The Aggregated Scripts pack contains scripts that execute multiple commands, significantly streamlining playbook creation and execution.
What does this pack do?
- File indicator enrichment using an array file hashes.
Aggregated Scripts
- Details
- Content
- Dependencies
- Version History
A pack containing all aggregated scripts.
The Aggregated Scripts pack contains scripts that execute multiple commands, significantly streamlining playbook creation and execution.
What does this pack do?
- File indicator enrichment using an array file hashes.
Automations
| Name | Description |
|---|---|
| file-enrichment | This script gathers file reputation data from multiple integrations and returns a "FileEnrichment" object with consolidated information to the context output. |
| url-enrichment | This script gathers URL reputation data from multiple integrations and returns a "URLEnrichment" object with consolidated information in the context output. |
| domain-enrichment | This script enriches Domains data with information from multiple integrations and returns a "DomainEnrichment" object with consolidated information in the context output. |
| isolate-endpoint | This script isolates endpoints using multiple integrations and returns a success or failure message. |
| block-external-ip | The script blocks a list of IP addresses in supported integrations. |
| ip-enrichment | This script gathers IP reputation data from multiple integrations and returns an IP entity with consolidated information in the context. |
| quarantine-file | This script executes the 'quarantine-file' command on a specified file via the appropriate agent. This script is used to isolate files identified as suspicious. Currently supported brands are "Cortex XDR - IR", "Cortex Core - IR", and "Microsoft Defender Advanced Threat Protection". |
| get-endpoint-data | This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context. |
| get-user-data | This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. |
| disable-user | This script disables users for multiple services. |
| clear-user-session | This script clears user sessions across multiple integrations for a list of usernames. |
Automations
| Name | Description |
|---|---|
| url-enrichment | This script gathers URL reputation data from multiple integrations and returns a "URLEnrichment" object with consolidated information in the context output. |
| disable-user | This script disables users for multiple services. |
| block-external-ip | The script blocks a list of IP addresses in supported integrations. |
| isolate-endpoint | This script isolates endpoints using multiple integrations and returns a success or failure message. |
| clear-user-session | This script clears user sessions across multiple integrations for a list of usernames. |
| quarantine-file | This script executes the 'quarantine-file' command on a specified file via the appropriate agent. This script is used to isolate files identified as suspicious. Currently supported brands are "Cortex XDR - IR", "Cortex Core - IR", and "Microsoft Defender Advanced Threat Protection". |
| file-enrichment | This script gathers file reputation data from multiple integrations and returns a "FileEnrichment" object with consolidated information to the context output. |
| get-user-data | This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. |
| domain-enrichment | This script enriches Domains data with information from multiple integrations and returns a "DomainEnrichment" object with consolidated information in the context output. |
| get-endpoint-data | This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context. |
| ip-enrichment | This script gathers IP reputation data from multiple integrations and returns an IP entity with consolidated information in the context. |
Required Content Packs (1)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
Optional Content Packs (1)
| Pack Name | Pack By |
|---|---|
| WildFire by Palo Alto Networks | By: Cortex XSOAR |
All level dependencies (1)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
1.2.0 - 5200479 (September 30, 2025)
- 41293
- 41295
Download
Scripts
url-enrichment
- New: Added a new script url-enrichment. This script enriches URLs using multiple integrations and returns consolidated results under URLEnrichment context path.
ip-enrichment
- New: Added a new script ip-enrichment. This script enriches IP addresses using multiple integrations and returns consolidated results under IPEnrichment context path.
domain-enrichment
- New: Added a new script domain-enrichment. This script enriches domains using multiple integrations and returns consolidated results under DomainEnrichment context path.
- 41293
- 41295
Download
1.1.10 - 4811097 (September 8, 2025)
1.1.9 - 4796908 (September 7, 2025)
- 41194
Download
Scripts
get-endpoint-data
- Fixed an issue where the script was missing data for endpoints from the Cortex XDR and Cortex Core integrations due to duplicated host names.
isolate-endpoint
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
disable-user
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
quarantine-file
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
clear-user-session
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
- 41194
Download
1.1.7 - 4791557 (September 7, 2025)
- 41162
- 41194
- 41175
Download
Scripts
file-enrichment
- Updated the
file-enrichmentscript to not fail when encountering an unknown file hash.
clear-user-session
- Documentation and metadata improvements.
disable-user
- Documentation and metadata improvements.
isolate-endpoint
- Documentation and metadata improvements.
quarantine-file
- Documentation and metadata improvements.
block-external-ip
- Fixed an issue where disabled instances will keep running when polling.
- Updated the Docker image to: demisto/python3:3.12.11.4508456.
- 41162
- 41194
- 41175
Download
1.0.21 - 4647015 (August 25, 2025)
- 40779
Download
Scripts
New: quarantine-file
Added the quarantine-file script, which executes the quarantine-file command on a specified file via the appropriate agent.
This script is used to isolate files identified as suspicious. The integration used to perform the quarantine action is selected either by user input (the brands argument) or based on the available configured instances.
- 40779
Download
1.0.18 - 4583601 (August 20, 2025)
- 40852
Download
Scripts
file-enrichment
- Updated the script to ensure it uses commands from the Cortex XSOAR - IR and Palo Alto Networks WildFire integrations for file analysis when available.
- Updated the "enrichment_brands" argument name to "brands" for consistency with other Aggregated Scripts conventions.
- Updated the Docker image to: demisto/python3:3.12.11.4417419.
- 40852
Download
1.0.15 - 4527668 (August 14, 2025)
- 40768
Download
Scripts
New: disable-user
- New: Added a new script disable-user that disables users for multiple services.
(Available from Cortex XSOAR 6.10.0).
get-user-data
- Added new context outputs to the get-user-data script: UserData.Source and UserData.Instance.
- Updated the Docker image to: demisto/python3:3.12.11.4508456
- 40768
Download
1.0.14 - 4519710 (August 13, 2025)
- 40873
Download
Scripts
get-endpoint-data
- Fixed an issue where core-list-risky-hosts command was not running as a part of the get-endpoint-data script.
- Added the RiskLevel context path to the output for list-risky-hosts command.
- Fixed an issue where the script would return duplicated entries for the same brand and endpoint.
- Fixed an issue where the script didn't support multiple hostnames for core-list-risky-hosts command.
- 40873
Download
1.0.13 - 4492991 (August 11, 2025)
- 40797
Download
Scripts
get-endpoint-data
- Added the using-brand argument in the endpoint command. The script now runs from the default list of brands in the documentation and brands not from the list with endpoint command.
- Fixed an issue where the script returned duplicate results for brands that contain the endpoint command.
- 40797
Download
1.0.9 - 4261213 (July 22, 2025)
- 40691
Download
Scripts
get-endpoint-data
- Updated the inputs from agent_id, agent_ip and agent_hostname to endpoint_id, endpoint_ip and endpoint_hostname.
- Updated the output structure.
- Updated the brand support:
- Removed support for 'Cylance Protect v2', 'VMware Carbon Black EDR v2' and 'ExtraHop v2'.
- Added support for 'FireEyeHX v2'.
- Updated the brands argument to support free-text input for multiple brands instead of limiting it to predefined values.
- 40691
Download
1.0.1 - 4023265 (July 1, 2025)
1.0.0 - 3980324 (June 18, 2025)
A pack containing all aggregated scripts.
1.2.0 - 5200479 (September 30, 2025)
- 41293
- 41295
Download
Scripts
url-enrichment
- New: Added a new script url-enrichment. This script enriches URLs using multiple integrations and returns consolidated results under URLEnrichment context path.
ip-enrichment
- New: Added a new script ip-enrichment. This script enriches IP addresses using multiple integrations and returns consolidated results under IPEnrichment context path.
domain-enrichment
- New: Added a new script domain-enrichment. This script enriches domains using multiple integrations and returns consolidated results under DomainEnrichment context path.
- 41293
- 41295
Download
1.1.10 - 4811097 (September 8, 2025)
1.1.9 - 4796908 (September 7, 2025)
- 41194
Download
Scripts
file-enrichment
- Updated the
file-enrichmentscript to not fail when encountering an unknown file hash.
clear-user-session
- Documentation and metadata improvements.
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
disable-user
- Documentation and metadata improvements.
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
isolate-endpoint
- Documentation and metadata improvements.
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
quarantine-file
- Documentation and metadata improvements.
- Fixed an issue where the script would fail to appear in the playground due to malformed structure.
block-external-ip
- Fixed an issue where disabled instances will keep running when polling.
- Updated the Docker image to: demisto/python3:3.12.11.4508456.
get-endpoint-data
- Fixed an issue where the script was missing data for endpoints from the Cortex XDR and Cortex Core integrations due to duplicated host names.
- 41194
Download
1.0.21 - 4647015 (August 25, 2025)
- 40779
Download
Scripts
New: quarantine-file
Added the quarantine-file script, which executes the quarantine-file command on a specified file via the appropriate agent.
This script is used to isolate files identified as suspicious. The integration used to perform the quarantine action is selected either by user input (the brands argument) or based on the available configured instances.
- 40779
Download
1.0.18 - 4583601 (August 20, 2025)
- 40852
Download
Scripts
file-enrichment
- Updated the script to ensure it uses commands from the Cortex XSOAR - IR and Palo Alto Networks WildFire integrations for file analysis when available.
- Updated the "enrichment_brands" argument name to "brands" for consistency with other Aggregated Scripts conventions.
- Updated the Docker image to: demisto/python3:3.12.11.4417419.
- 40852
Download
1.0.15 - 4527668 (August 14, 2025)
- 40768
Download
Scripts
New: disable-user
- New: Added a new script disable-user that disables users for multiple services.
get-user-data
- Added new context outputs to the get-user-data script: UserData.Source and UserData.Instance.
- Updated the Docker image to: demisto/python3:3.12.11.4508456
- 40768
Download
1.0.14 - 4524270 (August 14, 2025)
- 40873
Download
Scripts
get-endpoint-data
- Fixed an issue where core-list-risky-hosts command was not running as a part of the get-endpoint-data script.
- Added the RiskLevel context path to the output for list-risky-hosts command.
- Fixed an issue where the script would return duplicated entries for the same brand and endpoint.
- Fixed an issue where the script didn't support multiple hostnames for core-list-risky-hosts command.
- 40873
Download
1.0.13 - 4492991 (August 11, 2025)
- 40797
Download
Scripts
get-endpoint-data
- Added the using-brand argument in the endpoint command. The script now runs from the default list of brands in the documentation and brands not from the list with endpoint command.
- Fixed an issue where the script returned duplicate results for brands that contain the endpoint command.
- 40797
Download
1.0.9 - 4261213 (July 22, 2025)
- 40691
Download
Scripts
get-endpoint-data
- Updated the inputs from agent_id, agent_ip and agent_hostname to endpoint_id, endpoint_ip and endpoint_hostname.
- Updated the output structure.
- Updated the brand support:
- Removed support for 'Cylance Protect v2', 'VMware Carbon Black EDR v2' and 'ExtraHop v2'.
- Added support for 'FireEyeHX v2'.
- Updated the brands argument to support free-text input for multiple brands instead of limiting it to predefined values.
- 40691
Download
1.0.1 - 4023265 (July 1, 2025)
1.0.0 - 3980324 (June 18, 2025)
A pack containing all aggregated scripts.
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | June 18, 2025 | |
| Last Release | October 17, 2025 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
