Aggregated Scripts

Details
Content
Dependencies
Version History

A pack containing all aggregated scripts.

The Aggregated Scripts pack contains scripts that execute multiple commands, significantly streamlining playbook creation and execution.

What does this pack do?

File indicator enrichment using an array file hashes.

The Aggregated Scripts pack contains scripts that execute multiple commands, significantly streamlining playbook creation and execution.

What does this pack do?

File indicator enrichment using an array file hashes.

Automations

Name	Description
get-endpoint-data	This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context.
domain-enrichment	This script enriches Domains data with information from multiple integrations and returns a "DomainEnrichment" object with consolidated information in the context output.
isolate-endpoint	This script isolates endpoints using multiple integrations and returns a success or failure message.
url-enrichment	This script gathers URL reputation data from multiple integrations and returns a "URLEnrichment" object with consolidated information in the context output.
ip-enrichment	This script gathers IP reputation data from multiple integrations and returns an IP entity with consolidated information in the context.
disable-user	This script disables users for multiple services.
file-enrichment	This script gathers file reputation data from multiple integrations and returns a "FileEnrichment" object with consolidated information to the context output.
block-external-ip	The script blocks a list of IP addresses in supported integrations.
get-user-data	This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.
clear-user-session	This script clears user sessions across multiple integrations for a list of usernames.
quarantine-file	This script executes the 'quarantine-file' command on a specified file via the appropriate agent. This script is used to isolate files identified as suspicious.

Automations

Name	Description
get-endpoint-data	This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context.
ip-enrichment	This script gathers IP reputation data from multiple integrations and returns an IP entity with consolidated information in the context.
quarantine-file	This script executes the 'quarantine-file' command on a specified file via the appropriate agent. This script is used to isolate files identified as suspicious.
file-enrichment	This script gathers file reputation data from multiple integrations and returns a "FileEnrichment" object with consolidated information to the context output.
clear-user-session	This script clears user sessions across multiple integrations for a list of usernames.
url-enrichment	This script gathers URL reputation data from multiple integrations and returns a "URLEnrichment" object with consolidated information in the context output.
domain-enrichment	This script enriches Domains data with information from multiple integrations and returns a "DomainEnrichment" object with consolidated information in the context output.
get-user-data	This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.
isolate-endpoint	This script isolates endpoints using multiple integrations and returns a success or failure message.
disable-user	This script disables users for multiple services.
block-external-ip	The script blocks a list of IP addresses in supported integrations.

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
WildFire by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

1.2.1 - 5208238 (September 30, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

1.2.0 - 5200479 (September 30, 2025)

Scripts

url-enrichment

New: Added a new script url-enrichment. This script enriches URLs using multiple integrations and returns consolidated results under URLEnrichment context path.

ip-enrichment

New: Added a new script ip-enrichment. This script enriches IP addresses using multiple integrations and returns consolidated results under IPEnrichment context path.

domain-enrichment

New: Added a new script domain-enrichment. This script enriches domains using multiple integrations and returns consolidated results under DomainEnrichment context path.

Related pull requests:
- 41293
- 41295

Download

1.1.15 - 4915660 (September 17, 2025)

Scripts

block-external-ip

Fixed an issue where the default value of the brands argument was too long and caused the hint option to be hidden.

Related pull requests:
- 41329

Download

1.1.14 - 4895854 (September 15, 2025)

Scripts

get-user-data

Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.

Related pull requests:
- 41213

Download

1.1.13 - 4881695 (September 14, 2025)

Scripts

file-enrichment

Documentation and metadata improvements.

Related pull requests:
- 41214

Download

1.1.12 - 4874171 (September 14, 2025)

Scripts

get-user-data

Added the option to search for a user by email using the Okta v2 integration.

Related pull requests:
- 41171

Download

1.1.11 - 4832662 (September 10, 2025)

Scripts

isolate-endpoint

Updated the isolate-endpoint script to return a success message if the endpoint is already isolated.

Related pull requests:
- 41226

Download

1.1.10 - 4811097 (September 8, 2025)

Scripts

get-user-data

Added support for list_non_risky_users argument that decides whether to return only risky users from core/xdr brands or all given users. if set to true, the execution might take some time.
Added support for Core/XDR list-user command.

Related pull requests:
- 41152

Download

1.1.9 - 4796908 (September 7, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script was missing data for endpoints from the Cortex XDR and Cortex Core integrations due to duplicated host names.

isolate-endpoint

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

disable-user

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

quarantine-file

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

clear-user-session

Fixed an issue where the script would fail to appear in the playground due to malformed structure.

Related pull requests:
- 41194

Download

1.1.7 - 4791557 (September 7, 2025)

Scripts

file-enrichment

Updated the file-enrichment script to not fail when encountering an unknown file hash.

clear-user-session

Documentation and metadata improvements.

disable-user

Documentation and metadata improvements.

isolate-endpoint

Documentation and metadata improvements.

quarantine-file

Documentation and metadata improvements.

block-external-ip

Fixed an issue where disabled instances will keep running when polling.
Updated the Docker image to: demisto/python3:3.12.11.4508456.

Related pull requests:
- 41162
- 41194
- 41175

Download

1.1.5 - 4739218 (September 2, 2025)

Scripts

get-user-data

Fixed an issue where the Username key in the context output for Active Directory users would hold the display name instead of the username.

Related pull requests:
- 41136

Download

1.1.4 - 4726203 (September 1, 2025)

Scripts

get-user-data

Fixed an issue where calling ad-get-user with username didn't work.

Related pull requests:
- 41125

Download

1.1.3 - 4712962 (August 31, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41118

Download

1.1.2 - 4683517 (August 28, 2025)

Scripts

disable-user

Documentation and metadata improvements.

get-user-data

Documentation and metadata improvements.

clear-user-session

Fixed an issue where the script was not returning the correct output.

Related pull requests:
- 41048

Download

1.1.1 - 4669908 (August 27, 2025)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41087

Download

1.1.0 - 4661576 (August 26, 2025)

Scripts

New: isolate-endpoint

New: Added a new script isolate-endpoint. This script isolates endpoints using multiple integrations and returns a success or failure message.

Related pull requests:
- 40792

Download

1.0.21 - 4647015 (August 25, 2025)

Scripts

New: quarantine-file

Added the quarantine-file script, which executes the quarantine-file command on a specified file via the appropriate agent.
This script is used to isolate files identified as suspicious. The integration used to perform the quarantine action is selected either by user input (the brands argument) or based on the available configured instances.

Related pull requests:
- 40779

Download

1.0.20 - 4608444 (August 21, 2025)

Scripts

disable-user

Fixed an issue where disabling users with identical email addresses would only create one context entry.

Related pull requests:
- 41017

Download

1.0.19 - 4595408 (August 20, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script output schema was incorrect.

Related pull requests:
- 41006

Download

1.0.18 - 4583601 (August 20, 2025)

Scripts

file-enrichment

Updated the script to ensure it uses commands from the Cortex XSOAR - IR and Palo Alto Networks WildFire integrations for file analysis when available.
Updated the "enrichment_brands" argument name to "brands" for consistency with other Aggregated Scripts conventions.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40852

Download

1.0.17 - 4555709 (August 17, 2025)

Scripts

get-user-data

Updated the get-user-data script to return details about the user's manager for the Microsoft User Graph integration.

Related pull requests:
- 40958

Download

1.0.16 - 4548978 (August 17, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script would fail when attempting to run with generic command brands.

Related pull requests:
- 40954

Download

1.0.15 - 4527668 (August 14, 2025)

Scripts

New: disable-user

New: Added a new script disable-user that disables users for multiple services.
(Available from Cortex XSOAR 6.10.0).

get-user-data

Added new context outputs to the get-user-data script: UserData.Source and UserData.Instance.
Updated the Docker image to: demisto/python3:3.12.11.4508456

Related pull requests:
- 40768

Download

1.0.14 - 4519710 (August 13, 2025)

Scripts

get-endpoint-data

Fixed an issue where core-list-risky-hosts command was not running as a part of the get-endpoint-data script.
Added the RiskLevel context path to the output for list-risky-hosts command.
Fixed an issue where the script would return duplicated entries for the same brand and endpoint.
Fixed an issue where the script didn't support multiple hostnames for core-list-risky-hosts command.

Related pull requests:
- 40873

Download

1.0.13 - 4492991 (August 11, 2025)

Scripts

get-endpoint-data

Added the using-brand argument in the endpoint command. The script now runs from the default list of brands in the documentation and brands not from the list with endpoint command.
Fixed an issue where the script returned duplicate results for brands that contain the endpoint command.

Related pull requests:
- 40797

Download

1.0.12 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

1.0.11 - 4443508 (August 6, 2025)

Scripts

get-endpoint-data

Fixed an issue where the get-endpoint-data script would fail when running with debug-mode=true in XSIAM.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40836

Download

1.0.10 - 4431069 (August 5, 2025)

Scripts

clear-user-session

Fixed an issue where the script failed to clear user sessions for Microsoft Graph User.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40825

Download

1.0.9 - 4261213 (July 22, 2025)

Scripts

get-endpoint-data

Updated the inputs from agent_id, agent_ip and agent_hostname to endpoint_id, endpoint_ip and endpoint_hostname.
Updated the output structure.
Updated the brand support:
- Removed support for 'Cylance Protect v2', 'VMware Carbon Black EDR v2' and 'ExtraHop v2'.
- Added support for 'FireEyeHX v2'.
Updated the brands argument to support free-text input for multiple brands instead of limiting it to predefined values.

Related pull requests:
- 40691

Download

1.0.7 - 4180042 (July 15, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40581

Download

1.0.6 - 4166662 (July 14, 2025)

Scripts

get-user-data

Updated the get-user-data script to support retrieving users from Active Directory when providing a user with a domain.

Related pull requests:
- 40588

Download

1.0.5 - 4130170 (July 10, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

1.0.4 - 4126849 (July 10, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 39712
- 40179

Download

1.0.3 - 4049458 (July 3, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

1.0.2 - 4029801 (July 1, 2025)

Scripts

block-external-ip

block-external-ip moved from CommonScripts.

get-endpoint-data

get-endpoint-data moved from CommonScripts.

clear-user-session

clear-user-session moved from CommonScripts.

Related pull requests:
- 40431

Download

1.0.1 - 4023265 (July 1, 2025)

Scripts

get-user-data

get-user-data moved from CommonScripts.
Added the additional_fields argument to control whether supplementary fields are included in the script's output. Set it to true to include them.
Documentation and metadata improvements.

Related pull requests:
- 40180

Download

1.0.0 - 3980324 (June 18, 2025)

A pack containing all aggregated scripts.

Download

1.2.1 - 5212533 (October 1, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

1.2.0 - 5200479 (September 30, 2025)

Scripts

url-enrichment

New: Added a new script url-enrichment. This script enriches URLs using multiple integrations and returns consolidated results under URLEnrichment context path.

ip-enrichment

New: Added a new script ip-enrichment. This script enriches IP addresses using multiple integrations and returns consolidated results under IPEnrichment context path.

domain-enrichment

New: Added a new script domain-enrichment. This script enriches domains using multiple integrations and returns consolidated results under DomainEnrichment context path.

Related pull requests:
- 41293
- 41295

Download

1.1.15 - 4915660 (September 17, 2025)

Scripts

block-external-ip

Fixed an issue where the default value of the brands argument was too long and caused the hint option to be hidden.

Related pull requests:
- 41329

Download

1.1.14 - 4895854 (September 15, 2025)

Scripts

get-user-data

Fixed the get-user-data script to search Active Directory using the username argument instead of the name argument.

Related pull requests:
- 41213

Download

1.1.13 - 4881695 (September 14, 2025)

Scripts

file-enrichment

Documentation and metadata improvements.

Related pull requests:
- 41214

Download

1.1.12 - 4874171 (September 14, 2025)

Scripts

get-user-data

Added the option to search for a user by email using the Okta v2 integration.

Related pull requests:
- 41171

Download

1.1.11 - 4832662 (September 10, 2025)

Scripts

isolate-endpoint

Updated the isolate-endpoint script to return a success message if the endpoint is already isolated.

Related pull requests:
- 41226

Download

1.1.10 - 4811097 (September 8, 2025)

Scripts

get-user-data

Added support for list_non_risky_users argument that decides whether to return only risky users from core/xdr brands or all given users. if set to true, the execution might take some time.
Added support for Core/XDR list-user command.

Related pull requests:
- 41152

Download

1.1.9 - 4796908 (September 7, 2025)

Scripts

file-enrichment

Updated the file-enrichment script to not fail when encountering an unknown file hash.

clear-user-session

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

disable-user

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

isolate-endpoint

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

quarantine-file

Documentation and metadata improvements.
Fixed an issue where the script would fail to appear in the playground due to malformed structure.

block-external-ip

Fixed an issue where disabled instances will keep running when polling.
Updated the Docker image to: demisto/python3:3.12.11.4508456.

get-endpoint-data

Fixed an issue where the script was missing data for endpoints from the Cortex XDR and Cortex Core integrations due to duplicated host names.

Related pull requests:
- 41194

Download

1.1.5 - 4739218 (September 2, 2025)

Scripts

get-user-data

Fixed an issue where the Username key in the context output for Active Directory users would hold the display name instead of the username.

Related pull requests:
- 41136

Download

1.1.4 - 4726203 (September 1, 2025)

Scripts

get-user-data

Fixed an issue where calling ad-get-user with username didn't work.

Related pull requests:
- 41125

Download

1.1.3 - 4712962 (August 31, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41118

Download

1.1.2 - 4683517 (August 28, 2025)

Scripts

disable-user

Documentation and metadata improvements.

get-user-data

Documentation and metadata improvements.

clear-user-session

Fixed an issue where the script was not returning the correct output.

Related pull requests:
- 41048

Download

1.1.1 - 4669908 (August 27, 2025)

Aggregated Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41087

Download

1.1.0 - 4661576 (August 26, 2025)

Scripts

New: isolate-endpoint

New: Added a new script isolate-endpoint. This script isolates endpoints using multiple integrations and returns a success or failure message.

Related pull requests:
- 40792

Download

1.0.21 - 4647015 (August 25, 2025)

Scripts

New: quarantine-file

Related pull requests:
- 40779

Download

1.0.20 - 4608444 (August 21, 2025)

Scripts

disable-user

Fixed an issue where disabling users with identical email addresses would only create one context entry.

Related pull requests:
- 41017

Download

1.0.19 - 4595408 (August 20, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script output schema was incorrect.

Related pull requests:
- 41006

Download

1.0.18 - 4583601 (August 20, 2025)

Scripts

file-enrichment

Updated the script to ensure it uses commands from the Cortex XSOAR - IR and Palo Alto Networks WildFire integrations for file analysis when available.
Updated the "enrichment_brands" argument name to "brands" for consistency with other Aggregated Scripts conventions.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40852

Download

1.0.17 - 4555709 (August 17, 2025)

Scripts

get-user-data

Updated the get-user-data script to return details about the user's manager for the Microsoft User Graph integration.

Related pull requests:
- 40958

Download

1.0.16 - 4548978 (August 17, 2025)

Scripts

get-endpoint-data

Fixed an issue where the script would fail when attempting to run with generic command brands.

Related pull requests:
- 40954

Download

1.0.15 - 4527668 (August 14, 2025)

Scripts

New: disable-user

New: Added a new script disable-user that disables users for multiple services.

get-user-data

Added new context outputs to the get-user-data script: UserData.Source and UserData.Instance.
Updated the Docker image to: demisto/python3:3.12.11.4508456

Related pull requests:
- 40768

Download

1.0.14 - 4524270 (August 14, 2025)

Scripts

get-endpoint-data

Fixed an issue where core-list-risky-hosts command was not running as a part of the get-endpoint-data script.
Added the RiskLevel context path to the output for list-risky-hosts command.
Fixed an issue where the script would return duplicated entries for the same brand and endpoint.
Fixed an issue where the script didn't support multiple hostnames for core-list-risky-hosts command.

Related pull requests:
- 40873

Download

1.0.13 - 4492991 (August 11, 2025)

Scripts

get-endpoint-data

Added the using-brand argument in the endpoint command. The script now runs from the default list of brands in the documentation and brands not from the list with endpoint command.
Fixed an issue where the script returned duplicate results for brands that contain the endpoint command.

Related pull requests:
- 40797

Download

1.0.12 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

1.0.11 - 4443508 (August 6, 2025)

Scripts

get-endpoint-data

Fixed an issue where the get-endpoint-data script would fail when running with debug-mode=true in XSIAM.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40836

Download

1.0.10 - 4431069 (August 5, 2025)

Scripts

clear-user-session

Fixed an issue where the script failed to clear user sessions for Microsoft Graph User.
Updated the Docker image to: demisto/python3:3.12.11.4417419.

Related pull requests:
- 40825

Download

1.0.9 - 4261213 (July 22, 2025)

Scripts

get-endpoint-data

Updated the inputs from agent_id, agent_ip and agent_hostname to endpoint_id, endpoint_ip and endpoint_hostname.
Updated the output structure.
Updated the brand support:
- Removed support for 'Cylance Protect v2', 'VMware Carbon Black EDR v2' and 'ExtraHop v2'.
- Added support for 'FireEyeHX v2'.
Updated the brands argument to support free-text input for multiple brands instead of limiting it to predefined values.

Related pull requests:
- 40691

Download

1.0.7 - 4180042 (July 15, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40581

Download

1.0.6 - 4166662 (July 14, 2025)

Scripts

get-user-data

Updated the get-user-data script to support retrieving users from Active Directory when providing a user with a domain.

Related pull requests:
- 40588

Download

1.0.5 - 4130170 (July 10, 2025)

Aggregated Scripts

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

1.0.4 - 4126849 (July 10, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 39712
- 40179

Download

1.0.3 - 4049458 (July 3, 2025)

Aggregated Scripts

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

1.0.2 - 4029801 (July 1, 2025)

Scripts

block-external-ip

block-external-ip moved from CommonScripts.

get-endpoint-data

get-endpoint-data moved from CommonScripts.

clear-user-session

clear-user-session moved from CommonScripts.

Related pull requests:
- 40431

Download

1.0.1 - 4023265 (July 1, 2025)

Scripts

get-user-data

get-user-data moved from CommonScripts.
Added the additional_fields argument to control whether supplementary fields are included in the script's output. Set it to true to include them.
Documentation and metadata improvements.

Related pull requests:
- 40180

Download

1.0.0 - 3980324 (June 18, 2025)

A pack containing all aggregated scripts.

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	June 18, 2025
Last Release	September 30, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.