and other data on entity pages in Cortex
View information about merge requests in the
Use GitLab metrics in to understand key metrics and gain insight into services, incident response, and more
Create to monitor development maturity relating to GitLab projects

How to configure GitLab with Cortex

There are two options for integrating GitLab: the default configuration method and Cortex Axon Relay, a relay broker allows you to securely connect your on-premises GitLab data.

Prerequisites

Before getting started:

A GitLab user with at least the Maintainer role must create a GitLab or with the read_api scope.
- We recommend that you create the token at the parent group level, as GitLab does not support using a scoped token to read members from a parent group. If you do not create the token at the parent level, then you will need to manually configure groups in your GitLab settings in order for identity mapping and teams to work as expected.
If you're using the Scaffolder for entities in a given GitLab instance, make sure that configuration has the full

Self-hosted prerequisites

If you're using a self-hosted instance of GitLab, you'll need to verify that your Cortex instance is able to reach the GitLab instance. We route our requests through a static IP address. Reach out to support at to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your GitLab instance.

Configure the integration in Cortex

In Cortex, navigate to the :
- Click Integrations from the main nav. Search for and select GitLab.
Click Add configuration.

Once you save your configuration, you'll see it listed on the integration's settings page in Cortex. If you’ve set everything up correctly, you’ll see the option to Remove Integration in Settings.

You can also use the Test all configurations button to confirm that the configuration was successful. If your configuration is valid, you’ll see a banner that says “Configuration is valid. If you see issues, please see documentation or reach out to Cortex support.”

Configure the integration for multiple GitLab accounts

The GitLab integration has multi-account support. You can add a configuration for each additional by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the GitLab page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.

Cortex supports mapping multiple identities for a single user if you have multiple configurations of GitLab. See the for more information.

Enable GitOps for your GitLab integration

Cortex supports a GitOps approach, which allows you to manage entities in Cortex through your version control system. If you would prefer this workflow over the UI for the GitLab integration, you must create a webhook. Please see the for instructions.

How to connect Cortex entities to GitLab

Import entities

Cortex will discover entities for import from your GitLab configuration(s). These will appear in the import entities workflow.

See the for instructions on importing entities manually.

Editing the entity descriptor

Git

By specifying the x-cortex-git field in your Cortex entity descriptor, you'll be able to see Git information in the entity page, including the top language, recent commits, and top contributors.

Field

Description

Required

Only one repository can be defined for in a given entity's YAML in the x-cortex-git block.

Ownership

You can define the following block in your Cortex entity descriptor to add your GitLab groups.

Team name should match the group name in GitLab.

Field

Description

Required

Identity mapping

Cortex maps users' email addresses to discovered GitLab accounts, so you never need to define email ownership in an entity descriptor.

You can confirm users' GitLab accounts are connected from .

If users are not loading in the identity mapping page, make sure that you have created your GitLab personal access token from the parent level as described in the .

Using the GitLab integration

View GitLab data on entity pages in Cortex

Cortex uses the GitLab integration for a significant amount of data that appears on .

The GitLab integration will populate the Repo and Language detail blocks on an entity's details page.

In the Recent activity preview, you'll find the recent commits and releases. These will also appear in the event timeline.

These data will appear for entities imported from a Git source or those that have a Git repo defined in their YAMLs.

Events

On an entity's Events page, you can find all of the commits and releases associated with that entity. Each is hyperlinked to the commit or release page in GitLab and includes a timestamp.

Repository

You can access more detailed information pulled from GitLab in the Repository page in the entity's sidebar. At the top of the page, you'll find the repo associated with that entity and the most-used language in files for that entity. In the Top contributors block, you'll find the three users who have contributed the most code and the number of their contributions.

In the Commits section, you'll find the 10 most recent commits and metadata about each. Below Commits is the Recent releases section, which includes the 5 most recent releases.

Packages

Team pages

When a GitLab team is registered in a team entity descriptor, Cortex will pull GitLab users in to the Members tab. When available, Cortex will pull in the profile picture and email address for each user.

If team members are not appearing as expected, make sure that you have created your GitLab personal access token from the parent level as described in the .

Engineering homepage

The GitLab integration enables Cortex to pull information about merge requests into the . You can find your open merge requests and any merge requests assigned to you for review.

Merge requests from GitLab are refreshed every 2 minutes.

Eng Intelligence

The also uses merge request data from GitLab to generate metrics:

Average MR open to close time
Avg time to first review
Avg time to approval
MRs opened

You can read more about how Eng Intelligence tracks metrics for teams and users in the Eng Intelligence walkthrough.

To add deployments for your GitLab related entity, you can send a deployment event to the .

Scorecards and CQL

With the GitLab integration, you can create Scorecard rules and write CQL queries based on GitLab data.

See more examples in the in Cortex.

Approvals required to merge

Number of approvals required to merge a pull/merge request into a repository. Defaults to 0 if no approvals are defined.

Definition: git.numOfRequiredApprovals()

Examples

For a security or development maturity Scorecard, you can write a rule to make sure at least one approval is required to merge a pull/merge request:

By having a rigorous PR process in place for a repo, you can make sure changes aren't made that create vulnerabilities. This kind of rule could also be used in a best practices or project standards Scorecard.

You can also use a similar expression in the Query Builder to find entities lacking approval:

Git repository set

Check if an entity has a registered Git repository.

Definition: git (==/!=) null: Boolean

Example

In a Scorecard, you can write a rule that detects whether an entity has a Git repository set:

Pipeline build success rate

The percentage of build pipelines that complete successfully. This is calculated against builds on the default branch, for commits in the last 30 days. The calculation is # successful builds / (# successful + # failed).

Definition: git.percentBuildSuccess(): Number

Example

In a Scorecard, you can write a rule that requires at least 90% of build runs to be successful:

Branches

List all live branches with some basic metadata.

Head
Is protected

Branch protection details

Find details for specified branch, or default branch if none is specified.

Branch name
Code owner reviews required

Commits

Get the latest commits (to a maximum of 100) for a defined lookback period (defaulting to 7 days).

Date
Message

Default branch

Default branch for the repository, or main when null.

Definition: git.defaultBranch()

Example

If default branches should always be named "main," you can write a rule to make sure entities follow this practice:

File contents

Load the contents of a file from the entity's associated repository.

The contents can be validated by using string comparison operations or parsed by the built-in jq function. The jq function will automatically coerce file contents of JSON or YAML formats.

Definition: git.fileContents()

Example

For a Scorecard focused on development maturity, you could use the git.fileContents() rule to enforce that a CI pipeline exists, and that there is a testing step defined in the pipeline.

A best practices Scorecard, meanwhile, could use this expression for a number of rules:

File exists

Check if file exists from within the entity's associated repository.

Definition: git.fileExists()

Examples

For a Scorecard focused on best practices, you can make sure that repositories contain a README.md file:

This rule would make sense in the first level because it's so essential.

A higher-level rule in a best practices Scorecard might confirm that developers are checking in lockfiles to ensure consistency in package installs:

And/or a rule that makes sure there are unit tests enabled:

Number of Git vulnerabilities

Check the number of vulnerabilities for an entity's associated repository.

Definition: git.numOfVulnerabilities()

Examples

A security-focused Scorecard will likely include a rule making sure there are no Git vulnerabilities:

You can use Scorecard levels to stratify vulnerabilities by risk. An initial level might make sure there are no critical vulnerabilities:

While a higher level might make sure there are no vulnerability warnings:

List of Git vulnerabilities

Find all vulnerabilities within a repository. Can filter by severity or scan type.

Definition: git.vulnerabilities()

Examples

You could write a Scorecard rule that verifies an entity has fewer than 5 Git vulnerabilities:

You could write a rule to verify that an entity has no critical vulnerabilities:

Has Cortex YAML

Check if a repository has a valid cortex.yaml file checked in at the root directory (when GitOps is enabled).

Definition: git.hasCortexYaml()

Example

If you're using a Scorecard to track a migration from Cortex UI to GitOps, you can use this rule to make sure entities are set up for GitOps management of entity descriptors:

Last commit details

Provides last commit details.

Date
Message

Pull requests

Lists pull requests opened during a defined lookback period.

Approval date
Author

Reviews

List reviews left during a defined lookback period.

Organization
Repository

Workflow runs

Get workflow runs meeting given filter criteria, including conclusions, statuses, and a lookback period.

Conclusion
Name

Ownership CQL

All ownership details

A special built-in type that supports a null check or a count check, used to enforce ownership of entities.

Definition: ownership: Ownership | Null

Example

An initial level in a security Scorecard might include a rule to ensure an entity has at least one team as an owner:

All owner details

List of owners, including team members and individual users, for each entity

Definition: ownership.allOwners()

Example

The Scorecard might include a rule to ensure that entity owners all have an email set:

Team details

List of teams for each entity

Definition: ownership.teams(): List<Team>

Example

The Scorecard might include a rule to ensure that an entity owners all have a description and are not archived:

View integration logs

Background sync

Cortex conducts a background sync of GitLab identities every day at 10 a.m. UTC. Merge requests are refreshed every 2 minutes.

FAQ and Troubleshooting

Why is my CQL query git.branchProtection() returning no results or a 403 error?

This can happen if you do not have the read_api scope set for your access token, or if the GitLab user who generated the token does not have at minimum the Maintainer role.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

## API Spec and Version
openapi: 3.0.0

# Service Descriptors

# Required fields: info, title, x-cortex-tag
info:
  title: <HUMAN_READABLE_SERVICE_NAME>
  x-cortex-tag: <SERVICE_TAG>
   description: <DESCRIPTION>

  # Groups
  # !Groups must contain only alphanumeric characters, and may not contain whitespaces!
  x-cortex-groups:
    - <GROUP_NAME>
    - <GROUP_NAME>
    - <GROUP_NAME>
  
  # Owners
  x-cortex-owners:
    - type: group
      name: my-team
      provider: CORTEX # Use when referring to a team defined in Cortex; these teams do not map to identities from integrations
      description: This is a description for this owner
    - type: email
      email: [email protected]
      description: This is a description for this owner
    - type: group
      name: team-name
      provider: ACTIVE_DIRECTORY | AZURE_DEVOPS | BAMBOO_HR | GITHUB | GITLAB | GOOGLE | OKTA | OPSGENIE | SERVICE_NOW | WORKDAY
  # Also see the team entity example below
  
  # Links
  x-cortex-link:
     - name: <HUMAN_READABLE_NAME>
       type: <TYPE>
       url: <URL_TO_LINK>
       description: <DESCRIPTION>
  ## Note that type of OPENAPI/ASYNC_API will be displayed in the API Explorer tab in the Cortex UI
  ## Links support relative URLs

  # Dashboards
  x-cortex-dashboards:
   embeds:
     - type: <datadog | grafana | newrelic>
       url: <URL>

  # Custom Data
  x-cortex-custom-metadata:
     my-key: the value
     another-key:
       this: is
         an: object
     my-key-2:
       value: the actual value for the key
       description: This is the description
     final-key:
       - also
       - use
       - lists!
       
  # Custom entities
  # You cannot create a custom entity type via GitOps, but after creating the type in the UI or API, you can create custom entities via GitOps.
  title: Sally S
  description: Technical writer
  x-cortex-tag: employee-sally
  x-cortex-type: org-employees
  x-cortex-definition:
    location: San Diego
    department: Engineering

  # Parent and child relationships
  x-cortex-type: team
  x-cortex-children:
  - tag: child-team-1
  - tag: child-team-2
  
  x-cortex-type: domain
  x-cortex-parents:
  - tag: parent-team-1
  - tag: parent-team-2
  
  # Entity relationships
  x-cortex-relationships:
  - type: relationship-type-name
    destinations:
    - tag: destination-entity-1
    - tag: destination-entity-2
  

  # Dependencies
  # Required fields: x-cortex-tag, method (required if path present), path (required if method present)
  x-cortex-dependency:
       - tag: <TAG>
         method: <HTTP_METHOD>
         path: <PATH_FOR_METHOD>
         description: <DESCRIPTION>
         metadata:
           tags:
             - <TAG_1>
             - <TAG_2>
           prod: true
           
 # Team configurations
 title: Eng Team
 x-cortex-tag: eng-team
 x-cortex-type: team
 x-cortex-team:
   groups:
   - name: eng-team
     provider: OKTA
   members:
   - name: Eng Manager
     email: [email protected]
     notificationsEnabled: true 
   - name: Product Manager
     email: [email protected]
     notificationsEnabled: false
  x-cortex-children:
    - tag: infra-team
    - tag: sre-team
 
 # Domain configurations
   x-cortex-type: domain
   x-cortex-owners:
     - type: GROUP
       name: cortexapps/engineering
       provider: GITHUB
       interitance: APPEND | FALLBACK | NONE 
   x-cortex-children:
     - tag: chat-service
       tag: chat-database
       


  # Integrations
  
  # Apiiro
  x-cortex-apiiro:
    repositories:
      - alias: alias-one
        repositoryId: repository-one
      - alias: alias-two
        repositoryId: repository-two
    applications:
      - alias: alias-one
        applicationId: application-one
      - alias: alias-two
        applicationId: application-two
  
  # AWS Cloud Control types
  x-cortex-infra:
    aws:
      cloudControl:
      - type: AWS::RDS::DBInstance
        region: us-west-2
        accountId: "123456123456"
        identifier: rds-example
  
  # AWS ECS
  x-cortex-infra:
    aws:
      ecs:
        - clusterArn: <CLUSTER_ARN>
          serviceArn: <SERVICE_ARN>
        - clusterArn: <CLUSTER_ARN_2>
          serviceArn: <SERVICE_ARN_2>

  # Azure DevOps
  x-cortex-git:
    azure:
      project: <project-name>
      repository: <repository-name>
       
  # Azure Resources
  x-cortex-azure:
    ids:
    - id: /subscriptions/1fbb2da1-2ce7-45e4-b85f-676ab8e12345/resourceGroups/GROUP1/providers/Microsoft.Compute/disks/vm1_disk1_3d9f85717666435e9e87e4883d31a7e9
      alias: my-default-alias # alias is optional and only relevant if you have opted into multi account support
    - id: /subscriptions/1fbb2da1-2ce8-45e4-b85f-676ab8e12345/resourceGroups/GROUP2/providers/Microsoft.Compute/disks/vm1_disk1_3d9f85717666435e9e87e4883d31a7e0
      alias: my-other-alias # alias is optional and only relevant if you have opted into multi account support

  # BambooHR
  x-cortex-owners:
    - type: group
      name: <TEAM_NAME>
      provider: BAMBOO_HR
      description: # optional

  # Bitbucket
  x-cortex-git:
    bitbucket:
      repository: <workspace>/<repo>
   x-cortex-owners:
       - type: group
         name: <TEAM_NAME>
         provider: BITBUCKET
         description: # optional
         
  # Bugsnag
  x-cortex-bugsnag:
    project: <PROJECT_KEY> # projectKey in Bugsnag
     
  # Buildkite
  x-cortex-ci-cd:
    buildkite:
      pipelines:
        - slug: my-buildkite-pipeline-slug-1
        - slug: my-buildkite-pipeline-slug-2
      tags:
        - tag: my-buildkite-tag-1
        - tag: my-buildkite-tag-2

  # Checkmarx
  x-cortex-checkmarx:
    projects:
      - projectName: My Cool Project
      - projectId: 1234
  
  # CircleCI
  x-cortex-circle-ci:
      projects:
      - projectSlug: circleci-projectslug # projectslug in CircleCI
        alias: circleci-alias # alias is optional and only relevant if you have opted into multi account support
  
  # ClickUp
  x-cortex-issues:
    clickup:
      spaces:
      - identifier: 123456789
        identifierType: ID
      folders:
      - identifier: my-folder
        identifierType: NAME
      tags:
      - name: tag a
      - name: tag b
  
  # Codecov
  x-cortex-static-analysis:
    codecov:
      owner: org-name
      repo: my-project
      provider: AZURE_DEVOPS | BITBUCKET | BITBUCKET_SERVER | GITHUB | GITHUB_ENTERPRISE | GITLAB | GITLAB_ENTERPRISE
      flag: flag

  # Coralogix
  x-cortex-coralogix:
    applications:
    - applicationName: my-app # application name tied to alert
      alias: my-alias # alias is optional and only relevant if you have opted into multi account support
  
  # Datadog
  x-cortex-apm:
    datadog:
      serviceTags: # List of tags & values
       - tag: <KEY>
         value: <VALUE>
       - tag: <KEY>
         value: <VALUE>
  .   serviceName: <NAME IN DATADOG>
      monitors:
        - monitor-id
        - monitor-id-2
  x-cortex-slos:
     datadog: # List of SLO ids
       - id: slo-id-1
       - id: slo-id-1

  # Dynatrace
  x-cortex-apm:
    dynatrace:
      entityIds:
        - mock-service-id-1
        - mock-service-id-2
      entityNameMatchers:
        - "foo.*"
  x-cortex-slos:
    dynatrace:
      - id: slo-id-1
      - id: slo-id-2

  # Entra ID (Azure Active Directory)
  x-cortex-owners:
     - type: group
       name: <TEAM_NAME>
       provider: ACTIVE_DIRECTORY
       description: # optional

  # FireHydrant
  x-cortex-firehydrant:
    services:
      - identifier: ASDF1234
        identifierType: ID
      - identifier: service-slug
        identifierType: SLUG

  # GitHub
  x-cortex-git:
    github:
      repository: <org>/<repo>
      basepath: <SERVICE_NAME> # optional
   x-cortex-owners:
     - type: group
       name: <ORGANIZATION>/<TEAM> # Must be of form <org>/<team>
       provider: GITHUB
       description: # optional


  # GitLab
  x-cortex-git:
    gitlab:
      repository: <namespace>/<project>
      basepath: <SERVICE_NAME> # optional
  x-cortex-owners:
    - type: group
      name: Team Name
      provider: GITLAB
      description: This is a description for this owner


  # Google
  x-cortex-owners:
    - type: group
      name: <GROUP_NAME>
      provider: GOOGLE
  x-cortex-dependency:
    gcp:
      labels:
        - key: my-key-1
          value: my-value-1
        - key: my-key-2
          value: my-value-2
  x-cortex-infra:
    Google Cloud:
      resources:
        - resourceName: location/function
          projectId: project1
          resourceType: function
        - resourceName: example-bucket
          projectId: project1
          resourceType: storage
  x-cortex-slos:
    gcp:
      - projectId: cortex-gcp-integration
        serviceId: iLE2e4HvR_iVlxAaBbCc12
      - projectId: cortex-gcp-integration
        serviceId: adfdfdafd

  # Grafana
  x-cortex-dashboards:
    embeds:
      - type: grafana
        url: <embed_url_to_dashboard>
         
  # incident.io
  x-cortex-incident-io:
    customFields:
    - name: Entity
      value: My Entity
      alias: my-default-alias
    - id: Entity_ID
      value: my-second-entity
      alias: my-other-alias

  # Jira
  x-cortex-issues:
    jira:
      labels:
        - <LABEL1>
        - <LABEL2>
      components:
        - <COMPONENT1>
      projects:
        - project1
  # Optional: Override Cortex default Jira query
      defaultJql: 'status = "In Progress"'

  # Kubernetes
  x-cortex-k8s:
    deployment:
      - identifier: namespace/name
        cluster: dev # optional
      - identifier: experiment/scratch
        cluster: dev
      - identifier: default/cortex
        cluster: prod
    argorollout:
      - identifier: namespace/name
        cluster: dev
    statefulset:
      - identifier: namespace/name
        cluster: dev
    cronjob:
       - identifier: namespace/name
         cluster: dev

  # LaunchDarkly
  x-cortex-launch-darkly:
    projects:
      - key: project-key
        environments: # Optional
          - environmentName: prod
          - environmentName: staging
        alias: alias-1 # alias is optional and only relevant if you have opted into multi account support
      - tag: project-tag
        environments: # Optional
          - environmentName: prod
        alias: alias-2 # alias is optional and only relevant if you have opted into multi account support
    feature-flags:
      - tag: feature-flag-tag
        environments: # Optional
          - environmentName: staging
        alias: alias-3 # alias is optional and only relevant if you have opted into multi account support
  
  # Lightstep
  x-cortex-slos:
    lightstep:
      - streamId: <STREAM_ID>
        targets:
        latency:
          - percentile: <PERCENTILE>
            target: <TARGET>
            slo: <SLO>

  # Mend
  x-cortex-static-analysis:
    mend:
      applicationIds:
        - mend_id_1
        - mend_id_2
      projectIds:
        - project_id_1
        - project_id_2
  
  # Microsoft Teams
  x-cortex-microsoft-teams:
    channels:
    - name: team-engineering
      teamName: engineering
      description: This is a description for the engineering channel in Teams.
      notificationsEnabled: true
  
  # New Relic
  x-cortex-apm:
    newrelic:
      applications:
      - applicationId: <APP_ID>
        alias: default-app
      tags:
      - tag: tagKey
        value: tagValue
        alias: default-app
  x-cortex-dashboards:
    embeds:
      - type: newrelic
        url: <FULL_URL_TO_DASHBOARD>

  # Okta
  x-cortex-owners:
    - type: group
      name: <GROUP_NAME> # group name in Okta
      provider: OKTA
      description: # optional

  # OpsGenie
  x-cortex-oncall:
    opsgenie:
      type: SCHEDULE
      id: <SCHEDULE_ID> # Optionally, can use the Rotation UUID instead
  x-cortex-owners:
    - type: group
      name: <GROUP_NAME>
      provider: OPSGENIE
      description: # optional
  x-cortex-alerts:
    - type: opsgenie
      tag: <KEY>
      value: <VALUE>

  # PagerDuty
  x-cortex-oncall:
    pagerduty:
      id: <SERVICE_ID> # Service ID
      type: SERVICE
  x-cortex-oncall:
    pagerduty:
      id: <SCHEDULE_ID> # Schedule ID
      type: SCHEDULE
  x-cortex-oncall:
    pagerduty:
      id: <POLICY_ID> # Escalation Policy ID
      type: ESCALATION_POLICY

  # Prometheus
  x-cortex-slos:
    prometheus:
      - errorQuery: <query>
        totalQuery: <query>
        slo: <slo target number>
        alias: my-prometheus-instance
        name: my-slo-name

  # Rollbar
  x-cortex-rollbar:
    project: <PROJECT_NAME> # projectName in Rollbar
     
  # Rootly
  x-cortex-rootly:
    services:
      - id: ASDF1234
      - slug: service-slug

  # Sentry
  x-cortex-sentry:
    projects:
      - name: my-project # projectName in Sentry
      - name: my-second-project
     
  # Semgrep
  x-cortex-semgrep:
    projects:
    - alias: my_org 
      projectId: 1234567
    - alias: other_org
      projectId: 7654321

  # ServiceNow
  x-cortex-servicenow:
    services:
    - tableName: cortex-services
      id: 1
  x-cortex-owners:
    - type: group
      name: My ServiceNow Team
      provider: SERVICE_NOW
      description: This is a description for this owner # optional

  # Slack
  x-cortex-slack:
    channels:
    - id: ABCDEF123
      notificationsEnabled: true
      description: This is a description for this Slack channel
    - name: team-engineering
      notificationsEnabled: true
      description: A description for this Slack channel.

  # Snyk
  x-cortex-snyk:
    projects:
      - organizationId:<ORGANIZATION_ID>
        projectId: <PROJECT_ID>
        source: CODE

  # SonarQube
  x-cortex-static-analysis:
    sonarqube:
      project: <PROJECT_KEY> # projectKey in SonarQube
      alias: sonarqube-alias

  # Splunk Observability Cloud (SignalFX)
  x-cortex-slos:
    signalfx:
      - query: <FULL_SFX_QUERY>  # Ex. sf_metric:"jvm.memory.max" AND area:"nonheap"
        rollup: <ROLLUP>
        target: <TARGET>
        lookback: <LOOKBACK>
        operation: <OPERATION>
  
  # Splunk On-Call (VictorOps)
  x-cortex-oncall:
    victorops:
      type: SCHEDULE
      id: <SCHEDULE_ID>
       
  # Sumo Logic
  x-cortex-slos:
    sumologic:
      - id: 000000000001234
      - id: 000000000006789
      
  # Veracode
  x-cortex-static-analysis:
    veracode:
      applicationNames:
        - My Application
        - Second Application
      sandboxes:
        - applicationName: My Application
          sandboxName: My Sandbox
        - applicationName: Second Application
          sandboxName: Second Sandbox
          
  # Wiz
  x-cortex-wiz:
    projects:
      - projectId: 01234567-e65f-4b7b-a8b1-5b642894ec37
      
  # Workday
  x-cortex-owners:
    - type: group
      name: workday-team-tag
      provider: CORTEX
      description: This is a description for this owner.
      
  # xMatters
  x-cortex-oncall:
    xmatters:
      id: engineering_group
      type: SERVICE

Google

Overview

Google Workspace is an ownership and cloud resources platform.

Integrating Cortex with Google allows you to:

Automatically discover and track ownership of Google entities
Pull in Service Level Objectives (SLOs) from Google Cloud Observability, and
Create that track progress and drive alignment on projects involving your Google resources and teams

For information on configuring Google SSO for logging in to Cortex, see the .

How to configure Google with Cortex

Prerequisites

Before getting started:

Prerequisite 1: Configure a Google service account and copy its client ID.

Create a .

In the Advanced settings, enable Domain-wide Delegation.
Under the Domain-wide Delegation setting, copy the client ID and store it in a secure location; you will need this in the next steps.

The service account should have the following permissions for each project to enable Google Cloud resources:

Google service account permissions

AI Platform → AI Platform Viewer, Dataform Viewer, Cloud Storage for Firebase Viewer, Data Catalog Viewer, Vision AI Viewer, Notebooks Viewer, Dataflow Viewer
Apigee → Cloud Api Hub Viewer

If you'd like to create a custom role with the minimum permissions required to enable this feature, add the following:

Custom role minimum permissions

Prerequisite 2: Configure Google Admin SDK API

Enable the .

Prerequisite 3: Configure Google Cloud resource project permissions

For Google Cloud resources, in each project, enable the following:

Google Cloud resources project permissions

For each project in Vertex AI, enable the following:

Step 1: Configure the integration in Google

In the , navigate to Security > API Controls > Manage Domain Wide Delegation. Click Add new.
Add the client ID you obtained in , and include the following scopes:
- https://www.googleapis.com/auth/admin.directory.group.readonly

Step 2: Configure the integration in Cortex

In Cortex, navigate to the :
- Click Integrations from the main nav. Search for and select Google.
Click Add configuration.
Configure the Google integration form:

By default, a service will have dependencies on any resource with Google Cloud tag label = "service" and tag value = the service's Cortex tag. After saving your integration, you may customize the tag key name here by entering a new name into the Custom label key field. Leave it blank to use "service" as the key name.

Supported Google entity types

Cortex supports pulling in the following entity types from Google:

Supported Google entity types

Google Cloud Vertex AI Batch Prediction Job
Google Cloud Vertex AI Dataset
Google Cloud Vertex AI Endpoint

How to connect Cortex entities to Google

Enable automatic import of Google entities

You can configure automatic import from Google Cloud. Note that this setting does not include team entities.

In Cortex, navigate to .
Next to Auto import from AWS, Azure, and/or Google Cloud, click the toggle to enable the import.\

Import teams from Google

See the for instructions on importing entities.

Automatic ownership of Google entities

Cortex can use Google Groups as an ownership provider, automatically syncing memberships from any Google Group mailing list.

Automatic Google dependency discovery

By default, Cortex will try to automatically discover dependencies between your entities and Google Cloud resources with a matching label. By default the label key that will be matched is service, however you can customize this key value in the Google Cloud .

If you'd like to explicitly define these Google Cloud dependencies, the x-cortex-dependency field should be a map, defined as follows:

Editing the entity descriptor

Groups

The value for name should be the full group email as defined in Google Groups.

Entities

Cortex uses the resource name and project ID to look up catalog entities in your Google Cloud account. Function resource names should be of the format location/function

SLOs

The serviceID value is the value of the Unique ID listed on the .

Using the Google integration

View Google Cloud Observability data in entity pages

After integrating with Google, you will see data from Google Cloud Observability on :

On an entity's overview page, see an overview of SLOs for the entity.
Click Monitoring > Google in an entity's sidebar to see more information about Google SLOs, including the SLO name, its targets, its status, the current value for that entity, and the period of time the SLO is being calculated for. For example, if the time listed is "7 days ago," then the SLO is looking at the time range starting 7 days ago to now.

Scorecards and CQL

With the Google integration, you can create Scorecard rules and write CQL queries based on GCP details, Google Cloud Observability SLOs, and Google teams.

See more examples in the in Cortex.

GCP details

Get the GCP details for the entity.

Definition: gcp.details()

Examples

A Scorecard might include a rule to verify that an entity has GCP details:

You might include a rule to check whether any labels on the GCP recourse are titled origin:

SLOs

SLOs associated with the entity via ID or tags. You can use this data to check whether an entity has SLOs associated with it, and if those SLOs are passing.

Definition: slos: List<SLO>

Example

In a Scorecard, you can use this expression to make sure an entity is passing its SLOs:

Use this expression to make sure latency Service Level Indicator (SLI) value is above 99.99%:

Ownership CQL

All ownership details

A special built-in type that supports a null check or a count check, used to enforce ownership of entities.

Definition: ownership: Ownership | Null

Example

An initial level in a security Scorecard might include a rule to ensure an entity has at least one team as an owner:

All owner details

List of owners, including team members and individual users, for each entity

Definition: ownership.allOwners()

Example

The Scorecard might include a rule to ensure that entity owners all have an email set:

Team details

List of teams for each entity

Definition: ownership.teams(): List<Team>

Example

The Scorecard might include a rule to ensure that an entity owners all have a description and are not archived:

View integration logs

Background sync

Cortex conducts an ownership sync for Google teams every day at 9 a.m. UTC.

Troubleshooting and FAQ

The GCP integration only supports a single service account. Can I work around this?

By default, GCP service accounts are restricted to the project they were created in. If other projects don’t explicitly allow that service account to access their resources, Cortex can’t collect data from them. To work around this, you can configure a principal service account and associate it with multiple projects in GCP. Once the service account is linked to other projects, Cortex can use that service account to pull data from multiple GCP projects.

After creating a service account that is linked to a project, open your second project in GCP and go to IAM & Admin > IAM > Click +Add. Using the service account ID that you already created, add a principal to the project. Repeat these steps for each project.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.