Aggregated Scripts

Details
Content
Dependencies
Version History

A pack containing all aggregated scripts.

What does this pack do?

The Aggregated Scripts pack contains scripts that execute multiple commands, significantly streamlining playbook creation and execution.

What does this pack do?

The Aggregated Scripts pack contains scripts that execute multiple commands, significantly streamlining playbook creation and execution.

Automations

Name	Description
cve-enrichment	Enriches CVE indicators with reputation data from multiple integrations and outputs a consolidated CVEEnrichment object. This script exclusively supports indicators of type CVE and will automatically create the indicator in TIM if it is not already exists.
get-endpoint-data	This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context.
ip-enrichment	Enriches IP indicators with reputation data from multiple integrations and outputs a consolidated IPEnrichment object. This script exclusively supports indicators of type IP and will automatically create the indicator in TIM if it is not already exists. Note: If enabled, get-endpoint-data is executed only for internal IP addresses.
domain-enrichment	Enriches Domain indicators with reputation data from multiple integrations and outputs a consolidated DomainEnrichment object. This script exclusively supports indicators of type Domain and will automatically create the indicator in TIM if it is not already exists.
expire-password	This script expires users password for multiple services.
block-external-ip	The script blocks a list of IP addresses in supported integrations.
isolate-endpoint	This script isolates endpoints using multiple integrations and returns a success or failure message.
clear-user-session	This script clears user sessions across multiple integrations for a list of usernames.
get-user-data	This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.
quarantine-file	This script executes the 'quarantine-file' command on a specified file via the appropriate agent. This script is used to isolate files identified as suspicious. Currently supported brands are "Cortex XDR - IR", "Cortex Core - IR", and "Microsoft Defender Advanced Threat Protection".
indicator-enrichment	Enriches indicators from a provided list or a block of free text. This script detects the indicator type and runs the correct underlying enrichment script. Currently supports: IP, URL, Domain, CVE, and File.
file-enrichment	Enriches File indicators with reputation data from multiple integrations and outputs a consolidated FileEnrichment object. This script exclusively supports indicators of type File and will automatically create the indicator in TIM if it is not already exists. Note: The script runs core-get-hash-analytics-prevalence on SHA256 values only.
disable-user	This script disables users for multiple services.
url-enrichment	Enriches URL indicators with reputation data from multiple integrations and outputs a consolidated URLEnrichment object. This script exclusively supports indicators of type URL and will automatically create the indicator in TIM if it is not already exists.

Automations

Name	Description
get-user-data	This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.
block-external-ip	The script blocks a list of IP addresses in supported integrations.
clear-user-session	This script clears user sessions across multiple integrations for a list of usernames.
disable-user	This script disables users for multiple services.
expire-password	This script expires users password for multiple services.
quarantine-file	This script executes the 'quarantine-file' command on a specified file via the appropriate agent. This script is used to isolate files identified as suspicious. Currently supported brands are "Cortex XDR - IR", "Cortex Core - IR", and "Microsoft Defender Advanced Threat Protection".
cve-enrichment	Enriches CVE indicators with reputation data from multiple integrations and outputs a consolidated CVEEnrichment object. This script exclusively supports indicators of type CVE and will automatically create the indicator in TIM if it is not already exists.
indicator-enrichment	Enriches indicators from a provided list or a block of free text. This script detects the indicator type and runs the correct underlying enrichment script. Currently supports: IP, URL, Domain, CVE, and File.
isolate-endpoint	This script isolates endpoints using multiple integrations and returns a success or failure message.
url-enrichment	Enriches URL indicators with reputation data from multiple integrations and outputs a consolidated URLEnrichment object. This script exclusively supports indicators of type URL and will automatically create the indicator in TIM if it is not already exists.
get-endpoint-data	This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context.
domain-enrichment	Enriches Domain indicators with reputation data from multiple integrations and outputs a consolidated DomainEnrichment object. This script exclusively supports indicators of type Domain and will automatically create the indicator in TIM if it is not already exists.
file-enrichment	Enriches File indicators with reputation data from multiple integrations and outputs a consolidated FileEnrichment object. This script exclusively supports indicators of type File and will automatically create the indicator in TIM if it is not already exists. Note: The script runs core-get-hash-analytics-prevalence on SHA256 values only.
ip-enrichment	Enriches IP indicators with reputation data from multiple integrations and outputs a consolidated IPEnrichment object. This script exclusively supports indicators of type IP and will automatically create the indicator in TIM if it is not already exists. Note: If enabled, get-endpoint-data is executed only for internal IP addresses.

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
WildFire by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

1.3.22 - 6936977 (January 29, 2026)

Scripts

file-enrichment

Added a new output: FileEnrichment.Results.Size

Related pull requests:
- 42378
- 42230
- 42815
- 42788
- 42807
- 42808
- 42818
- 42812
- 42821
- 41995
- 42151
- 42798

Download

1.3.21 - 6920594 (January 28, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 42439

Download

1.3.20 - 6697957 (January 15, 2026)

Scripts

disable-user

Fixed an issue in the disable-user script where disabling users with the Microsoft Graph User brand failed.

Related pull requests:
- 42660

Download

1.3.19 - 6688262 (January 14, 2026)

Scripts

domain-enrichment

Documentation and metadata improvements.

ip-enrichment

Documentation and metadata improvements.

cve-enrichment

Documentation and metadata improvements.

url-enrichment

Documentation and metadata improvements.

file-enrichment

Documentation and metadata improvements.

Related pull requests:
- 42484

Download

1.3.18 - 6631549 (January 11, 2026)

Scripts

domain-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

file-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

ip-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

cve-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

url-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

Related pull requests:
- 42491

Download

1.3.17 - 6597147 (January 7, 2026)

Scripts

get-endpoint-data

Fixed an issue where the script failed due to an indexing error when no results were returned.
Updated the Docker image to: demisto/python3:3.12.12.6391686.

Related pull requests:
- 42520

Download

1.3.16 - 6580350 (January 6, 2026)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

1.3.15 - 6565142 (January 5, 2026)

Scripts

get-user-data

Fixed an issue where integer-only usernames were not supported when provided in the user_name argument.

Related pull requests:
- 42482

Download

1.3.14 - 6456962 (December 28, 2025)

Scripts

indicator-enrichment

Updated the indicator-enrichment script to include TIM Score and CVSS Score in the Human Readable.

ip-enrichment

Updated the file-enrichment script to include TIM Score in the Human Readable.

cve-enrichment

Updated the cve-enrichment script to include TIM CVSS in the Human Readable.

url-enrichment

Updated the url-enrichment script to include TIM Score in the Human Readable.

domain-enrichment

Updated the domain-enrichment script to include TIM Score in the Human Readable.

file-enrichment

Updated the file-enrichment script to include TIM Score in the Human Readable.

Related pull requests:
- 42287

Download

1.3.13 - 6406139 (December 23, 2025)

Scripts

New: expire-password

New: Added the expire-password script that expires users password across multiple services.

Related pull requests:
- 42164

Download

1.3.12 - 6307293 (December 16, 2025)

Scripts

New: indicator-enrichment

New: Added the indicator-enrichment script, which enriches indicators from a provided list or a block of free text. The script detects the indicator type and runs the appropriate enrichment script. Currently supported types: IP, URL, Domain, CVE, and File.

Related pull requests:
- 42070

Download

1.3.11 - 6297667 (December 16, 2025)

Scripts

ip-enrichment

Updated the ip-enrichment script with the following changes:
- Added Context and Human Readable entries for invalid inputs and enrichment failures.
- Running get-endpoint-data only when the IP is internal.
- Treating CIDR and URL/HTTPS inputs as invalid and no longer extracting IPs from them.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

cve-enrichment

Updated the cve-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

url-enrichment

Updated the url-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

domain-enrichment

Updated the domain-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

file-enrichment

Updated the file-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42046

Download

1.3.10 - 6216498 (December 10, 2025)

Scripts

get-user-data

Added support for the properties argument, allowing retrieval of specific fields for Microsoft users. This is supported only for Microsoft Graph User integration.
Added support for user_sid argument which accepts a list of user security identifiers (SIDs) to retrieve. Supported by Active Directory Query v2 integration only.

Related pull requests:
- 42087

Download

1.3.8 - 6154473 (December 5, 2025)

Scripts

file-enrichment

The file-enrichment script has been refactored to align with the other enrichment scripts. The context output structure and execution flow have been updated. Important: please update the 'Cortex Response and Remediation' pack to ensure that no playbook fails.

ip-enrichment

Metadata and documentation improvements.

cve-enrichment

Metadata and documentation improvements.

url-enrichment

Metadata and documentation improvements.

domain-enrichment

Metadata and documentation improvements.

Related pull requests:
- 41764

Download

1.3.7 - 6112909 (December 3, 2025)

Scripts

file-enrichment

Updated the file-enrichment script with metadata.

Related pull requests:
- 42076

Download

1.3.6 - 6046045 (November 27, 2025)

Scripts

clear-user-session

Added support for the user_id argument, a list of user ids to run a session clearance operation for.
Added the use of the gsuite-user-signout command. This adds the ability to clear user session for GSuiteAdmin users.

Related pull requests:
- 41920

Download

1.3.5 - 6012287 (November 25, 2025)

Scripts

disable-user

Updated the disable-user script to support the Okta v2 commands new outputs.

Related pull requests:
- 41864

Download

1.3.4 - 5818832 (November 11, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41805

Download

1.3.3 - 5801457 (November 10, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41857

Download

1.3.2 - R5740182 (November 5, 2025)

Scripts

disable-user

Updated the Docker image to: demisto/python3:3.12.12.5490952.

file-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

url-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cve-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

block-external-ip

Updated the Docker image to: demisto/python3:3.12.12.5490952.

get-user-data

Updated the Docker image to: demisto/python3:3.12.12.5490952.

clear-user-session

Updated the Docker image to: demisto/python3:3.12.12.5490952.

domain-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

1.3.1 - 5698874 (November 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41748

Download

1.3.0 - 5689147 (November 2, 2025)

Scripts

cve-enrichment

New: Added a new script cve-enrichment. This script enriches CVEs using multiple integrations and returns consolidated results under CVEEnrichment context path.

Related pull requests:
- 41298

Download

1.2.6 - 5620515 (October 28, 2025)

Scripts

get-endpoint-data

Documentation and metadata improvements.

Related pull requests:
- 41206

Download

1.2.5 - 5610417 (October 28, 2025)

Scripts

clear-user-session

Support for the 'Preference Center' feature was added to the command.

disable-user

Support for the 'Preference Center' feature was added to the command.

quarantine-file

Support for the 'Preference Center' feature was added to the command.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

isolate-endpoint

Support for the 'Preference Center' feature was added to the command.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

block-external-ip

Support for the 'Preference Center' feature was added to the command.

Related pull requests:
- 41633

Download

1.2.4 - 5538136 (October 23, 2025)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

1.2.3 - 5423932 (October 17, 2025)

Scripts

quarantine-file

Added support for the Microsoft Defender Advanced Threat Protection integration.
Updated the script to no longer use integration context for poll arguments.

Related pull requests:
- 41183

Download

1.2.2 - 5392573 (October 15, 2025)

Scripts

block-external-ip

Fixed an issue where running the block-external-ip script also triggered the unsupported integration CheckPointFirewall_v2, causing an error.

Related pull requests:
- 41512

Download

1.2.1 - 5208238 (September 30, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

1.2.0 - 5200479 (September 30, 2025)

Scripts

url-enrichment

New: Added a new script url-enrichment. This script enriches URLs using multiple integrations and returns consolidated results under URLEnrichment context path.

ip-enrichment

New: Added a new script ip-enrichment. This script enriches IP addresses using multiple integrations and returns consolidated results under IPEnrichment context path.

domain-enrichment

New: Added a new script domain-enrichment. This script enriches domains using multiple integrations and returns consolidated results under DomainEnrichment context path.

Related pull requests:
- 41293
- 41295

Download

1.1.15 - 4915660 (September 17, 2025)

Scripts

block-external-ip

Fixed an issue where the default value of the brands argument was too long and caused the hint option to be hidden.

Related pull requests:
- 41329

Download

1.1.14 - 4895854 (September 15, 2025)

Scripts

get-user-data

Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.

Related pull requests:
- 41213

Download

1.1.13 - 4881695 (September 14, 2025)

Scripts

file-enrichment

Documentation and metadata improvements.

Related pull requests:
- 41214

Download

1.1.12 - 4874171 (September 14, 2025)

Scripts

get-user-data

Added the option to search for a user by email using the Okta v2 integration.

Related pull requests:
- 41171

Download

1.1.11 - 4832662 (September 10, 2025)

Scripts

isolate-endpoint

Updated the isolate-endpoint script to return a success message if the endpoint is already isolated.

Related pull requests:
- 41226

Download

1.1.10 - 4811097 (September 8, 2025)

Scripts

get-user-data

Added support for list_non_risky_users argument that decides whether to return only risky users from core/xdr brands or all given users. if set to true, the execution might take some time.
Added support for Core/XDR list-user command.

Related pull requests:
- 41152

Download

1.1.9 - 4796908 (September 7, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script was missing data for endpoints from the Cortex XDR and Cortex Core integrations due to duplicated host names.

isolate-endpoint

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

disable-user

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

quarantine-file

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

clear-user-session

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

Related pull requests:
- 41194

Download

1.1.7 - 4791557 (September 7, 2025)

Scripts

file-enrichment

Updated the file-enrichment script to not fail when encountering an unknown file hash.

clear-user-session

Documentation and metadata improvements.

disable-user

Documentation and metadata improvements.

isolate-endpoint

Documentation and metadata improvements.

quarantine-file

Documentation and metadata improvements.

block-external-ip

Fixed an issue where disabled instances will keep running when polling.
Updated the Docker image to: demisto/python3:3.12.11.4508456.

Related pull requests:
- 41162
- 41194
- 41175

Download

1.1.5 - 4739218 (September 2, 2025)

Scripts

get-user-data

Fixed an issue where the Username key in the context output for Active Directory users would hold the display name instead of the username.

Related pull requests:
- 41136

Download

1.1.4 - 4726203 (September 1, 2025)

Scripts

get-user-data

Fixed an issue where calling ad-get-user with username didn't work.

Related pull requests:
- 41125

Download

1.1.3 - 4712962 (August 31, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41118

Download

1.1.2 - 4683517 (August 28, 2025)

Scripts

disable-user

Documentation and metadata improvements.

get-user-data

Documentation and metadata improvements.

clear-user-session

Fixed an issue where the script was not returning the correct output.

Related pull requests:
- 41048

Download

1.1.1 - 4669908 (August 27, 2025)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41087

Download

1.1.0 - 4661576 (August 26, 2025)

Scripts

New: isolate-endpoint

New: Added a new script isolate-endpoint. This script isolates endpoints using multiple integrations and returns a success or failure message.

Related pull requests:
- 40792

Download

1.0.21 - 4647015 (August 25, 2025)

Scripts

New: quarantine-file

Added the quarantine-file script, which executes the quarantine-file command on a specified file via the appropriate agent.
This script is used to isolate files identified as suspicious. The integration used to perform the quarantine action is selected either by user input (the brands argument) or based on the available configured instances.

Related pull requests:
- 40779

Download

1.0.20 - 4608444 (August 21, 2025)

Scripts

disable-user

Fixed an issue where disabling users with identical email addresses would only create one context entry.

Related pull requests:
- 41017

Download

1.0.19 - 4595408 (August 20, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script output schema was incorrect.

Related pull requests:
- 41006

Download

1.0.18 - 4583601 (August 20, 2025)

Scripts

file-enrichment

Updated the script to ensure it uses commands from the Cortex XSOAR - IR and Palo Alto Networks WildFire integrations for file analysis when available.
Updated the "enrichment_brands" argument name to "brands" for consistency with other Aggregated Scripts conventions.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40852

Download

1.0.17 - 4555709 (August 17, 2025)

Scripts

get-user-data

Updated the get-user-data script to return details about the user's manager for the Microsoft User Graph integration.

Related pull requests:
- 40958

Download

1.0.16 - 4548978 (August 17, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script would fail when attempting to run with generic command brands.

Related pull requests:
- 40954

Download

1.0.15 - 4527668 (August 14, 2025)

Scripts

New: disable-user

New: Added a new script disable-user that disables users for multiple services.
(Available from Cortex XSOAR 6.10.0).

get-user-data

Added new context outputs to the get-user-data script: UserData.Source and UserData.Instance.
Updated the Docker image to: demisto/python3:3.12.11.4508456

Related pull requests:
- 40768

Download

1.0.14 - 4519710 (August 13, 2025)

Scripts

get-endpoint-data

Fixed an issue where core-list-risky-hosts command was not running as a part of the get-endpoint-data script.
Added the RiskLevel context path to the output for list-risky-hosts command.
Fixed an issue where the script would return duplicated entries for the same brand and endpoint.
Fixed an issue where the script didn't support multiple hostnames for core-list-risky-hosts command.

Related pull requests:
- 40873

Download

1.0.13 - 4492991 (August 11, 2025)

Scripts

get-endpoint-data

Added the using-brand argument in the endpoint command. The script now runs from the default list of brands in the documentation and brands not from the list with endpoint command.
Fixed an issue where the script returned duplicate results for brands that contain the endpoint command.

Related pull requests:
- 40797

Download

1.0.12 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

1.0.11 - 4443508 (August 6, 2025)

Scripts

get-endpoint-data

Fixed an issue where the get-endpoint-data script would fail when running with debug-mode=true in XSIAM.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40836

Download

1.0.10 - 4431069 (August 5, 2025)

Scripts

clear-user-session

Fixed an issue where the script failed to clear user sessions for Microsoft Graph User.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40825

Download

1.0.9 - 4261213 (July 22, 2025)

Scripts

get-endpoint-data

Updated the inputs from agent_id, agent_ip and agent_hostname to endpoint_id, endpoint_ip and endpoint_hostname.
Updated the output structure.
Updated the brand support:
- Removed support for 'Cylance Protect v2', 'VMware Carbon Black EDR v2' and 'ExtraHop v2'.
- Added support for 'FireEyeHX v2'.
Updated the brands argument to support free-text input for multiple brands instead of limiting it to predefined values.

Related pull requests:
- 40691

Download

1.0.7 - 4180042 (July 15, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40581

Download

1.0.6 - 4166662 (July 14, 2025)

Scripts

get-user-data

Updated the get-user-data script to support retrieving users from Active Directory when providing a user with a domain.

Related pull requests:
- 40588

Download

1.0.5 - 4130170 (July 10, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

1.0.4 - 4126849 (July 10, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 39712
- 40179

Download

1.0.3 - 4049458 (July 3, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

1.0.2 - 4029801 (July 1, 2025)

Scripts

block-external-ip

block-external-ip moved from CommonScripts.

get-endpoint-data

get-endpoint-data moved from CommonScripts.

clear-user-session

clear-user-session moved from CommonScripts.

Related pull requests:
- 40431

Download

1.0.1 - 4023265 (July 1, 2025)

Scripts

get-user-data

get-user-data moved from CommonScripts.
Added the additional_fields argument to control whether supplementary fields are included in the script's output. Set it to true to include them.
Documentation and metadata improvements.

Related pull requests:
- 40180

Download

1.0.0 - 3980324 (June 18, 2025)

A pack containing all aggregated scripts.

Download

1.3.22 - 6936977 (January 29, 2026)

Scripts

file-enrichment

Added a new output: FileEnrichment.Results.Size

Related pull requests:
- 42378
- 42230
- 42815
- 42788
- 42807
- 42808
- 42818
- 42812
- 42821
- 41995
- 42151
- 42798

Download

1.3.21 - 6920581 (January 28, 2026)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 42439

Download

1.3.20 - 6697957 (January 15, 2026)

Scripts

disable-user

Fixed an issue in the disable-user script where disabling users with the Microsoft Graph User brand failed.

Related pull requests:
- 42660

Download

1.3.19 - 6688262 (January 14, 2026)

Scripts

domain-enrichment

Documentation and metadata improvements.

ip-enrichment

Documentation and metadata improvements.

cve-enrichment

Documentation and metadata improvements.

url-enrichment

Documentation and metadata improvements.

file-enrichment

Documentation and metadata improvements.

Related pull requests:
- 42484

Download

1.3.18 - 6631549 (January 11, 2026)

Scripts

domain-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

file-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

ip-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

cve-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

url-enrichment

Updated the script to support only Cortex XSOAR 8 and XSIAM. Older versions are no longer supported.

Related pull requests:
- 42491

Download

1.3.17 - 6609623 (January 8, 2026)

Scripts

get-endpoint-data

Fixed an issue where the script failed due to an indexing error when no results were returned.
Updated the Docker image to: demisto/python3:3.12.12.6391686.

Related pull requests:
- 42520

Download

1.3.16 - 6580350 (January 6, 2026)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

1.3.15 - 6565142 (January 5, 2026)

Scripts

get-user-data

Fixed an issue where integer-only usernames were not supported when provided in the user_name argument.

Related pull requests:
- 42482

Download

1.3.14 - 6456962 (December 28, 2025)

Scripts

indicator-enrichment

Updated the indicator-enrichment script to include TIM Score and CVSS Score in the Human Readable.

ip-enrichment

Updated the file-enrichment script to include TIM Score in the Human Readable.

cve-enrichment

Updated the cve-enrichment script to include TIM CVSS in the Human Readable.

url-enrichment

Updated the url-enrichment script to include TIM Score in the Human Readable.

domain-enrichment

Updated the domain-enrichment script to include TIM Score in the Human Readable.

file-enrichment

Updated the file-enrichment script to include TIM Score in the Human Readable.

Related pull requests:
- 42287

Download

1.3.13 - 6406139 (December 23, 2025)

Scripts

New: expire-password

New: Added the expire-password script that expires users password across multiple services.

Related pull requests:
- 42164

Download

1.3.12 - 6307293 (December 16, 2025)

Scripts

New: indicator-enrichment

New: Added the indicator-enrichment script, which enriches indicators from a provided list or a block of free text. The script detects the indicator type and runs the appropriate enrichment script. Currently supported types: IP, URL, Domain, CVE, and File.

Related pull requests:
- 42070

Download

1.3.11 - 6297667 (December 16, 2025)

Scripts

ip-enrichment

Updated the ip-enrichment script with the following changes:
- Added Context and Human Readable entries for invalid inputs and enrichment failures.
- Running get-endpoint-data only when the IP is internal.
- Treating CIDR and URL/HTTPS inputs as invalid and no longer extracting IPs from them.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

cve-enrichment

Updated the cve-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

url-enrichment

Updated the url-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

domain-enrichment

Updated the domain-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

file-enrichment

Updated the file-enrichment script to include Context and Human Readable entries for invalid inputs and enrichment failures.
Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42046

Download

1.3.10 - 6216498 (December 10, 2025)

Scripts

get-user-data

Added support for the properties argument, allowing retrieval of specific fields for Microsoft users. This is supported only for Microsoft Graph User integration.
Added support for user_sid argument which accepts a list of user security identifiers (SIDs) to retrieve. Supported by Active Directory Query v2 integration only.

Related pull requests:
- 42087

Download

1.3.8 - 6154473 (December 5, 2025)

Scripts

file-enrichment

The file-enrichment script has been refactored to align with the other enrichment scripts. The context output structure and execution flow have been updated. Important: please update the 'Cortex Response and Remediation' pack to ensure that no playbook fails.

ip-enrichment

Metadata and documentation improvements.

cve-enrichment

Metadata and documentation improvements.

url-enrichment

Metadata and documentation improvements.

domain-enrichment

Metadata and documentation improvements.

Related pull requests:
- 41764

Download

1.3.7 - 6112909 (December 3, 2025)

Scripts

file-enrichment

Updated the file-enrichment script with metadata.

Related pull requests:
- 42076

Download

1.3.6 - 6046045 (November 27, 2025)

Scripts

clear-user-session

Added support for the user_id argument, a list of user ids to run a session clearance operation for.
Added the use of the gsuite-user-signout command. This adds the ability to clear user session for GSuiteAdmin users.

Related pull requests:
- 41920

Download

1.3.5 - 6012287 (November 25, 2025)

Scripts

disable-user

Updated the disable-user script to support the Okta v2 commands new outputs.

Related pull requests:
- 41864

Download

1.3.4 - 5818832 (November 11, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41805

Download

1.3.3 - 5801457 (November 10, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41857

Download

1.3.2 - R5740182 (November 5, 2025)

Scripts

disable-user

Updated the Docker image to: demisto/python3:3.12.12.5490952.

file-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

url-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cve-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

block-external-ip

Updated the Docker image to: demisto/python3:3.12.12.5490952.

get-user-data

Updated the Docker image to: demisto/python3:3.12.12.5490952.

clear-user-session

Updated the Docker image to: demisto/python3:3.12.12.5490952.

domain-enrichment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

1.3.1 - 5698874 (November 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41748

Download

1.3.0 - 5689147 (November 2, 2025)

Scripts

cve-enrichment

New: Added a new script cve-enrichment. This script enriches CVEs using multiple integrations and returns consolidated results under CVEEnrichment context path.

Related pull requests:
- 41298

Download

1.2.6 - 5620515 (October 28, 2025)

Scripts

get-endpoint-data

Documentation and metadata improvements.

Related pull requests:
- 41206

Download

1.2.5 - 5610417 (October 28, 2025)

Scripts

clear-user-session

Support for the 'Preference Center' feature was added to the command.

disable-user

Support for the 'Preference Center' feature was added to the command.

quarantine-file

Support for the 'Preference Center' feature was added to the command.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

isolate-endpoint

Support for the 'Preference Center' feature was added to the command.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

block-external-ip

Support for the 'Preference Center' feature was added to the command.

Related pull requests:
- 41633

Download

1.2.4 - 5538136 (October 23, 2025)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

1.2.3 - 5423932 (October 17, 2025)

Scripts

quarantine-file

Added support for the Microsoft Defender Advanced Threat Protection integration.
Updated the script to no longer use integration context for poll arguments.

Related pull requests:
- 41183

Download

1.2.2 - 5392573 (October 15, 2025)

Scripts

block-external-ip

Fixed an issue where running the block-external-ip script also triggered the unsupported integration CheckPointFirewall_v2, causing an error.

Related pull requests:
- 41512

Download

1.2.1 - 5212533 (October 1, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

1.2.0 - 5200479 (September 30, 2025)

Scripts

url-enrichment

New: Added a new script url-enrichment. This script enriches URLs using multiple integrations and returns consolidated results under URLEnrichment context path.

ip-enrichment

New: Added a new script ip-enrichment. This script enriches IP addresses using multiple integrations and returns consolidated results under IPEnrichment context path.

domain-enrichment

New: Added a new script domain-enrichment. This script enriches domains using multiple integrations and returns consolidated results under DomainEnrichment context path.

Related pull requests:
- 41293
- 41295

Download

1.1.15 - 4915660 (September 17, 2025)

Scripts

block-external-ip

Fixed an issue where the default value of the brands argument was too long and caused the hint option to be hidden.

Related pull requests:
- 41329

Download

1.1.14 - 4895854 (September 15, 2025)

Scripts

get-user-data

Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.

Related pull requests:
- 41213

Download

1.1.13 - 4881695 (September 14, 2025)

Scripts

file-enrichment

Documentation and metadata improvements.

Related pull requests:
- 41214

Download

1.1.12 - 4874171 (September 14, 2025)

Scripts

get-user-data

Added the option to search for a user by email using the Okta v2 integration.

Related pull requests:
- 41171

Download

1.1.11 - 4832662 (September 10, 2025)

Scripts

isolate-endpoint

Updated the isolate-endpoint script to return a success message if the endpoint is already isolated.

Related pull requests:
- 41226

Download

1.1.10 - 4811097 (September 8, 2025)

Scripts

get-user-data

Added support for list_non_risky_users argument that decides whether to return only risky users from core/xdr brands or all given users. if set to true, the execution might take some time.
Added support for Core/XDR list-user command.

Related pull requests:
- 41152

Download

1.1.9 - 4796908 (September 7, 2025)

Scripts

file-enrichment

Updated the file-enrichment script to not fail when encountering an unknown file hash.

clear-user-session

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

disable-user

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

isolate-endpoint

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

quarantine-file

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

block-external-ip

Fixed an issue where disabled instances will keep running when polling.
Updated the Docker image to: demisto/python3:3.12.11.4508456.

get-endpoint-data

Fixed an issue where the script was missing data for endpoints from the Cortex XDR and Cortex Core integrations due to duplicated host names.

Related pull requests:
- 41194

Download

1.1.5 - 4739218 (September 2, 2025)

Scripts

get-user-data

Fixed an issue where the Username key in the context output for Active Directory users would hold the display name instead of the username.

Related pull requests:
- 41136

Download

1.1.4 - 4726203 (September 1, 2025)

Scripts

get-user-data

Fixed an issue where calling ad-get-user with username didn't work.

Related pull requests:
- 41125

Download

1.1.3 - 4712962 (August 31, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41118

Download

1.1.2 - 4683517 (August 28, 2025)

Scripts

disable-user

Documentation and metadata improvements.

get-user-data

Documentation and metadata improvements.

clear-user-session

Fixed an issue where the script was not returning the correct output.

Related pull requests:
- 41048

Download

1.1.1 - 4669908 (August 27, 2025)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41087

Download

1.1.0 - 4661576 (August 26, 2025)

Scripts

New: isolate-endpoint

New: Added a new script isolate-endpoint. This script isolates endpoints using multiple integrations and returns a success or failure message.

Related pull requests:
- 40792

Download

1.0.21 - 4647015 (August 25, 2025)

Scripts

New: quarantine-file

Related pull requests:
- 40779

Download

1.0.20 - 4608444 (August 21, 2025)

Scripts

disable-user

Fixed an issue where disabling users with identical email addresses would only create one context entry.

Related pull requests:
- 41017

Download

1.0.19 - 4595408 (August 20, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script output schema was incorrect.

Related pull requests:
- 41006

Download

1.0.18 - 4583601 (August 20, 2025)

Scripts

file-enrichment

Updated the script to ensure it uses commands from the Cortex XSOAR - IR and Palo Alto Networks WildFire integrations for file analysis when available.
Updated the "enrichment_brands" argument name to "brands" for consistency with other Aggregated Scripts conventions.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40852

Download

1.0.17 - 4555709 (August 17, 2025)

Scripts

get-user-data

Updated the get-user-data script to return details about the user's manager for the Microsoft User Graph integration.

Related pull requests:
- 40958

Download

1.0.16 - 4548978 (August 17, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script would fail when attempting to run with generic command brands.

Related pull requests:
- 40954

Download

1.0.15 - 4527668 (August 14, 2025)

Scripts

New: disable-user

New: Added a new script disable-user that disables users for multiple services.

get-user-data

Added new context outputs to the get-user-data script: UserData.Source and UserData.Instance.
Updated the Docker image to: demisto/python3:3.12.11.4508456

Related pull requests:
- 40768

Download

1.0.14 - 4524270 (August 14, 2025)

Scripts

get-endpoint-data

Fixed an issue where core-list-risky-hosts command was not running as a part of the get-endpoint-data script.
Added the RiskLevel context path to the output for list-risky-hosts command.
Fixed an issue where the script would return duplicated entries for the same brand and endpoint.
Fixed an issue where the script didn't support multiple hostnames for core-list-risky-hosts command.

Related pull requests:
- 40873

Download

1.0.13 - 4492991 (August 11, 2025)

Scripts

get-endpoint-data

Added the using-brand argument in the endpoint command. The script now runs from the default list of brands in the documentation and brands not from the list with endpoint command.
Fixed an issue where the script returned duplicate results for brands that contain the endpoint command.

Related pull requests:
- 40797

Download

1.0.12 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

1.0.11 - 4443508 (August 6, 2025)

Scripts

get-endpoint-data

Fixed an issue where the get-endpoint-data script would fail when running with debug-mode=true in XSIAM.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40836

Download

1.0.10 - 4431069 (August 5, 2025)

Scripts

clear-user-session

Fixed an issue where the script failed to clear user sessions for Microsoft Graph User.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40825

Download

1.0.9 - 4261213 (July 22, 2025)

Scripts

get-endpoint-data

Updated the inputs from agent_id, agent_ip and agent_hostname to endpoint_id, endpoint_ip and endpoint_hostname.
Updated the output structure.
Updated the brand support:
- Removed support for 'Cylance Protect v2', 'VMware Carbon Black EDR v2' and 'ExtraHop v2'.
- Added support for 'FireEyeHX v2'.
Updated the brands argument to support free-text input for multiple brands instead of limiting it to predefined values.

Related pull requests:
- 40691

Download

1.0.7 - 4180042 (July 15, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40581

Download

1.0.6 - 4166662 (July 14, 2025)

Scripts

get-user-data

Updated the get-user-data script to support retrieving users from Active Directory when providing a user with a domain.

Related pull requests:
- 40588

Download

1.0.5 - 4130170 (July 10, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

1.0.4 - 4126849 (July 10, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 39712
- 40179

Download

1.0.3 - 4049458 (July 3, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

1.0.2 - 4029801 (July 1, 2025)

Scripts

block-external-ip

block-external-ip moved from CommonScripts.

get-endpoint-data

get-endpoint-data moved from CommonScripts.

clear-user-session

clear-user-session moved from CommonScripts.

Related pull requests:
- 40431

Download

1.0.1 - 4023265 (July 1, 2025)

Scripts

get-user-data

get-user-data moved from CommonScripts.
Added the additional_fields argument to control whether supplementary fields are included in the script's output. Set it to true to include them.
Documentation and metadata improvements.

Related pull requests:
- 40180

Download

1.0.0 - 3980324 (June 18, 2025)

A pack containing all aggregated scripts.

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	June 18, 2025
Last Release	January 29, 2026

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.