Common Scripts

Details
Content
Dependencies
Version History

Frequently used scripts pack.

Automations

Name	Description
ReplaceMatchGroup	Returns a string with all matches of a regex pattern groups replaced by a replacement.
ParseWordDoc	Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.
Base64Encode	Will encode an input using Base64 format.
IsTrue	Check if a given value is true. Will return 'no' otherwise
PortListenCheck	Checks whether a port was open on given host.
NumberOfPhishingAttemptPerUser	Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
Base64EncodeV2	Encodes an input to Base64 format.
isError	Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
SCPPullFiles	Take a list of devices and pull a specific file (given by path) from each using SCP.
GetByIncidentId	Gets a value from the specified incident's context.
ContentPackInstaller	Content packs installer from marketplace.
ConvertTableToHTML	Converts a given array to an HTML table
PrintErrorEntry	Prints an error entry with a given message.
GenerateAsBuiltConfiguration	Generate a JSON file that can be downloaded and used to create the As-Built document for Cortex XSOAR.
SendMessageToOnlineUsers	Send message to Demisto online users over Email, Slack, Mattermost or all.
RunDockerCommand	This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.
CopyNotesToIncident	Copy all entries marked as notes from current incident to another incident.
FetchIndicatorsFromFile	Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types.
ShowLocationOnMap	Show indicator geo location on map.
GetErrorsFromEntry	Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.
DBotUpdateLogoURLPhishing	Add, remove, or modify logos from the URL Phishing model.
listExecutedCommands	Lists executed commands in War Room
IsIntegrationAvailable	Returns 'yes' if integration brand is available. Otherwise returns 'no'.
CountArraySize	Count an array size
SetDateField	Sets a custom incident field with current date
DomainReputation	A context script for Domain entities
ExtractDomainAndFQDNFromUrlAndEmail	Extracts domains and FQDNs from URLs and emails.
ConvertDatetoUTC	Converts a date from a different timezone to UTC timezone.
ContextSearchForString	Searches for string in a path in context. If path is null, string will be searched in full context.
PCAPMiner	Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.
PositiveDetectionsVSDetectionEngines	Shows a bar chart of the number of Positive Detections out of overall detections
CloseInvestigationAsDuplicate	Close the current investigation as duplicate to other investigation.
Strings	Extract strings from a file with optional filter - similar to binutils strings command
http	Sends http request. Returns the response as json.
hideFieldsOnNewIncident	When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
UnzipFile	Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.
ReadPDFFileV2	Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available.
ShowScheduledEntries	Show all scheduled entries for specific incident.
CompareLists	Compare two lists and put the differences in context.
IncidentAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
IncidentFields	Returns a dict of all incident fields that exist in the system.
SSDeepReputation	Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
UnEscapeURLs	Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
DisplayHTMLWithImages	Display HTML with embedded images.
RunPollingCommand	Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
commentsToContext	Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
FilterByList	Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.
DBotClosedIncidentsPercentage	Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts.
ArrayToCSV	Converts a simple Array into a textual comma separated string
Dig	DNS lookup utility to provide 'A' and 'PTR' record
GetDataCollectionLink	Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument.
HTTPListRedirects	List the redirects for a given URL
ExportContextToJSONFile	Exports the Context for the current Incident to a JSON file in the war room.
ConvertXmlToJson	Converts XML string to JSON format
ResolveShortenedURL	This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output.
ConvertFile	Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0
RepopulateFiles	After running DeleteContext, this script can repopulate all the file entries in the ${File} context key
IsListExist	Check if list exist in demisto lists.
PreProcessImage	This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id.
MarkRelatedIncidents	Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
AssignToMeButton	Assigns the current Incident to the Cortex XSOAR user who clicked the button
SearchIncidentsV2	Searches Demisto incidents. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
CalculateTimeDifference	Calculate the time difference, in minutes
VerifyCIDR	Verify that the CIDRs are valid.
IndicatorMaliciousRatioCalculation	Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ScheduleCommand	Schedule a command to run inside the war room at a future time (once or reoccurring)
WordTokenizer	Deprecated. Use DBotPreProcessTextData instead.
CreateNewIndicatorsOnly	Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue.
URLReputation	A context script for URL entities.
OnionURLReputation	This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
DisableUserWrapper	This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.
CheckSenderDomainDistance	Get the string distance for the sender from our domain
StixCreator	Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format.
SetTime	Fill the current time in a custom incident field
GetFieldsByIncidentType	Returns the incident field names associated to the specified incident type.
checkValue	Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value.
JsonUnescape	Recursively un-escapes JSON data if escaped JSON is found
IsolationAssetWrapper	This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0).
EmailAskUser	Ask a user a question via email and process the reply directly into the investigation.
BreachConfirmationHTML
CheckFieldValue	This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
IsUrlPartOfDomain	Checks if the supplied URLs are in the specified domains.
RemoteExec	Execute a command on a remote machine (without installing a D2 agent)
EditServerConfig	Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.
GenerateSummaryReports	Generate report summaries for the passed incidents.
FindSimilarIncidents	Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
MaliciousRatioReputation	Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.
EmailReputation	A context script for Email entities.
StringReplace	Replaces regex match/es in string. Returns the string after replace was preformed.
ConvertXmlFileToJson	Converts XML file entry to JSON format
GetIndicatorDBotScore	Add into the incident's context the system internal DBot score for the input indicator.
BMCTool	Parse RDP bitmap cache data into a single collage image file.
FileToBase64List	Encode a file as base64 and store it in a Demisto list.
CheckIndicatorValue	Check if indicators exist in the Threat Intel database.
DisplayHTML	Display HTML in the War Room.
AppendindicatorFieldWrapper	A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. Note: You can use this script in an incident Layout button to allow tags to be added to indicators through the incident.
displayUtilitiesResults	This script displays the execution results of the tab's buttons in an HTML table format.
emailFieldTriggered	Sends email to incident owner when selected field is triggered.
ExtractAttackPattern	Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
LoadJSON	Loads a json from string input, and returns a json object result.
ParseExcel	The automation takes Excel file (entryID) as an input and parses its content to the war room and context.
Ping	Pings an IP or url address, to verify it's up. Note - On Cortex XSOAR 8 and Cortex XSIAM, the script can run only on a custom engine.
ReadQRCode	Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code.
UtilAnyResults	Utility script to use in playbooks - returns "yes" if the input is non-empty.
IsEmailAddressInternal	Checks if the email address is part of the internal domains.
ContextGetIps	Gets all IP addresses in context, excluding ones given.
MatchRegexV2	Extracts regex data from the provided text. The script support groups and looping.
Print	Prints text to war room (Markdown supported)
ListUsedDockerImages	List all Docker images that are in use by the installed integrations and automations.
GetIndicatorDBotScoreFromCache	Get the overall score for the indicator as calculated by DBot.
UnEscapeIPs	Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1
get-user-data	This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.
JSONFileToCSV	Script to convert a War Room output JSON File to a CSV file.
cvss_color	This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score.
TopMaliciousRatioIndicators	Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
GetDuplicatesMlv2	Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GetListRow	Parses a list by header and value.
AddDBotScoreToContext	Add DBot score to context for indicators with custom vendor, score, reliability, and type.
IPToHost	Try to get the hostname correlated with the input IP.
PopulateCriticalAssets	Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".
CEFParser	Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.
LessThanPercentage	Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float
JSONtoCSV	Convert a JSON War Room output via EntryID to a CSV file.
NotInContextVerification	Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.
PrettyPrint	Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}
ToTable	Convert an array to a nice table display. Usually, from the context.
ExtractIndicatorsFromWordFile	Used to extract indicators from Word files (DOC, DOCX). The script does not extract data from macros (e.g., embedded code). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IdentifyAttachedEmail	Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.
SetByIncidentId	Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ticksToTime	Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
MarkAsEvidenceByTag	Mark entries as evidence if they are tagged with given tag
MathUtil	Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument
EmailAskUserResponse	Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
FormatURL	Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("\|").
SetIndicatorGridField	This script updates an indicator's grid field in Cortex XSOAR with provided row data. You can input the rows directly or extract them from the context.
IsDomainInternal	The script takes one or more domain names and checks whether they're in the Cortex XSOAR list defined in the InternalDomainsListName argument. By default, the InternalDomainsListName argument will use the Cortex XSOAR list called "InternalDomains". The list can be customized by the user. It should contain the organization's internal domain names, separated by new lines. Subdomains are also supported in the list. The results of the script are tagged with the "Internal_Domain_Check_Results" tag, so they can be displayed in the War Room entry sections in incident layouts.
ExampleJSScript	This is only an example script, to showcase how to use and write JavaScript scripts
ServerLogs	Uses the ssh integration to grab the host server logs.
ChangeContext	Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.
GridFieldSetup	Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"`.
DemistoVersion	Return the Demisto server version.
IPNetwork	Gather information regarding CIDR - 1. Broadcast_address 2. CIDR 3. First_address 4. Last address 5. Max prefix len 6. Num addresses 7. Private 8. Version
ParseEmailFiles	Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.
ServerLogs_docker	Uses the ssh integration to grab the host server logs.
ExtractHyperlinksFromOfficeFiles	Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx.
ContextGetHashes	Gets hashes (MD5,SHA1,SHA256) from context.
IsGreaterThan	Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number
ExportIncidentsToCSV	This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room.
PrintRaw	Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
LinkIncidentsWithRetry	Use this script to avoid DB version errors when simultaneously running multiple linked incidents.
CalculateEntropy	Calculates the entropy for the given data.
VerdictResult	This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field.
PrintContext	Pretty-print the contents of the playbook context.
ParseHTMLIndicators	This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
GetLicenseID	Returns the license ID.
FileCreateAndUpload	Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.
VerifyIPv6Indicator	Verify that the address is a valid IPv6 address.
displayMappedFields	Display the mapped fields in a dynamic-section.
IsIPInRanges	Returns yes if the IP is in one of the ranges provided, returns no otherwise.
AreValuesEqual	Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.
DownloadAndArchivePythonLibrary	The script downloads a Python library using PIP, archives it, and returns the file to the war room.
ParseEmailFilesV2	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info.
IPReputation	A context script for IP entities.
AquatoneDiscoverV2	aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.
DockerHardeningCheck	Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide
SearchIncidentsSummary	Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient.
ReadFile	Load the contents of a file into context.
ContextGetEmails	Gets all email addresses in context, excluding ones given.
GenerateRandomString	Generates random string
SetGridField	Creates a Grid table from items or key-value pairs.
StopTimeToAssignOnOwnerChange	Stops the "Time To Assign" timer if the owner of the incident was changed.
StringSimilarity	This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
PcapHTTPExtractor	Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.
Sleep	Sleep for X seconds.
EncodeToAscii	Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)
ExportAuditLogsToFile	Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file.
IsInternalHostName	Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
GenerateAsBuilt	Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured.
MapValues	Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1
ProvidesCommand	Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled.
FileCreateAndUploadV2	Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.
GetInstances	Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).
ExposeIncidentOwner	Expose the incident owner into IncidentOwner context key
AssignAnalystToIncident	Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command.
GenerateInvestigationSummaryReport	A script to generate investigation summary report in an automated way Can be used in post-processing flow as well.
ZipStrings	Joins values from two lists by index according to a given format.
FileReputation	A context script for hash entities.
ExportToXLSX	Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.
ExtractDomainFromUrlAndEmail	Extract Domain(s) from URL(s) and/or Email(s).
FailedInstances	Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
GenerateSummaryReportButton	This button will generate summary 'Case Report' template for a given Incident
IsIPPrivate	The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs". The list can be modified, and by default uses the ranges defined by the Internet Assigned Numbers Authority (IANA). The following are the default CIDR ranges for private IPv4 addresses: 10.0.0.0/8 (range: 10.0.0.0 to 10.255.255.255) 172.16.0.0/12 (range: 172.16.0.0 to 172.31.255.255) 192.168.0.0/16 (range: 192.168.0.0 to 192.168.255.255) In addition to ranges, it's also possible to add specific IP addresses to the list. You may also tag IPs or IP ranges by adding a comma after the IP or range, and then adding the tag that you want to tag the corresponding IP indicators with.
ContextFilter	Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
enrich_exclude_button	This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise.
IncreaseIncidentSeverity	Optionally increases the incident severity to the new value if it is greater than the existing severity.
GenericPollingScheduledTask	Runs the polling command repeatedly, completes a blocking manual task when polling is done.
LoadJSONFileToContext	Loads a JSON file from the war room to context.
CompareIncidentsLabels	Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ExtractIndicatorsFromTextFile	Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
CheckContextValue	This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.
IsMaliciousIndicatorFound	Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
cveReputationV2	Provides the severity of the CVE based on the CVSS score where available.
AddEvidence	Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)
SetMultipleValues	Set multiple keys/values to the context.
MarkAsNoteByTag	Mark entries as notes if they are tagged with given tag.
EmailDomainSquattingReputation	Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm.
ExportIndicatorsToCSV	This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room.
SendEmailOnSLABreach	Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.
SearchIndicator	Searches Cortex XSOAR Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument.
SetWithTemplate	Set a value built by a template in context under the key you entered.
GetEnabledInstances	Gets all currently enabled integration instances.
ContextGetPathForString	Searches for string in context and returns context path, returns null if not found.
CertificateReputation	Enrich and calculate the reputation of a certificate indicator.
ParseCSV	This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
PublishEntriesToContext	Publish entries to incident's context
findIncidentsWithIndicator	Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ConvertCountryCodeCountryName	Convert country name to country code or country code to country name. Only one of 'country_code' or 'country_name' can be provided. Example: Input: { "country_code": "US" } Output: { "United States" } Another Example: Input: { "country_name": "United States" } Output: { "US" }.
ExportToCSV	Export given array to csv file.
MatchRegex	Deprecated. Use the MatchRegexV2 script instead.
CopyContextToField	Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
Base64ListToFile	Converts Base64 file in a list to a binary file and upload to warroom
BinarySearchPy	Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black
FeedRelatedIndicatorsWidget	Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
Exists	Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.
ConvertTimezoneFromUTC	Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString
DBotAverageScore	The script calculates the average DBot score for each indicator in the context.
ExtractHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: If table has a single column, just create an array of strings from the values If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value If table has a header row, create a table of objects where attribute names are the headers If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…
GetEntries	Collect entries matching to the conditions in the war room.
TextFromHTML	Extract regular text from the given HTML.
ShowOnMap	Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).
GetServerURL	Get the Server URL.
ExtractEmailV2	Verifies that an email address is valid and only returns the address if it is valid.
ScheduleGenericPolling	Called by the GenericPolling playbook, schedules the polling task.
LookupCSV	Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
GenerateRandomUUID	Generates a random UUID (UUID 4).
GetDomainDNSDetails	Returns DNS details for a domain.
RemoveKeyFromList	Removes a key in key/value store backed by an XSOAR list.
PDFUnlocker	Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.
CreateHash	Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html.
GeneratePassword	This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
DeduplicateValuesbyKey	Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest.
ChangeRemediationSLAOnSevChange	Changes the remediation SLA once a change in incident severity occurs. This is done automatically and the changes can be configured to your needs.
VerifyJSON	Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.
ContainsCreditCardInfo	Check if a given value is true. Will return 'no' otherwise
StringLength	Returns the length of the string passed as argument
DumpJSON	Dumps a json from context key input, and returns a json object string result
GetTime	Retrieves the current date and time.
IsValueInArray	Indicates whether a given value is a member of given array
AddKeyToList	Adds/Replaces a key in key/value store backed by an XSOAR list.
CreateEmailHtmlBody	This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: ${incident.labels.Email/from} ${incident.name} ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance.
DecodeMimeHeader	Decode MIME base64 headers.
StopScheduledTask	This stops the scheduled task whose ID is given in the taskID argument.
DeleteContext	Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IsInternalDomainName	This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
GetStringsDistance	Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.
CVSSCalculator	This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation.
HttpV2	Sends a HTTP request with advanced capabilities
Set	Set a value in context under the key you entered.
ExtractFQDNFromUrlAndEmail	Extracts FQDNs from URLs and emails.
SSDeepSimilarity	This script finds similar files that can be related to each other by fuzzy hash (SSDeep).
CreateArray	Will create an array object in context from given string input
LinkIncidentsButton	Incident action button script to link or unlink Incidents from an Incident
URLSSLVerification	Verify URL SSL certificate
AnalyzeTimestampIntervals	Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps.
ExifRead	Read image files metadata and provide Exif tags.
SetAndHandleEmpty	Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
TimeStampCompare	Compares a single timestamp to a list of timestamps.
ZipFile	Zip a file and upload to war room.
CreateIndicatorsFromSTIX	Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.
CertificateExtract	Extract fields from a certificate file and return the standard context.
HTMLtoMD	Converts HTML to Markdown.
LanguageDetect	Language detection based on Google's language-detection.
ParseYAML	Parses a YAML string into context
UnPackFile	Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
ShowIncidentIndicators	This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. This script is a field-display script, so it needs to be configured as such, when editing the incident field that will be used to display the indicators.
ContextContains	This script searches for a value in a context path.
URLNumberOfAds	Fetches the numbers of ads in the given url.
GetDockerImageLatestTag	Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.

Incident Fields

Name	Description
Individuals Notification
Account information breached	Is account information breached
Approximate number of affected data subjects
Other PII data breached	Is other PII data breached
Date/time of the breach
Company Postal Code
Residents Email Address
Resident Notification Option
Company Name
Possible Cause of the Breach
Country where the breach took place
Company City
E-mail Address
Is the Data Subject to DPIA
Consumer Reporting Agencies Notification
Malicious Cause (If the cause is a malicious attack)
Medical Information breached	Is Medical Information breached
Size - turnover
Likely Impact	"A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35
Affected Data Type
Contact Name
Measures to Mitigate	" (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33
State CISO Notification
Affected Individuals Contact Information
State where the breach took place
Breach Confirmation	Is the DPO confirm the breach
Media Notification	The status of the media notification
Secretary Notification
Company Country
Company has Insurance for the Breach
GDPR Notify Authorities	"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33
Health insurance breached	Is health insurance breached
Country where business has its main establishment	"‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4
Management Notification
DPO E-mail Address
PII Data Type
Unique identification number breached	Is unique identification number breached
Contact Email address
Postal Code
Company Address
Contact Telephone number
Where is data hosted
Financial information breached	Is financial information breached
Size - number of employees
Contact Address
Sector of Affected Party
Data Encryption Status
Unique biometric data breached	Is unique biometric data breached
DPO Notification
Attorney General Notification
Affected data	"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4
Telephone no.

Lists

Name	Description
PrivateIPs
InternalDomains

Automations

Name	Description
ContentPackInstaller	Content packs installer from marketplace.
SetTime	Fill the current time in a custom incident field
EmailDomainSquattingReputation	Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm.
MaliciousRatioReputation	Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.
HTMLtoMD	Converts HTML to Markdown.
isError	Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
ExportContextToJSONFile	Exports the Context for the current Incident to a JSON file in the war room.
FileCreateAndUpload	Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.
EncodeToAscii	Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)
ExposeIncidentOwner	Expose the incident owner into IncidentOwner context key
ExposeAlertOwner	Expose the alert owner into AlertOwner context key
CreateArray	Will create an array object in context from given string input
ContextContains	This script searches for a value in a context path.
CheckSenderDomainDistance	Get the string distance for the sender from our domain
ExportIndicatorsToCSV	This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room.
ExtractEmailV2	Verifies that an email address is valid and only returns the address if it is valid.
PDFUnlocker	Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.
ExtractAttackPattern	Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
GetEnabledInstances	Gets all currently enabled integration instances.
CheckIndicatorValue	Check if indicators exist in the Threat Intel database.
EditServerConfig	Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.
IsUrlPartOfDomain	Checks if the supplied URLs are in the specified domains.
CopyNotesToIncident	Copy all entries marked as notes from current incident to another incident.
CopyNotesToAlert	Copy all entries marked as notes from current alert to another alert.
ParseExcel	The automation takes Excel file (entryID) as an input and parses its content to the war room and context.
ToTable	Convert an array to a nice table display. Usually, from the context.
MatchRegex	Deprecated. Use the MatchRegexV2 script instead.
DisplayHTMLWithImages	Display HTML with embedded images.
GetByIncidentId	Gets a value from the specified incident's context.
GetByAlertId	Gets a value from the specified alert's context.
ConvertTimezoneFromUTC	Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString
LinkIncidentsButton	Incident action button script to link or unlink Incidents from an Incident
LinkAlertsButton	Alert action button script to link or unlink Alerts from an Alert
VerifyIPv6Indicator	Verify that the address is a valid IPv6 address.
ExtractDomainAndFQDNFromUrlAndEmail	Extracts domains and FQDNs from URLs and emails.
ParseEmailFiles	Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.
AddEvidence	Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)
ConvertTableToHTML	Converts a given array to an HTML table
SetMultipleValues	Set multiple keys/values to the context.
LoadJSON	Loads a json from string input, and returns a json object result.
MarkAsEvidenceByTag	Mark entries as evidence if they are tagged with given tag
GetTime	Retrieves the current date and time.
StopScheduledTask	This stops the scheduled task whose ID is given in the taskID argument.
AreValuesEqual	Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.
EmailAskUserResponse	Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
DeduplicateValuesbyKey	Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest.
ScheduleCommand	Schedule a command to run inside the war room at a future time (once or reoccurring)
FileReputation	A context script for hash entities.
ShowScheduledEntries	Show all scheduled entries for specific incident.
CreateHash	Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html.
ZipFile	Zip a file and upload to war room.
BreachConfirmationHTML
LanguageDetect	Language detection based on Google's language-detection.
ticksToTime	Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
ExtractHyperlinksFromOfficeFiles	Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx.
IsMaliciousIndicatorFound	Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
checkValue	Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value.
UnPackFile	Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
MarkAsNoteByTag	Mark entries as notes if they are tagged with given tag.
ContextGetPathForString	Searches for string in context and returns context path, returns null if not found.
GetFieldsByIncidentType	Returns the incident field names associated to the specified incident type.
GetFieldsByAlertType	Returns the alert field names associated to the specified alert type.
MathUtil	Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument
FeedRelatedIndicatorsWidget	Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
GenerateAsBuilt	Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured.
RemoteExec	Execute a command on a remote machine (without installing a D2 agent)
HTTPListRedirects	List the redirects for a given URL
ConvertDatetoUTC	Converts a date from a different timezone to UTC timezone.
StringSimilarity	This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
SSDeepSimilarity	This script finds similar files that can be related to each other by fuzzy hash (SSDeep).
MapValues	Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1
SetByIncidentId	Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
SetByAlertId	Works the same as the 'Set' command, but can work across alerts by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
AssignAnalystToIncident	Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command.
ExampleJSScript	This is only an example script, to showcase how to use and write JavaScript scripts
NotInContextVerification	Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.
GeneratePassword	This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
ShowOnMap	Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).
DisplayHTML	Display HTML in the War Room.
URLReputation	A context script for URL entities.
BMCTool	Parse RDP bitmap cache data into a single collage image file.
IndicatorMaliciousRatioCalculation	Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
Sleep	Sleep for X seconds.
ArrayToCSV	Converts a simple Array into a textual comma separated string
ExportToCSV	Export given array to csv file.
CreateIndicatorsFromSTIX	Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.
GetDockerImageLatestTag	Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.
FindSimilarIncidents	Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
FindSimilarAlerts	Deprecated. Use DBotFindSimilarAlerts instead. Finds similar alerts by common alert keys, labels, custom fields or context keys. It's highly recommended to use alert keys if possible (e.g., "type" for the same alert type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GenerateSummaryReportButton	This button will generate summary 'Case Report' template for a given Incident
GetErrorsFromEntry	Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.
SendMessageToOnlineUsers	Send message to Demisto online users over Email, Slack, Mattermost or all.
IsGreaterThan	Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number
PrintContext	Pretty-print the contents of the playbook context.
PcapHTTPExtractor	Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.
SetGridField	Creates a Grid table from items or key-value pairs.
DockerHardeningCheck	Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide
IncidentFields	Returns a dict of all incident fields that exist in the system.
AlertFields	Returns a dict of all alert fields that exist in the system.
ListUsedDockerImages	List all Docker images that are in use by the installed integrations and automations.
ShowIncidentIndicators	This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. This script is a field-display script, so it needs to be configured as such, when editing the incident field that will be used to display the indicators.
ShowAlertIndicators	This script is used to display the indicators of an alert in an alert field of type Array. It can be used to select indicators from the alert in order to later perform some actions, like tagging the indicators for blocking via EDL. This script is a field-display script, so it needs to be configured as such, when editing the alert field that will be used to display the indicators.
DBotAverageScore	The script calculates the average DBot score for each indicator in the context.
URLSSLVerification	Verify URL SSL certificate
StixCreator	Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format.
CreateEmailHtmlBody	This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: ${incident.labels.Email/from} ${incident.name} ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance.
Base64Encode	Will encode an input using Base64 format.
AddKeyToList	Adds/Replaces a key in key/value store backed by an XSOAR list.
PrintErrorEntry	Prints an error entry with a given message.
PrintRaw	Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
IsInternalHostName	Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
ReadPDFFileV2	Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available.
IsIntegrationAvailable	Returns 'yes' if integration brand is available. Otherwise returns 'no'.
Set	Set a value in context under the key you entered.
CompareLists	Compare two lists and put the differences in context.
IsInternalDomainName	This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
AddDBotScoreToContext	Add DBot score to context for indicators with custom vendor, score, reliability, and type.
FileCreateAndUploadV2	Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.
FileToBase64List	Encode a file as base64 and store it in a Demisto list.
GetListRow	Parses a list by header and value.
StringReplace	Replaces regex match/es in string. Returns the string after replace was preformed.
Ping	Pings an IP or url address, to verify it's up. Note - On Cortex XSIAM 8 and Cortex XSIAM, the script can run only on a custom engine.
CheckContextValue	This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.
CheckFieldValue	This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
ProvidesCommand	Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled.
ContextGetHashes	Gets hashes (MD5,SHA1,SHA256) from context.
VerdictResult	This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field.
GridFieldSetup	Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"`.
CertificateExtract	Extract fields from a certificate file and return the standard context.
SearchIncidentsSummary	Searches Cortex XSIAM Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient.
SearchAlertsSummary	Searches Cortex XSIAM Alerts and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchAlertsV2 from the Common Scripts pack, but more efficient.
ExifRead	Read image files metadata and provide Exif tags.
DecodeMimeHeader	Decode MIME base64 headers.
ExportToXLSX	Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.
TopMaliciousRatioIndicators	Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
ConvertXmlToJson	Converts XML string to JSON format
PCAPMiner	Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.
Base64ListToFile	Converts Base64 file in a list to a binary file and upload to warroom
PrettyPrint	Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}
LookupCSV	Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
EmailAskUser	Ask a user a question via email and process the reply directly into the investigation.
ContextGetEmails	Gets all email addresses in context, excluding ones given.
IdentifyAttachedEmail	Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.
JSONFileToCSV	Script to convert a War Room output JSON File to a CSV file.
GetLicenseID	Returns the license ID.
ParseEmailFilesV2	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info.
PortListenCheck	Checks whether a port was open on given host.
CertificateReputation	Enrich and calculate the reputation of a certificate indicator.
DomainReputation	A context script for Domain entities
IPNetwork	Gather information regarding CIDR - 1. Broadcast_address 2. CIDR 3. First_address 4. Last address 5. Max prefix len 6. Num addresses 7. Private 8. Version
displayMappedFields	Display the mapped fields in a dynamic-section.
SetIndicatorGridField	This script updates an indicator's grid field in Cortex XSIAM with provided row data. You can input the rows directly or extract them from the context.
TimeStampCompare	Compares a single timestamp to a list of timestamps.
ExportAuditLogsToFile	Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file.
ExtractHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: If table has a single column, just create an array of strings from the values If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value If table has a header row, create a table of objects where attribute names are the headers If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…
CreateNewIndicatorsOnly	Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue.
SetDateField	Sets a custom incident field with current date
GetDuplicatesMlv2	Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IncidentAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
AlertAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
hideFieldsOnNewIncident	When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
hideFieldsOnNewAlert	When you apply this script to an alert field, that alert field is hidden for new alerts, and it displays in edit mode.
DeleteContext	Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
MatchRegexV2	Extracts regex data from the provided text. The script support groups and looping.
CEFParser	Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.
ScheduleGenericPolling	Called by the GenericPolling playbook, schedules the polling task.
HttpV2	Sends a HTTP request with advanced capabilities
URLNumberOfAds	Fetches the numbers of ads in the given url.
FetchIndicatorsFromFile	Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types.
PublishEntriesToContext	Publish entries to incident's context
RemoveKeyFromList	Removes a key in key/value store backed by an XSOAR list.
CopyContextToField	Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ShowLocationOnMap	Show indicator geo location on map.
emailFieldTriggered	Sends email to incident owner when selected field is triggered.
PreProcessImage	This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id.
GetDataCollectionLink	Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument.
JsonUnescape	Recursively un-escapes JSON data if escaped JSON is found
VerifyJSON	Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.
LoadJSONFileToContext	Loads a JSON file from the war room to context.
FilterByList	Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.
VerifyCIDR	Verify that the CIDRs are valid.
ZipStrings	Joins values from two lists by index according to a given format.
AnalyzeTimestampIntervals	Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps.
IsTrue	Check if a given value is true. Will return 'no' otherwise
ContextGetIps	Gets all IP addresses in context, excluding ones given.
BinarySearchPy	Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black
UnEscapeURLs	Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
ExtractDomainFromUrlAndEmail	Extract Domain(s) from URL(s) and/or Email(s).
enrich_exclude_button	This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise.
GenerateRandomUUID	Generates a random UUID (UUID 4).
GetDomainDNSDetails	Returns DNS details for a domain.
DumpJSON	Dumps a json from context key input, and returns a json object string result
IsolationAssetWrapper	This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSIAM 6.0.0).
RunDockerCommand	This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.
ParseYAML	Parses a YAML string into context
IncreaseIncidentSeverity	Optionally increases the incident severity to the new value if it is greater than the existing severity.
IncreaseAlertSeverity	Optionally increases the alert severity to the new value if it is greater than the existing severity.
ServerLogs_docker	Uses the ssh integration to grab the host server logs.
IsIPInRanges	Returns yes if the IP is in one of the ranges provided, returns no otherwise.
ConvertXmlFileToJson	Converts XML file entry to JSON format
PrintToAlert	Prints a value to the specified alert's war-room. The alert must be in status "Under Investigation".
IsListExist	Check if list exist in demisto lists.
ExtractFQDNFromUrlAndEmail	Extracts FQDNs from URLs and emails.
GetInstances	Returns integration instances configured in Cortex XSIAM. You can filter by instance status and/or brand name (vendor).
AssignToMeButton	Assigns the current Incident to the Cortex XSIAM user who clicked the button
OnionURLReputation	This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSIAM CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
ContextFilter	Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
IPReputation	A context script for IP entities.
CVSSCalculator	This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation.
ConvertFile	Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0
CountArraySize	Count an array size
DisableUserWrapper	This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.
PositiveDetectionsVSDetectionEngines	Shows a bar chart of the number of Positive Detections out of overall detections
GenericPollingScheduledTask	Runs the polling command repeatedly, completes a blocking manual task when polling is done.
FailedInstances	Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
GetServerURL	Get the Server URL.
PrintToIncident	Prints a value to the specified incident's war-room.
ContainsCreditCardInfo	Check if a given value is true. Will return 'no' otherwise
Strings	Extract strings from a file with optional filter - similar to binutils strings command
ParseWordDoc	Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.
ReadFile	Load the contents of a file into context.
SetAndHandleEmpty	Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IPToHost	Try to get the hostname correlated with the input IP.
CalculateTimeDifference	Calculate the time difference, in minutes
UtilAnyResults	Utility script to use in playbooks - returns "yes" if the input is non-empty.
CompareIncidentsLabels	Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
CompareAlertsLabels	Compares the labels of two alerts. Returns the labels that are unique to each alert. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
EmailReputation	A context script for Email entities.
PopulateCriticalAssets	Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".
ContextSearchForString	Searches for string in a path in context. If path is null, string will be searched in full context.
LessThanPercentage	Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float
ServerLogs	Uses the ssh integration to grab the host server logs.
GetEntries	Collect entries matching to the conditions in the war room.
ChangeContext	Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.
GenerateInvestigationSummaryReport	A script to generate investigation summary report in an automated way Can be used in post-processing flow as well.
SSDeepReputation	Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
GenerateRandomString	Generates random string
ReplaceMatchGroup	Returns a string with all matches of a regex pattern groups replaced by a replacement.
findIncidentsWithIndicator	Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
findAlertsWithIndicator	Lookup alerts with specified indicator. Use currentAlertId to omit the existing alert from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
SetWithTemplate	Set a value built by a template in context under the key you entered.
SearchIndicator	Searches Cortex XSIAM Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument.
RunPollingCommand	Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
UnEscapeIPs	Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1
ParseHTMLIndicators	This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
ExtractIndicatorsFromTextFile	Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ConvertCountryCodeCountryName	Convert country name to country code or country code to country name. Only one of 'country_code' or 'country_name' can be provided. Example: Input: { "country_code": "US" } Output: { "United States" } Another Example: Input: { "country_name": "United States" } Output: { "US" }.
IsEmailAddressInternal	Checks if the email address is part of the internal domains.
CloseInvestigationAsDuplicate	Close the current investigation as duplicate to other investigation.
get-user-data	This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.
ExtractIndicatorsFromWordFile	Used to extract indicators from Word files (DOC, DOCX). The script does not extract data from macros (e.g., embedded code). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
FormatURL	Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("\|").
listExecutedCommands	Lists executed commands in War Room
cveReputationV2	Provides the severity of the CVE based on the CVSS score where available.
JSONtoCSV	Convert a JSON War Room output via EntryID to a CSV file.
Print	Prints text to war room (Markdown supported)
http	Sends http request. Returns the response as json.
StringLength	Returns the length of the string passed as argument
UnzipFile	Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.
AppendindicatorFieldWrapper	A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. Note: You can use this script in an incident Layout button to allow tags to be added to indicators through the incident.
TextFromHTML	Extract regular text from the given HTML.
SCPPullFiles	Take a list of devices and pull a specific file (given by path) from each using SCP.
AquatoneDiscoverV2	aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.
ExportIncidentsToCSV	This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room.
ExportAlertsToCSV	This automation uses the Core REST API Integration to batch export Alerts to CSV and return the resulting CSV file to the war room.
commentsToContext	Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
GenerateSummaryReports	Generate report summaries for the passed incidents.
GetStringsDistance	Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.
ParseCSV	This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
ReadQRCode	Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code.
GetIndicatorDBotScore	Add into the incident's context the system internal DBot score for the input indicator.
PrintToParentIncident	Prints a value to the parent incident's war-room of the current alert.
SearchIncidentsV2	Searches Demisto incidents. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
SearchAlertsV2	Searches Demisto alerts. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
Dig	DNS lookup utility to provide 'A' and 'PTR' record
cvss_color	This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score.
ResolveShortenedURL	This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output.
GetIndicatorDBotScoreFromCache	Get the overall score for the indicator as calculated by DBot.
RepopulateFiles	After running DeleteContext, this script can repopulate all the file entries in the ${File} context key
IsValueInArray	Indicates whether a given value is a member of given array
DBotClosedIncidentsPercentage	Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts.
DBotClosedAlertsPercentage	Data output script for populating dashboard pie graph widget with the percentage of alerts closed by DBot vs. alerts closed by analysts.
CalculateEntropy	Calculates the entropy for the given data.
NumberOfPhishingAttemptPerUser	Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
WordTokenizer	Deprecated. Use DBotPreProcessTextData instead.
displayUtilitiesResults	This script displays the execution results of the tab's buttons in an HTML table format.
Exists	Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.
DownloadAndArchivePythonLibrary	The script downloads a Python library using PIP, archives it, and returns the file to the war room.
Base64EncodeV2	Encodes an input to Base64 format.

Incident Fields

Name	Description
Contact Email address
Management Notification
Secretary Notification
PII Data Type
Individuals Notification
Account information breached	Is account information breached
Affected Data Type
DPO Notification
Breach Confirmation	Is the DPO confirm the breach
Sector of Affected Party
Contact Name
Is the Data Subject to DPIA
Affected Individuals Contact Information
Size - turnover
Affected data	"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4
Postal Code
Country where business has its main establishment	"‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4
Company Address
DPO E-mail Address
Other PII data breached	Is other PII data breached
Measures to Mitigate	" (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33
Media Notification	The status of the media notification
Telephone no.
Company Name
Unique biometric data breached	Is unique biometric data breached
Size - number of employees
GDPR Notify Authorities	"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33
State where the breach took place
Where is data hosted
Medical Information breached	Is Medical Information breached
Company Postal Code
Financial information breached	Is financial information breached
Contact Telephone number
Attorney General Notification
State CISO Notification
Approximate number of affected data subjects
Resident Notification Option
Malicious Cause (If the cause is a malicious attack)
Data Encryption Status
Health insurance breached	Is health insurance breached
Consumer Reporting Agencies Notification
Company City
Unique identification number breached	Is unique identification number breached
Likely Impact	"A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35
Company has Insurance for the Breach
E-mail Address
Residents Email Address
Possible Cause of the Breach
Contact Address

Lists

Name	Description
PrivateIPs

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

Optional Content Packs (15)

Pack Name	Pack By
US - Breach Notification	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Gmail Single User	By: Cortex XSOAR
HIPAA - Breach Notification	By: Cortex XSOAR
IBM Security QRadar SOAR	By: Cortex XSOAR
Mail Sender (New)	By: Cortex XSOAR
Microsoft Graph Mail	By: Cortex XSOAR
ProtectWise	By: Cortex XSOAR
Remote Access	By: Cortex XSOAR
Shodan	By: Cortex XSOAR
Sumo Logic	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.15.88 - 1647729 (November 14, 2024)

Scripts

DeduplicateValuesbyKey

Updated the Docker image to: demisto/python3:3.11.10.115186.

SendEmailOnSLABreach

Updated the Docker image to: demisto/python3:3.11.10.115186.

TimeStampCompare

Updated the Docker image to: demisto/python3:3.11.10.115186.

URLNumberOfAds

Updated the Docker image to: demisto/python3:3.11.10.115186.

DisplayHTML

Updated the Docker image to: demisto/python3:3.11.10.115186.

VerdictResult

Updated the Docker image to: demisto/python3:3.11.10.115186.

IsListExist

Updated the Docker image to: demisto/python3:3.11.10.115186.

LookupCSV

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetIndicatorDBotScore

Updated the Docker image to: demisto/python3:3.11.10.115186.

ZipStrings

Updated the Docker image to: demisto/python3:3.11.10.115186.

CreateIndicatorsFromSTIX

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetLicenseID

Updated the Docker image to: demisto/python3:3.11.10.115186.

hideFieldsOnNewIncident

Updated the Docker image to: demisto/python3:3.11.10.115186.

ExportIncidentsToCSV

Updated the Docker image to: demisto/python3:3.11.10.115186.

ResolveShortenedURL

Updated the Docker image to: demisto/python3:3.11.10.115186.

SearchIndicator

Updated the Docker image to: demisto/python3:3.11.10.115186.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.11.10.115186.

Base64EncodeV2

Updated the Docker image to: demisto/python3:3.11.10.115186.

VerifyIPv6Indicator

Updated the Docker image to: demisto/python3:3.11.10.115186.

ReadFile

Updated the Docker image to: demisto/python3:3.11.10.115186.

PrintErrorEntry

Updated the Docker image to: demisto/python3:3.11.10.115186.

SCPPullFiles

Updated the Docker image to: demisto/python3:3.11.10.115186.

DecodeMimeHeader

Updated the Docker image to: demisto/python3:3.11.10.115186.

HTTPListRedirects

Updated the Docker image to: demisto/python3:3.11.10.115186.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python3:3.11.10.115186.

SetMultipleValues

Updated the Docker image to: demisto/python3:3.11.10.115186.

ConvertCountryCodeCountryName

Updated the Docker image to: demisto/python3:3.11.10.115186.

ParseCSV

Updated the Docker image to: demisto/python3:3.11.10.115186.

SearchIncidentsSummary

Updated the Docker image to: demisto/python3:3.11.10.115186.

CertificateReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

BMCTool

Updated the Docker image to: demisto/python3:3.11.10.115186.

CheckIndicatorValue

Updated the Docker image to: demisto/python3:3.11.10.115186.

AddKeyToList

Updated the Docker image to: demisto/python3:3.11.10.115186.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetInstances

Updated the Docker image to: demisto/python3:3.11.10.115186.

IdentifyAttachedEmail

Updated the Docker image to: demisto/python3:3.11.10.115186.

JSONtoCSV

Updated the Docker image to: demisto/python3:3.11.10.115186.

CreateHash

Updated the Docker image to: demisto/python3:3.11.10.115186.

DumpJSON

Updated the Docker image to: demisto/python3:3.11.10.115186.

ServerLogs_docker

Updated the Docker image to: demisto/python3:3.11.10.115186.

ScheduleGenericPolling

Updated the Docker image to: demisto/python3:3.11.10.115186.

ConvertTimezoneFromUTC

Updated the Docker image to: demisto/python3:3.11.10.115186.

GridFieldSetup

Updated the Docker image to: demisto/python3:3.11.10.115186.

TextFromHTML

Updated the Docker image to: demisto/python3:3.11.10.115186.

SetIndicatorGridField

Updated the Docker image to: demisto/python3:3.11.10.115186.

enrich_exclude_button

Updated the Docker image to: demisto/python3:3.11.10.115186.

PrettyPrint

Updated the Docker image to: demisto/python3:3.11.10.115186.

CheckSenderDomainDistance

Updated the Docker image to: demisto/python3:3.11.10.115186.

Base64ListToFile

Updated the Docker image to: demisto/python3:3.11.10.115186.

DomainReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

CopyNotesToIncident

Updated the Docker image to: demisto/python3:3.11.10.115186.

SetWithTemplate

Updated the Docker image to: demisto/python3:3.11.10.115186.

UtilAnyResults

Updated the Docker image to: demisto/python3:3.11.10.115186.

ChangeContext

Updated the Docker image to: demisto/python3:3.11.10.115186.

cveReputationV2

Updated the Docker image to: demisto/python3:3.11.10.115186.

MaliciousRatioReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

ExtractEmailV2

Updated the Docker image to: demisto/python3:3.11.10.115186.

FeedRelatedIndicatorsWidget

Updated the Docker image to: demisto/python3:3.11.10.115186.

ArrayToCSV

Updated the Docker image to: demisto/python3:3.11.10.115186.

DisplayHTMLWithImages

Updated the Docker image to: demisto/python3:3.11.10.115186.

ParseYAML

Updated the Docker image to: demisto/python3:3.11.10.115186.

IsolationAssetWrapper

Updated the Docker image to: demisto/python3:3.11.10.115186.

GeneratePassword

Updated the Docker image to: demisto/python3:3.11.10.115186.

DisableUserWrapper

Updated the Docker image to: demisto/python3:3.11.10.115186.

StringSimilarity

Updated the Docker image to: demisto/python3:3.11.10.115186.

PortListenCheck

Updated the Docker image to: demisto/python3:3.11.10.115186.

PrintContext

Updated the Docker image to: demisto/python3:3.11.10.115186.

ShowIncidentIndicators

Updated the Docker image to: demisto/python3:3.11.10.115186.

JSONFileToCSV

Updated the Docker image to: demisto/python3:3.11.10.115186.

CheckContextValue

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetStringsDistance

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetServerURL

Updated the Docker image to: demisto/python3:3.11.10.115186.

IPReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

OnionURLReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

URLSSLVerification

Updated the Docker image to: demisto/python3:3.11.10.115186.

AppendindicatorFieldWrapper

Updated the Docker image to: demisto/python3:3.11.10.115186.

StopScheduledTask

Updated the Docker image to: demisto/python3:3.11.10.115186.

URLReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

ServerLogs

Updated the Docker image to: demisto/python3:3.11.10.115186.

get-user-data

Updated the Docker image to: demisto/python3:3.11.10.115186.

PositiveDetectionsVSDetectionEngines

Updated the Docker image to: demisto/python3:3.11.10.115186.

ExportAuditLogsToFile

Updated the Docker image to: demisto/python3:3.11.10.115186.

RunPollingCommand

Updated the Docker image to: demisto/python3:3.11.10.115186.

RunDockerCommand

Updated the Docker image to: demisto/python3:3.11.10.115186.

DBotAverageScore

Updated the Docker image to: demisto/python3:3.11.10.115186.

FilterByList

Updated the Docker image to: demisto/python3:3.11.10.115186.

RemoveKeyFromList

Updated the Docker image to: demisto/python3:3.11.10.115186.

CalculateEntropy

Updated the Docker image to: demisto/python3:3.11.10.115186.

GenerateAsBuiltConfiguration

Updated the Docker image to: demisto/python3:3.11.10.115186.

ExtractAttackPattern

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetEnabledInstances

Updated the Docker image to: demisto/python3:3.11.10.115186.

SearchIncidentsV2

Updated the Docker image to: demisto/python3:3.11.10.115186.

EmailReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

FileCreateAndUploadV2

Updated the Docker image to: demisto/python3:3.11.10.115186.

PrintRaw

Updated the Docker image to: demisto/python3:3.11.10.115186.

IsUrlPartOfDomain

Updated the Docker image to: demisto/python3:3.11.10.115186.

ProvidesCommand

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetFieldsByIncidentType

Updated the Docker image to: demisto/python3:3.11.10.115186.

ReplaceMatchGroup

Updated the Docker image to: demisto/python3:3.11.10.115186.

VerifyCIDR

Updated the Docker image to: demisto/python3:3.11.10.115186.

MatchRegexV2

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetByIncidentId

Updated the Docker image to: demisto/python3:3.11.10.115186.

cvss_color

Updated the Docker image to: demisto/python3:3.11.10.115186.

Strings

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetListRow

Updated the Docker image to: demisto/python3:3.11.10.115186.

IncidentFields

Updated the Docker image to: demisto/python3:3.11.10.115186.

ShowLocationOnMap

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetIndicatorDBotScoreFromCache

Updated the Docker image to: demisto/python3:3.11.10.115186.

FileReputation

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetEntries

Updated the Docker image to: demisto/python3:3.11.10.115186.

CheckFieldValue

Updated the Docker image to: demisto/python3:3.11.10.115186.

RepopulateFiles

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetDockerImageLatestTag

Updated the Docker image to: demisto/python3:3.11.10.115186.

AnalyzeTimestampIntervals

Updated the Docker image to: demisto/python3:3.11.10.115186.

LoadJSON

Updated the Docker image to: demisto/python3:3.11.10.115186.

TopMaliciousRatioIndicators

Updated the Docker image to: demisto/python3:3.11.10.115186.

ExportIndicatorsToCSV

Updated the Docker image to: demisto/python3:3.11.10.115186.

BreachConfirmationHTML

Updated the Docker image to: demisto/python3:3.11.10.115186.

ListUsedDockerImages

Updated the Docker image to: demisto/python3:3.11.10.115186.

SetByIncidentId

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetDataCollectionLink

Updated the Docker image to: demisto/python3:3.11.10.115186.

SetTime

Updated the Docker image to: demisto/python3:3.11.10.115186.

GetErrorsFromEntry

Updated the Docker image to: demisto/python3:3.11.10.115186.

FormatURL

Updated the Docker image to: demisto/python3:3.11.10.115186.

CreateNewIndicatorsOnly

Updated the Docker image to: demisto/python3:3.11.10.115186.

FileToBase64List

Updated the Docker image to: demisto/python3:3.11.10.115186.

MarkAsNoteByTag

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139

Download

1.15.87 - 1631266 (November 12, 2024)

Scripts

displayMappedFields

Fixed an misalignment issue when field values contains "|" character.
Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37176

Download

1.15.86 - 1627458 (November 12, 2024)

Scripts

SetMultipleValues

Updated the Docker image to: demisto/python3:3.11.10.113941.

Related pull requests:
- 35282

Download

1.15.85 - 1621428 (November 11, 2024)

Scripts

DBotUpdateLogoURLPhishing

Updated the Docker image to: demisto/mlurlphishing:1.0.0.115323.

Related pull requests:
- 37153

Download

1.15.84 - 1619437 (November 10, 2024)

Scripts

ParseEmailFilesV2

Fixed an issue where email addresses with commas in the display name were not parsed correctly.
Updated the Docker image to: demisto/parse-emails:1.0.0.115640.

Related pull requests:
- 37135

Download

1.15.83 - 1615839 (November 10, 2024)

Scripts

Ping

Updated the Docker image to: demisto/netutils:1.0.0.115452.

Dig

Updated the Docker image to: demisto/netutils:1.0.0.115452.

GetDomainDNSDetails

Updated the Docker image to: demisto/netutils:1.0.0.115452.

HTMLtoMD

Updated the Docker image to: demisto/btfl-soup:1.0.1.115405.

ContentPackInstaller

Updated the Docker image to: demisto/xsoar-tools:1.0.0.115559.

Related pull requests:
- 37108
- 37122
- 37109
- 37115
- 37124
- 37111

Download

1.15.81 - 1605511 (November 7, 2024)

Scripts

PreProcessImage

Updated the Docker image to: demisto/processing-image-file:1.0.0.115372.

Related pull requests:
- 37103
- 37093

Download

1.15.80 - 1602991 (November 6, 2024)

Scripts

ParseExcel

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

DownloadAndArchivePythonLibrary

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

FetchIndicatorsFromFile

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

ExtractFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

ZipFile

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

StixCreator

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

ExifRead

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

ExtractDomainFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

LanguageDetect

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

cvss_color

Updated the Docker image to: demisto/python3:3.11.10.113941.

CheckSenderDomainDistance

Updated the Docker image to: demisto/python3:3.11.10.113941.

DisplayHTMLWithImages

Updated the Docker image to: demisto/python3:3.11.10.113941.

Base64EncodeV2

Updated the Docker image to: demisto/python3:3.11.10.113941.

ResolveShortenedURL

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetByIncidentId

Updated the Docker image to: demisto/python3:3.11.10.113941.

CloseInvestigationAsDuplicate

Updated the Docker image to: demisto/python3:3.11.10.113941.

Strings

Updated the Docker image to: demisto/python3:3.11.10.113941.

CheckIndicatorValue

Updated the Docker image to: demisto/python3:3.11.10.113941.

DisableUserWrapper

Updated the Docker image to: demisto/python3:3.11.10.113941.

ChangeContext

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetDockerImageLatestTag

Updated the Docker image to: demisto/python3:3.11.10.113941.

AnalyzeTimestampIntervals

Updated the Docker image to: demisto/python3:3.11.10.113941.

IPToHost

Updated the Docker image to: demisto/python3:3.11.10.113941.

ShowLocationOnMap

Updated the Docker image to: demisto/python3:3.11.10.113941.

ExportIndicatorsToCSV

Updated the Docker image to: demisto/python3:3.11.10.113941.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python3:3.11.10.113941.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetDataCollectionLink

Updated the Docker image to: demisto/python3:3.11.10.113941.

GenerateAsBuiltConfiguration

Updated the Docker image to: demisto/python3:3.11.10.113941.

ExtractAttackPattern

Updated the Docker image to: demisto/python3:3.11.10.113941.

GenerateRandomString

Updated the Docker image to: demisto/python3:3.11.10.113941.

ExportContextToJSONFile

Updated the Docker image to: demisto/python3:3.11.10.113941.

ReadFile

Updated the Docker image to: demisto/python3:3.11.10.113941.

ScheduleGenericPolling

Updated the Docker image to: demisto/python3:3.11.10.113941.

ContextContains

Updated the Docker image to: demisto/python3:3.11.10.113941.

CreateHash

Updated the Docker image to: demisto/python3:3.11.10.113941.

IsolationAssetWrapper

Updated the Docker image to: demisto/python3:3.11.10.113941.

SearchIncidentsV2

Updated the Docker image to: demisto/python3:3.11.10.113941.

GeneratePassword

Updated the Docker image to: demisto/python3:3.11.10.113941.

HTTPListRedirects

Updated the Docker image to: demisto/python3:3.11.10.113941.

LoadJSONFileToContext

Updated the Docker image to: demisto/python3:3.11.10.113941.

CreateNewIndicatorsOnly

Updated the Docker image to: demisto/python3:3.11.10.113941.

AddDBotScoreToContext

Updated the Docker image to: demisto/python3:3.11.10.113941.

SetMultipleValues

Updated the Docker image to: demisto/python3:3.11.10.113941.

FeedRelatedIndicatorsWidget

Updated the Docker image to: demisto/python3:3.11.10.113941.

GenerateRandomUUID

Updated the Docker image to: demisto/python3:3.11.10.113941.

SetTime

Updated the Docker image to: demisto/python3:3.11.10.113941.

PrettyPrint

Updated the Docker image to: demisto/python3:3.11.10.113941.

cveReputationV2

Updated the Docker image to: demisto/python3:3.11.10.113941.

VerifyCIDR

Updated the Docker image to: demisto/python3:3.11.10.113941.

IsListExist

Updated the Docker image to: demisto/python3:3.11.10.113941.

get-user-data

Updated the Docker image to: demisto/python3:3.11.10.113941.

LookupCSV

Updated the Docker image to: demisto/python3:3.11.10.113941.

DomainReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

SCPPullFiles

Updated the Docker image to: demisto/python3:3.11.10.113941.

ParseCSV

Updated the Docker image to: demisto/python3:3.11.10.113941.

AppendindicatorFieldWrapper

Updated the Docker image to: demisto/python3:3.11.10.113941.

CVSSCalculator

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetEntries

Updated the Docker image to: demisto/python3:3.11.10.113941.

ExportAuditLogsToFile

Updated the Docker image to: demisto/python3:3.11.10.113941.

MaliciousRatioReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

ZipStrings

Updated the Docker image to: demisto/python3:3.11.10.113941.

CheckContextValue

Updated the Docker image to: demisto/python3:3.11.10.113941.

displayUtilitiesResults

Updated the Docker image to: demisto/python3:3.11.10.113941.

RepopulateFiles

Updated the Docker image to: demisto/python3:3.11.10.113941.

CheckFieldValue

Updated the Docker image to: demisto/python3:3.11.10.113941.

IsUrlPartOfDomain

Updated the Docker image to: demisto/python3:3.11.10.113941.

ConvertCountryCodeCountryName

Updated the Docker image to: demisto/python3:3.11.10.113941.

GenerateSummaryReportButton

Updated the Docker image to: demisto/python3:3.11.10.113941.

ConvertDatetoUTC

Updated the Docker image to: demisto/python3:3.11.10.113941.

IsDomainInternal

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetEnabledInstances

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetServerURL

Updated the Docker image to: demisto/python3:3.11.10.113941.

DumpJSON

Updated the Docker image to: demisto/python3:3.11.10.113941.

TimeStampCompare

Updated the Docker image to: demisto/python3:3.11.10.113941.

SetByIncidentId

Updated the Docker image to: demisto/python3:3.11.10.113941.

CompareLists

Updated the Docker image to: demisto/python3:3.11.10.113941.

ConvertTimezoneFromUTC

Updated the Docker image to: demisto/python3:3.11.10.113941.

TextFromHTML

Updated the Docker image to: demisto/python3:3.11.10.113941.

ServerLogs_docker

Updated the Docker image to: demisto/python3:3.11.10.113941.

CalculateEntropy

Updated the Docker image to: demisto/python3:3.11.10.113941.

DockerHardeningCheck

Updated the Docker image to: demisto/python3:3.11.10.113941.

ListUsedDockerImages

Updated the Docker image to: demisto/python3:3.11.10.113941.

IncidentFields

Updated the Docker image to: demisto/python3:3.11.10.113941.

FilterByList

Updated the Docker image to: demisto/python3:3.11.10.113941.

FileReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

URLSSLVerification

Updated the Docker image to: demisto/python3:3.11.10.113941.

NumberOfPhishingAttemptPerUser

Updated the Docker image to: demisto/python3:3.11.10.113941.

PortListenCheck

Updated the Docker image to: demisto/python3:3.11.10.113941.

URLReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

IsInternalHostName

Updated the Docker image to: demisto/python3:3.11.10.113941.

URLNumberOfAds

Updated the Docker image to: demisto/python3:3.11.10.113941.

JSONtoCSV

Updated the Docker image to: demisto/python3:3.11.10.113941.

IPReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

PrintContext

Updated the Docker image to: demisto/python3:3.11.10.113941.

ReplaceMatchGroup

Updated the Docker image to: demisto/python3:3.11.10.113941.

TopMaliciousRatioIndicators

Updated the Docker image to: demisto/python3:3.11.10.113941.

UtilAnyResults

Updated the Docker image to: demisto/python3:3.11.10.113941.

ServerLogs

Updated the Docker image to: demisto/python3:3.11.10.113941.

OnionURLReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

enrich_exclude_button

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetFieldsByIncidentType

Updated the Docker image to: demisto/python3:3.11.10.113941.

SetDateField

Updated the Docker image to: demisto/python3:3.11.10.113941.

AssignToMeButton

Updated the Docker image to: demisto/python3:3.11.10.113941.

AddKeyToList

Updated the Docker image to: demisto/python3:3.11.10.113941.

PopulateCriticalAssets

Updated the Docker image to: demisto/python3:3.11.10.113941.

ExtractEmailV2

Updated the Docker image to: demisto/python3:3.11.10.113941.

SearchIncidentsSummary

Updated the Docker image to: demisto/python3:3.11.10.113941.

IsIPPrivate

Updated the Docker image to: demisto/python3:3.11.10.113941.

FileToBase64List

Updated the Docker image to: demisto/python3:3.11.10.113941.

IsInternalDomainName

Updated the Docker image to: demisto/python3:3.11.10.113941.

FileCreateAndUploadV2

Updated the Docker image to: demisto/python3:3.11.10.113941.

RemoveKeyFromList

Updated the Docker image to: demisto/python3:3.11.10.113941.

DecodeMimeHeader

Updated the Docker image to: demisto/python3:3.11.10.113941.

DeduplicateValuesbyKey

Updated the Docker image to: demisto/python3:3.11.10.113941.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.11.10.113941.

LoadJSON

Updated the Docker image to: demisto/python3:3.11.10.113941.

BreachConfirmationHTML

Updated the Docker image to: demisto/python3:3.11.10.113941.

DBotAverageScore

Updated the Docker image to: demisto/python3:3.11.10.113941.

CalculateTimeDifference

Updated the Docker image to: demisto/python3:3.11.10.113941.

SSDeepReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

MarkAsNoteByTag

Updated the Docker image to: demisto/python3:3.11.10.113941.

ShowIncidentIndicators

Updated the Docker image to: demisto/python3:3.11.10.113941.

displayMappedFields

Updated the Docker image to: demisto/python3:3.11.10.113941.

MarkAsEvidenceByTag

Updated the Docker image to: demisto/python3:3.11.10.113941.

EncodeToAscii

Updated the Docker image to: demisto/python3:3.11.10.113941.

PrintRaw

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetStringsDistance

Updated the Docker image to: demisto/python3:3.11.10.113941.

HttpV2

Updated the Docker image to: demisto/python3:3.11.10.113941.

SetIndicatorGridField

Updated the Docker image to: demisto/python3:3.11.10.113941.

IndicatorMaliciousRatioCalculation

Updated the Docker image to: demisto/python3:3.11.10.113941.

EmailReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

PrintErrorEntry

Updated the Docker image to: demisto/python3:3.11.10.113941.

GridFieldSetup

Updated the Docker image to: demisto/python3:3.11.10.113941.

JSONFileToCSV

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetIndicatorDBotScore

Updated the Docker image to: demisto/python3:3.11.10.113941.

CopyNotesToIncident

Updated the Docker image to: demisto/python3:3.11.10.113941.

MatchRegexV2

Updated the Docker image to: demisto/python3:3.11.10.113941.

IdentifyAttachedEmail

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetInstances

Updated the Docker image to: demisto/python3:3.11.10.113941.

ArrayToCSV

Updated the Docker image to: demisto/python3:3.11.10.113941.

EditServerConfig

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetErrorsFromEntry

Updated the Docker image to: demisto/python3:3.11.10.113941.

CopyContextToField

Updated the Docker image to: demisto/python3:3.11.10.113941.

DisplayHTML

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetLicenseID

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetIndicatorDBotScoreFromCache

Updated the Docker image to: demisto/python3:3.11.10.113941.

DemistoVersion

Updated the Docker image to: demisto/python3:3.11.10.113941.

StringSimilarity

Updated the Docker image to: demisto/python3:3.11.10.113941.

ParseYAML

Updated the Docker image to: demisto/python3:3.11.10.113941.

VerifyIPv6Indicator

Updated the Docker image to: demisto/python3:3.11.10.113941.

StopScheduledTask

Updated the Docker image to: demisto/python3:3.11.10.113941.

RunDockerCommand

Updated the Docker image to: demisto/python3:3.11.10.113941.

RunPollingCommand

Updated the Docker image to: demisto/python3:3.11.10.113941.

BMCTool

Updated the Docker image to: demisto/python3:3.11.10.113941.

VerdictResult

Updated the Docker image to: demisto/python3:3.11.10.113941.

hideFieldsOnNewIncident

Updated the Docker image to: demisto/python3:3.11.10.113941.

CompareIncidentsLabels

Updated the Docker image to: demisto/python3:3.11.10.113941.

PositiveDetectionsVSDetectionEngines

Updated the Docker image to: demisto/python3:3.11.10.113941.

SetWithTemplate

Updated the Docker image to: demisto/python3:3.11.10.113941.

Base64ListToFile

Updated the Docker image to: demisto/python3:3.11.10.113941.

SearchIndicator

Updated the Docker image to: demisto/python3:3.11.10.113941.

CreateIndicatorsFromSTIX

Updated the Docker image to: demisto/python3:3.11.10.113941.

FormatURL

Updated the Docker image to: demisto/python3:3.11.10.113941.

SendEmailOnSLABreach

Updated the Docker image to: demisto/python3:3.11.10.113941.

LinkIncidentsButton

Updated the Docker image to: demisto/python3:3.11.10.113941.

GetListRow

Updated the Docker image to: demisto/python3:3.11.10.113941.

CertificateReputation

Updated the Docker image to: demisto/python3:3.11.10.113941.

LinkIncidentsWithRetry

Updated the Docker image to: demisto/python3:3.11.10.113941.

Related pull requests:
- 36995
- 37051
- 37052
- 36992
- 37006
- 36997
- 36994
- 36998
- 36993
- 37059

Download

1.15.79 - 1597102 (November 5, 2024)

Scripts

JsonUnescape

Updated the Docker image to: demisto/python3-deb:3.11.10.114849.

Related pull requests:
- 37046
- 37042
- 37041

Download

1.15.78 - 1592987 (November 5, 2024)

Scripts

SearchIncidentsV2

Documentation and metadata improvements.

Related pull requests:
- 37048

Download

1.15.77 - 1574765 (October 31, 2024)

Scripts

FailedInstances

Fixed an issue where the script was ignoring instances in an error state.

Related pull requests:
- 37004

Download

1.15.76 - 1563308 (October 29, 2024)

Scripts

SSDeepSimilarity

Updated the Docker image to: demisto/ssdeep:1.0.0.114703.

Related pull requests:
- 36856
- 36845
- 36844
- 36843
- 36840
- 36837
- 36836
- 36832
- 36842
- 36841
- 36839
- 36838
- 36834
- 36835
- 36833

Download

1.15.75 - 1537605 (October 22, 2024)

Scripts

PreProcessImage

Updated the Docker image to: demisto/processing-image-file:1.0.0.113909.

PcapHTTPExtractor

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.113908.

Related pull requests:
- 36780
- 36769
- 36784
- 36766
- 36771
- 36498
- 36747
- 36773
- 36759
- 36725
- 36774
- 35865

Download

1.15.74 - 1533081 (October 21, 2024)

Scripts

SearchIncidentsV2

Updated the Docker image to: demisto/python3:3.11.10.111526.

Related pull requests:
- 35865

Download

1.15.73 - 1504524 (October 14, 2024)

Scripts

SSDeepSimilarity

Updated the Docker image to: demisto/ssdeep:1.0.0.112284.

PDFUnlocker

Updated the Docker image to: demisto/readpdf:1.0.0.112283.

JsonUnescape

Updated the Docker image to: demisto/python3-deb:3.11.10.112166.

ReadPDFFileV2

Updated the Docker image to: demisto/readpdf:1.0.0.112283.

UnzipFile

Updated the Docker image to: demisto/unzip:1.0.0.112289.

PcapHTTPExtractor

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.112272.

ReadQRCode

Updated the Docker image to: demisto/qrcode:1.0.0.112357.

Related pull requests:
- 36505
- 36495
- 36494
- 36493
- 36492
- 36491
- 36490
- 36489
- 36486
- 36485
- 36484
- 36483
- 36488
- 36487

Download

1.15.72 - 1491068 (October 10, 2024)

Scripts

SearchIncidentsV2

Fixed an issue (typo)

Related pull requests:
- 36667
- 36664

Download

1.15.71 - 1487718 (October 9, 2024)

Scripts

ParseEmailFilesV2

Fixed an issue where attachment file name encoded in windows-874 could not be parsed correctly.
Updated the Docker image to: demisto/parse-emails:1.0.0.113216.

Related pull requests:
- 36629

Download

1.15.70 - 1480610 (October 8, 2024)

Scripts

New: get-user-data

New: This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. (Available from Cortex XSOAR 6.10.0).

ShowIncidentIndicators

Fixed an issue with ShowIncidentIndicators fetching indicators with the same IDs.
Updated the Docker image to: demisto/python3:3.11.10.111526.

Related pull requests:
- 36260
- 36657

Download

1.15.68 - 1477969 (October 8, 2024)

Scripts

SearchIncidentsV2

Fixed an issue when asking for a summarized version of found incidents would not show properly in XSIAM.

Related pull requests:
- 36650
- 36631

Download

1.15.67 - 1475337 (October 7, 2024)

Scripts

IdentifyAttachedEmail

Fixed an issue where files of type 'message/rfc822' were not identified as emails.

Related pull requests:
- 36620

Download

1.15.66 - 1470320 (October 6, 2024)

Scripts

DeleteContext

Fixed an issue where DBotScore key was not excluded from deletion.

Related pull requests:
- 36594

Download

1.15.65 - 1457639 (October 1, 2024)

Scripts

StixCreator

Enhanced TAXII2FeedApiModule to support setting indicator enrichment exclusion in select feeds. The change has no impact on this script.

Related pull requests:
- 36445

Download

1.15.64 - 1434344 (September 25, 2024)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Updated the formatter to avoid ".onion" domains.

New: AnalyzeTimestampIntervals

New: This script analyzes Unix timestamps to detect patterns of automation, focusing on consistent intervals and high frequency.

Related pull requests:
- 36082

Download

1.15.62 - 1419889 (September 23, 2024)

Incident Fields

Breach Confirmation
Added support for IBM QRadar SOAR Incident in the Breach Confirmation field.

Related pull requests:
- 35286

Download

1.15.61 - 1378119 (September 12, 2024)

Scripts

DeleteContext

Fixed an issue where in some cases the script ignored the keysToKeep argument.

Related pull requests:
- 36292

Download

1.15.60 - 1368468 (September 10, 2024)

Scripts

ExtractHyperlinksFromOfficeFiles

Fixed an issue where the script failed to detect files with uppercase or mixed-case extensions (e.g., .Xlsx).

Related pull requests:
- 36193

Download

1.15.59 - 1358619 (September 8, 2024)

Scripts

StixCreator

Fixed an issue where the fetch-indicators command failed to parse nested reports indicators correctly in the Unit42v2 Feed.

enrich_exclude_button

Updated the script description.

Related pull requests:
- 36024

Download

1.15.57 - 1350055 (September 5, 2024)

Scripts

GetEntries

Added the following arguments:
- page_size
- last_id
- first_id
- selected_entry_id
- users
- tags_and_operator
- from_time
- parent_id
Updated the Docker image to: demisto/python3:3.11.9.109226.

Related pull requests:
- 36114
- 36150

Download

1.15.56 - R1340401 (September 3, 2024)

Scripts

ExtractFQDNFromUrlAndEmail

Documentation and metadata improvements.
Updated the Docker image to: demisto/py3-tools:1.0.0.108682.

ExtractDomainAndFQDNFromUrlAndEmail

Documentation and metadata improvements.
Updated the Docker image to: demisto/py3-tools:1.0.0.108682.

Related pull requests:
- 36053

Download

1.15.55 - 1316088 (August 27, 2024)

Scripts

ScheduleGenericPolling

Fixed an issue where the script would fail in case one of the arguments: additionalPollingCommandArgNames or additionalPollingCommandArgValues was not given.

Related pull requests:
- 36036

Download

1.15.54 - 1311942 (August 26, 2024)

Scripts

ScheduleGenericPolling

Fixed an issue where the script failed when given values containing quotation marks.
Updated the Docker image to: demisto/python3:3.11.9.107902.

GenericPollingScheduledTask

Fixed an issue where the script failed when given values containing quotation marks.

Related pull requests:
- 35995

Download

1.15.53 - 1284734 (August 18, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 35705

Download

1.15.52 - 1277948 (August 15, 2024)

Scripts

AquatoneDiscoverV2

Updated the Docker image to: demisto/aquatone:2.0.0.108439.

Related pull requests:
- 35899

Download

1.15.51 - 1271135 (August 14, 2024)

Scripts

ParseEmailFilesV2

Fixed an issue where UTF-8 encoded EML files with 8-bit Content-Transfer-Encoding headers could not be parsed correctly.
Updated the Docker image to: demisto/parse-emails:1.0.0.108364.

Related pull requests:
- 35853

Download

1.15.50 - 1265696 (August 12, 2024)

Scripts

ExtractIndicatorsFromWordFile

Updated the Docker image to: demisto/office-utils:2.0.0.107687.

ExtractHyperlinksFromOfficeFiles

Updated the Docker image to: demisto/office-utils:2.0.0.107687.

ConvertFile

Updated the Docker image to: demisto/office-utils:2.0.0.107687.

ParseWordDoc

Updated the Docker image to: demisto/office-utils:2.0.0.107687.

Related pull requests:
- 35403

Download

1.15.49 - 1262174 (August 11, 2024)

Scripts

FileToBase64List

Improved implementation to prevent the script from running in a new docker container for each call.
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35481

Download

1.15.48 - 1259921 (August 11, 2024)

Scripts

FindSimilarIncidents

Maintenance and stability enhancements.

Related pull requests:
- 35643

Download

1.15.47 - 1257268 (August 9, 2024)

Scripts

ParseEmailFilesV2

Fixed an issue where parsing p7m files fails to remove signature.
Updated the Docker image to: demisto/parse-emails:1.0.0.107885.

Related pull requests:
- 35796

Download

1.15.46 - 1256255 (August 8, 2024)

Scripts

DockerHardeningCheck

Internal code improvements.
Updated the Docker image to: demisto/python3:3.11.9.107421.

Related pull requests:
- 35801

Download

1.15.45 - 1252429 (August 7, 2024)

Scripts

IsIntegrationAvailable

Fixed an issue where the script would return an error when the raw-response argument was provided.

Related pull requests:
- 35787

Download

1.15.44 - 1244506 (August 5, 2024)

Scripts

DeleteContext

Performance improvements.

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.106927.

Related pull requests:
- 35732

Download

1.15.42 - 1242168 (August 5, 2024)

Scripts

ContentPackInstaller

Added clearer error messages for cases the script fails.
Updated the Docker image to: demisto/xsoar-tools:1.0.0.104430.

Related pull requests:
- 35622

Download

1.15.41 - 1238470 (August 4, 2024)

Scripts

DisplayHTMLWithImages

Fixed an issue where in XSOAR 8, embedded images did not display in the Email Body section in the Phishing layout.
Updated the Docker image to: demisto/python3:3.11.9.105369.

Related pull requests:
- 35702

Download

1.15.40 - 1230534 (July 31, 2024)

Scripts

FailedInstances

Fixed an issue where the script failed when a ServiceNow CMDB instance was configured with OAuth flow enabled.

Related pull requests:
- 35694

Download

1.15.39 - 1226445 (July 30, 2024)

Scripts

DBotUpdateLogoURLPhishing

Maintenance and stability enhancements.

Related pull requests:
- 35570

Download

1.15.38 - 1218660 (July 28, 2024)

Scripts

IdentifyAttachedEmail

Fixed an issue in which email attachments were not identified in Cortex XSOAR 8.
Fixed an issue in which only one entry ID was added to the context.
Updated the docker image to demisto/python3:3.11.9.104657.

Related pull requests:
- 35569

Download

1.15.37 - 1208894 (July 24, 2024)

Scripts

DisplayHTMLWithImages

Fixed an issue where some embedded images not appear in the Email Body section in the Phishing incident layout.
Updated the Docker image to: demisto/python3:3.11.9.104657.

Related pull requests:
- 35566

Download

1.15.36 - 1206393 (July 24, 2024)

Scripts

New: SetIndicatorGridField

New script to allow you to easily set an indicator grid field.

Related pull requests:
- 35553

Download

1.15.35 - 1204731 (July 23, 2024)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.104899.

Related pull requests:
- 35567

Download

1.15.34 - 1200812 (July 22, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 35547

Download

1.15.33 - 1198326 (July 22, 2024)

Scripts

WordTokenizer

Deprecated. Use DBotPreProcessTextData instead.

Related pull requests:
- 35511

Download

1.15.32 - 1191003 (July 18, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 35468

Download

1.15.31 - 1179382 (July 15, 2024)

Scripts

LookupCSV

Fixed an issue where the script results were added to LookupCSV.result instead of LookupCSV.Result in the context.
Updated the Docker image to: demisto/python3:3.11.9.103066.

Related pull requests:
- 35418

Download

1.15.30 - 1177096 (July 15, 2024)

Scripts

ExportToCSV

Updated the script to handle the issue of encoding non english characters while loading the CSV file in the Microsoft excel sheet. Added a new argument 'codec' to choose between UTF-8 and UTF-16-BOM.

Related pull requests:
- 35407
- 35297

Download

1.15.29 - 1175817 (July 14, 2024)

Scripts

DBotUpdateLogoURLPhishing

Updated the Docker image to: demisto/mlurlphishing:1.0.0.103417.

New: GenerateAsBuiltConfiguration

New: Generate a JSON file that can be downloaded and used to create the As-Built document for Cortex XSOAR. (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 35178
- 35115

Download

1.15.27 - 1173616 (July 14, 2024)

Scripts

DisplayHTMLWithImages

Fixed an issue where there was no default text color, and now the default is black.
Updated the Docker image to: demisto/python3:3.11.9.103066.

Related pull requests:
- 35367

Download

1.15.26 - 1169083 (July 11, 2024)

Scripts

VerifyIPv6Indicator

Updated the IPv6 formatter to remove unneeded prefixed characters.
Updated the Docker image to: demisto/python3:3.10.14.101217.

DisplayHTMLWithImages

Fixed an issue where embedded images not appear in the Email Body section in the Phishing incident layout.
Updated the Docker image to: demisto/python3:3.10.14.99474.

Related pull requests:
- 35135

Download

1.15.24 - 1164474 (July 10, 2024)

Scripts

SetGridField

Updated the Docker image to: demisto/pandas:1.0.0.102566.

Related pull requests:
- 35339

Download

1.15.23 - 1159246 (July 8, 2024)

Scripts

ExportAuditLogsToFile

Fixed an issue with Cortex XSOAR 6.x where the command would fail by sending the wrong request.
Updated the Docker image to: demisto/python3:3.10.14.101217.

Related pull requests:
- 35280

Download

1.15.22 - 1156543 (July 8, 2024)

Scripts

ParseCSV

Fixed an issue where passing no escapechar would result in failure.
Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 33951

Download

1.15.21 - 1150618 (July 5, 2024)

Scripts

New: DownloadAndArchivePythonLibrary

New: The script downloads a Python library using PIP, archives it, and returns the file to the war room.
(Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 33742

Download

1.15.20 - 1149551 (July 4, 2024)

Scripts

ContentPackInstaller

Updated the Docker image to: demisto/xsoar-tools:1.0.0.99061.

Related pull requests:
- 35232

Download

1.15.19 - 1142826 (July 2, 2024)

Scripts

ExtractIndicatorsFromTextFile

Fixed an issue where the outputs were not displayed in the context data.
Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 35179

Download

1.15.18 - 1135833 (June 30, 2024)

Scripts

ReadQRCode

Fixed an issue where indicators were not extracted from the output.

Related pull requests:
- 35110

Download

1.15.17 - 1126229 (June 26, 2024)

Scripts

ReadQRCode

Improved implementation of stderr redirection by removing wurlitzer.pipes() and redirecting stderr to a temporary file.
The automation now extracts QR codes exclusively to improve performance.
Updated the Docker image to: demisto/qrcode:1.0.0.98232.

Related pull requests:
- 34579

Download

1.15.16 - 1120391 (June 25, 2024)

Scripts

GridFieldSetup

Updated the script to include 10 additional inputs.

Related pull requests:
- 35016
- 35046

Download

1.15.15 - 1110626 (June 21, 2024)

Scripts

DisplayHTMLWithImages

Resolved a situation where there was no default background, and now the default background is white.
Updated the Docker image to: demisto/python3:3.10.14.98889.

Related pull requests:
- 34985

Download

1.15.14 - 1110034 (June 21, 2024)

Scripts

CreateEmailHtmlBody

Fixed an issue where the alerts field was not mapped in Cortex XSIAM.

Related pull requests:
- 34966

Download

1.15.13 - 1109132 (June 20, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 34979

Download

1.15.12 - 1104278 (June 19, 2024)

Scripts

FailedInstances

Fixed an issue where the script failed when a ServiceNow v2 instance was configured with OAuth flow enabled.

Related pull requests:
- 34871

Download

1.15.11 - 1103228 (June 18, 2024)

Scripts

ReadPDFFileV2

Fixed an issue where the script failed to open and extract the PDF's data.
Updated the Docker image to: demisto/readpdf:1.0.0.98214.

Related pull requests:
- 34908

Download

1.15.10 - 1098002 (June 17, 2024)

Scripts

ExtractHyperlinksFromOfficeFiles

Added support for parsing grouped shapes in power point files.

Related pull requests:
- 34876

Download

1.15.9 - 1089105 (June 13, 2024)

Scripts

GetIndicatorDBotScoreFromCache

Added support for additional special characters that were not escaped properly.

Related pull requests:
- 34818

Download

1.15.8 - 1084629 (June 10, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 34765

Download

1.15.7 - 1082615 (June 10, 2024)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

1.15.6 - 1072918 (June 5, 2024)

Scripts

GetListRow

Fixed an issue where new lines at the end of the list could lead to an exception.
Updated the Docker image to: demisto/python3:3.10.14.96411.

Related pull requests:
- 34652

Download

1.15.5 - 1067546 (June 4, 2024)

Scripts

ExtractHyperlinksFromOfficeFiles

Fixed an issue where images with hyperlinks were not extracted properly from docx files.
Updated the Docker image to: demisto/office-utils:2.0.0.96781.

Related pull requests:
- 34671

Download

1.15.4 - 1063016 (June 2, 2024)

Scripts

FetchIndicatorsFromFile

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

ExifRead

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

ExtractFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

LanguageDetect

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

StixCreator

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

ExtractDomainFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

ParseExcel

Updated the Docker image to: demisto/py3-tools:1.0.0.96102.

Related pull requests:
- 34465
- 33830
- 33831
- 33828
- 33825
- 33805
- 33871

Download

1.15.3 - 1057933 (May 30, 2024)

Scripts

GetIndicatorDBotScoreFromCache

Fixed an issue where not all special chars were escaped correctly.

Related pull requests:
- 34647

Download

1.15.2 - 1051712 (May 28, 2024)

Scripts

VerdictResult

Added support for Suspicious verdict.
Updated the Docker image to: demisto/python3:3.10.14.95956.

Related pull requests:
- 34575

Download

1.15.1 - 1049953 (May 28, 2024)

Scripts

GetIndicatorDBotScoreFromCache

Fixed an issue where some special chars of indicator values were not escaped correctly.
Updated the Docker image to: demisto/python3:3.10.14.95956.

Related pull requests:
- 34576

Download

1.15.0 - 1046017 (May 26, 2024)

Scripts

ZipFile

Replaced the pyminizip library with pyzipper.
Updated the Docker image to: demisto/py3-tools:1.0.0.95440.

Related pull requests:
- 34399

Download

1.14.49 - 1038463 (May 23, 2024)

Scripts

StixCreator

Fixed an issue in the TAXII2ApiModule related to TAXII2 server integration.

Related pull requests:
- 34399
- 34484

Download

1.14.48 - 1029456 (May 20, 2024)

Scripts

ParseWordDoc

Updated the Docker image to: demisto/office-utils:2.0.0.93886.

DBotUpdateLogoURLPhishing

Updated the Docker image to: demisto/mlurlphishing:1.0.0.90588.

SSDeepSimilarity

Updated the Docker image to: demisto/ssdeep:1.0.0.93570.

PreProcessImage

Updated the Docker image to: demisto/processing-image-file:1.0.0.93358.

AquatoneDiscoverV2

Updated the Docker image to: demisto/aquatone:2.0.0.93318.

PcapHTTPExtractor

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.93351.

ReadPDFFileV2

Updated the Docker image to: demisto/readpdf:1.0.0.93363.

ExtractIndicatorsFromWordFile

Updated the Docker image to: demisto/office-utils:2.0.0.93886.

PDFUnlocker

Updated the Docker image to: demisto/readpdf:1.0.0.93363.

Related pull requests:
- 34378

Download

1.14.47 - 1027410 (May 20, 2024)

Scripts

StixCreator

Fixed an issue in the TAXII2ApiModule related to TAXII2 server integration.

Related pull requests:
- 34434

Download

1.14.46 - 1021616 (May 16, 2024)

Scripts

ScheduleGenericPolling

Fixed an issue where polling didn't reach into timeouts.

Related pull requests:
- 34357

Download

1.14.45 - 1005026 (May 8, 2024)

Scripts

SendEmailOnSLABreach

Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 34251

Download

1.14.44 - 1000160 (May 7, 2024)

Scripts

ParseEmailFilesV2

Documentation and metadata improvements.
Updated the Docker image to: demisto/parse-emails:1.0.0.93148.

Related pull requests:
- 33388

Download

1.14.43 - 998827 (May 6, 2024)

Common Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34212

Download

1.14.42 - R995825 (May 5, 2024)

Scripts

Ping

Improved the error message to clarify that the script can only run on a custom engine on Cortex XSOAR 8 and Cortex XSIAM.
Updated the Docker image to: demisto/netutils:1.0.0.92795.

Related pull requests:
- 34167

Download

1.14.41 - 986039 (May 1, 2024)

Scripts

DeleteContext

Fixed an issue where results' object, contents' format, did not match actual content type.

Related pull requests:
- 34132

Download

1.14.40 - 978880 (April 26, 2024)

Scripts

FormatURL

Internal code adjustments.
Updated the Docker image to: demisto/python3:3.10.14.92207.

FindSimilarIncidents

Deprecated. Use the DBotFindSimilarIncidents script instead.

Related pull requests:
- 33245

Download

1.14.38 - 978218 (April 25, 2024)

Scripts

CreateNewIndicatorsOnly

Added the associate_to_current argument which associates the indicator with the current incident.

Related pull requests:
- 33907

Download

1.14.37 - 976988 (April 25, 2024)

Scripts

ParseEmailFilesV2

Added support for Apple HFS file type.
Updated the Docker image to: demisto/parse-emails:1.0.0.93148.

Related pull requests:
- 34084

Download

1.14.36 - 971504 (April 21, 2024)

Scripts

ParseEmailFilesV2

Fixed an issue where some eml files where not recognized.

Related pull requests:
- 34081

Download

1.14.35 - 970211 (April 21, 2024)

Scripts

FormatURL

Fixed an issue with microsoft safe links not being formatted correctly when the link had office365.us as a domain or a path as part of the wrapper.

Related pull requests:
- 34050

Download

1.14.34 - 962639 (April 17, 2024)

Scripts

ReadQRCode

Added a log for the extractIndictors command used in the script.

Related pull requests:
- 33941

Download

1.14.33 - R958204 (April 15, 2024)

Scripts

DeleteContext

Added a test playbook for DeleteContext script.

FileCreateAndUploadV2

Fixed an issue where the script failed when using the entryId argument with an ID of EntryNote.

Related pull requests:
- 33920

Download

1.14.31 - 949376 (April 11, 2024)

Scripts

ParseEmailFilesV2

Added log handler.
Updated the Docker image to: demisto/parse-emails:1.0.0.92018.

Related pull requests:
- 33908

Download

1.14.30 - 945534 (April 9, 2024)

Scripts

DeleteContext

Fixed an issue where the values of excluded keys, were converted to arrays.

Related pull requests:
- 33847

Download

1.14.29 - 943711 (April 9, 2024)

Scripts

DockerHardeningCheck

Updated the Docker image to: demisto/python3:3.10.14.91134.

Related pull requests:
- 33805

Download

1.14.28 - 942617 (April 8, 2024)

Scripts

ZipFile

Downgraded the docker image to demisto/py3-tools:1.0.0.49703 to address script malfunction when running on latest docker image.

Related pull requests:
- 33825

Download

1.14.27 - 941102 (April 8, 2024)

Scripts

DeleteContext

Fixed an issue where setting 'all=yes' would not delete keys with null values.
Fixed an issue with keys exclusion when deleting all keys.

Related pull requests:
- 33760

Download

1.14.26 - 938811 (April 7, 2024)

Scripts

ExtractDomainFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

LanguageDetect

Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

ExifRead

Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

ParseExcel

Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

ZipFile

Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

ExtractFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

1.14.25 - R934602 (April 4, 2024)

Scripts

StixCreator

Improved implementation of the code.
Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

Related pull requests:
- 33106

Download

1.14.24 - R925751 (April 1, 2024)

Scripts

FileCreateAndUploadV2

Fixed an issue where the script returned an empty file when using the entryId argument.
Updated the script context path to support file entry context output.

Related pull requests:
- 33611

Download

1.14.23 - 919001 (March 27, 2024)

Scripts

GenericPollingScheduledTask

Fixed an issue where a value was not sanitized.

ScheduleGenericPolling

Fixed an issue where a value was not sanitized.

Related pull requests:
- 33368

Download

1.14.22 - 916317 (March 26, 2024)

Scripts

ParseWordDoc

Updated the Docker image to: demisto/office-utils:2.0.0.89801.

PcapHTTPExtractor

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.90745.

Related pull requests:
- 33450

Download

1.14.20 - R913451 (March 25, 2024)

Scripts

ReadPDFFileV2

Added the argument unescape_url. When set, the script will unescape the URLs that have been escaped (by ignoring them). Default is 'true'.
Updated the Docker image to: demisto/readpdf:1.0.0.89247.

Related pull requests:
- 33258

Download

1.14.19 - 904622 (March 20, 2024)

Scripts

AquatoneDiscoverV2

Updated the Docker image to: demisto/aquatone:2.0.0.89205.

FetchIndicatorsFromFile

Updated the Docker image to: demisto/py3-tools:1.0.0.89345.

VerifyJSON

Updated the Docker image to: demisto/powershell:7.4.0.80528.

Related pull requests:
- 33391
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33348

Download

1.14.18 - 899684 (March 19, 2024)

Scripts

DeleteContext

Fixed an issue where comma-separated values key parsing was broken.

Related pull requests:
- 33407

Download

1.14.17 - 897231 (March 18, 2024)

Lists

PrivateIPs

Added the list 'PrivateIPs' to XSIAM.

Related pull requests:
- 33201

Download

1.14.16 - 891799 (March 14, 2024)

Scripts

GetDockerImageLatestTag

Added support for OPP gateway.
Upgraded the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33353
- 33355

Download

1.14.15 - 889167 (March 13, 2024)

Scripts

CreateNewIndicatorsOnly

Added the functionality to associate submitted indicators with an incident.
Updated the Docker image to: demisto/python3:3.10.13.89009.

DeleteContext

Fixed an issue where provided non-string keys are not deleted.

Related pull requests:
- 33342

Download

1.14.13 - 883873 (March 11, 2024)

Scripts

ScheduleGenericPolling

Added support for propagating the auto-extract argument in both the initial and subsequent executions by introducing the extractMode argument.
Updated the Docker image to: demisto/python3:3.10.13.89009.

GenericPollingScheduledTask

Added support for propagating the auto-extract argument in both the initial and subsequent executions by introducing the extractMode argument.

Related pull requests:
- 33146

Download

1.14.12 - 882064 (March 11, 2024)

Scripts

DeleteContext

Added support for comma separated values for the 'key' parameter.

Related pull requests:
- 33256

Download

1.14.11 - 881200 (March 10, 2024)

Scripts

GridFieldSetup

Updated the Docker image to: demisto/python3:3.10.13.89009.

IsInternalDomainName

Fixed an issue where the script would return false positive results on edge cases.

Related pull requests:
- 33288

Download

1.14.9 - 873658 (March 6, 2024)

Scripts

FormatURL

Fixed an issue where URLs without a path and with an email caused the formatter to return an empty string.

Related pull requests:
- 33242

Download

1.14.8 - 871927 (March 6, 2024)

Scripts

FormatURL

Fixed an issue that an extra char caught by the regex resulted in the formatter tagging valid CIDRs as URLs.

Related pull requests:
- 33222

Download

1.14.7 - 870683 (March 5, 2024)

Scripts

CertificateExtract

New: Extract fields from a certificate file and return the standard context. (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to: demisto/crypto:1.0.0.88857.

New: CertificateReputation

New: Enrich and calculate the reputation of a certificate indicator. (Available from Cortex XSOAR 6.0.0).

FileCreateAndUploadV2

Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 31341

Download

1.14.6 - R867923 (March 4, 2024)

Scripts

ConvertFile

Updated the Docker image to: demisto/office-utils:2.0.0.88735.

Related pull requests:
- 33141

Download

1.14.5 - 865088 (March 3, 2024)

Scripts

StixCreator

Fixed an issue where Export Stix failed when exporting a not STIX compatible object of type Report.
Updated the Docker image to demisto/py3-tools:1.0.0.88283.

ScheduleGenericPolling

Fixed an issue where a value was not sanitized.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32878

Download

1.14.3 - 860237 (February 29, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 33078

Download

1.14.2 - 854016 (February 26, 2024)

Scripts

New: ExtractHyperlinksFromOfficeFiles

New: Extract hyperlinks from office files. Supported file types are: xlsx, docx, pptx. (Available from Cortex XSOAR 5.5.0).

Related pull requests:
- 33073

Download

1.14.1 - 844718 (February 22, 2024)

Scripts

Sleep

Fixed an issue where sometimes tasks using Sleep did not continue as expected.

Related pull requests:
- 33056

Download

1.14.0 - 836299 (February 18, 2024)

Scripts

LinkIncidentsWithRetry

Updated the Docker image to: demisto/python3:3.10.13.86272.

CVSSCalculator

Updated the Docker image to: demisto/python3:3.10.13.86272.

ExportContextToJSONFile

Updated the Docker image to: demisto/python3:3.10.13.86272.

displayUtilitiesResults

Updated the Docker image to: demisto/python3:3.10.13.86272.

PopulateCriticalAssets

Updated the Docker image to: demisto/python3:3.10.13.86272.

LinkIncidentsButton

Updated the Docker image to: demisto/python3:3.10.13.86272.

ConvertDatetoUTC

Updated the Docker image to: demisto/python3:3.10.13.86272.

AssignToMeButton

Updated the Docker image to: demisto/python3:3.10.13.86272.

IsDomainInternal

Updated the Docker image to: demisto/python3:3.10.13.86272.

IndicatorMaliciousRatioCalculation

Updated the Docker image to: demisto/python3:3.10.13.86272.

IPToHost

Updated the Docker image to: demisto/python3:3.10.13.86272.

MarkAsEvidenceByTag

Updated the Docker image to: demisto/python3:3.10.13.86272.

CopyContextToField

Updated the Docker image to: demisto/python3:3.10.13.86272.

AddDBotScoreToContext

Updated the Docker image to: demisto/python3:3.10.13.86272.

CloseInvestigationAsDuplicate

Updated the Docker image to: demisto/python3:3.10.13.86272.

SetDateField

Updated the Docker image to: demisto/python3:3.10.13.86272.

CompareIncidentsLabels

Updated the Docker image to: demisto/python3:3.10.13.86272.

ContextContains

Updated the Docker image to: demisto/python3:3.10.13.86272.

GenerateSummaryReportButton

Updated the Docker image to: demisto/python3:3.10.13.86272.

DemistoVersion

Updated the Docker image to: demisto/python3:3.10.13.86272.

IsIPPrivate

Updated the Docker image to: demisto/python3:3.10.13.86272.

GenerateRandomString

Updated the Docker image to: demisto/python3:3.10.13.86272.

EncodeToAscii

Updated the Docker image to: demisto/python3:3.10.13.86272.

LoadJSONFileToContext

Updated the Docker image to: demisto/python3:3.10.13.86272.

CalculateTimeDifference

Updated the Docker image to: demisto/python3:3.10.13.86272.

IdentifyAttachedEmail

Fixed an issue where the script was erroring when there were no File entries in the warroom.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32966

Download

1.13.39 - 829761 (February 15, 2024)

Scripts

ExportToXLSX

Updated the Docker image to: demisto/xslxwriter:1.0.0.86441.

UnzipFile

Updated the Docker image to: demisto/unzip:1.0.0.86000.

PcapHTTPExtractor

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.85826.

Dig

Updated the Docker image to: demisto/netutils:1.0.0.86390.

HTMLtoMD

Updated the Docker image to: demisto/btfl-soup:1.0.1.86352.

JsonUnescape

Updated the Docker image to: demisto/python3-deb:3.10.13.85666.

GetDomainDNSDetails

Updated the Docker image to: demisto/netutils:1.0.0.86390.

Ping

Updated the Docker image to: demisto/netutils:1.0.0.86390.

ParseHTMLIndicators

Updated the Docker image to: demisto/bs4-tld:1.0.0.86470.

ConvertXmlFileToJson

Updated the Docker image to: demisto/xml-feed:1.0.0.86490.

ExtractHTMLTables

Updated the Docker image to: demisto/bs4-py3:1.0.0.86348.

WordTokenizer

Updated the Docker image to: demisto/nltk:2.0.0.86396.

Related pull requests:
- 32938
- 32763
- 32762
- 32741
- 32744
- 32745
- 32752
- 32753
- 32754
- 32759
- 32761

Download

1.13.38 - 823153 (February 12, 2024)

Scripts

FormatURL

Improved implementation when unquoting double quoted URLs.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32719

Download

1.13.37 - 820763 (February 11, 2024)

Scripts

GenericPollingScheduledTask

Fixed an issue where a line containing only '0' was removed and improved JavaScript syntax.

Related pull requests:
- 32820

Download

1.13.36 - 815435 (February 8, 2024)

Scripts

IdentifyAttachedEmail

Improved the implementation of the script by optimizing the entry filtering.

Related pull requests:
- 32459

Download

1.13.35 - 813091 (February 7, 2024)

Scripts

ReadQRCode

Improved implementation by adding the pybar library to cover a wider range of cases.
Updated the Docker image to: demisto/qrcode:1.0.0.87067.

Related pull requests:
- 32556

Download

1.13.34 - 807749 (February 5, 2024)

Scripts

CreateEmailHtmlBody

Fixed an issue where fields with false values was not being copied correctly.

Related pull requests:
- 32712

Download

1.13.33 - 806093 (February 5, 2024)

Scripts

TopMaliciousRatioIndicators

Added the investigationsCount query argument to the findIndicators command.
Updated the maxNumberOfIndicators parameter default value to from 10,000 to 1,000.

Related pull requests:
- 32581

Download

1.13.32 - 801540 (February 2, 2024)

Scripts

ProvidesCommand

Fixed an issue where the script would miss enabled commands due to a mismatch between comparison key when checking that a command is part of enabled instances.
Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32552
- 32676

Download

1.13.31 - 798475 (February 1, 2024)

Scripts

GetIndicatorDBotScoreFromCache

Fixed an issue where the GetIndicatorDBotScoreFromCache automation failed when no IOCs were returned from the cache.
Updated the Docker image to demisto/python3:3.10.13.86272.

CompareLists

Updated the Docker image to: demisto/python3:3.10.13.86272.

SSDeepReputation

Updated the Docker image to: demisto/python3:3.10.13.86272.

IsInternalDomainName

Updated the Docker image to: demisto/python3:3.10.13.86272.

ListUsedDockerImages

Updated the Docker image to: demisto/python3:3.10.13.86272.

FilterByList

Updated the Docker image to: demisto/python3:3.10.13.86272.

GenerateRandomUUID

Updated the Docker image to: demisto/python3:3.10.13.86272.

NumberOfPhishingAttemptPerUser

Updated the Docker image to: demisto/python3:3.10.13.86272.

DockerHardeningCheck

Updated the Docker image to: demisto/python3:3.10.13.86272.

HttpV2

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32445

Download

1.13.27 - 793334 (January 30, 2024)

Scripts

DecodeMimeHeader

Updated the Docker image to: demisto/python3:3.10.13.86272.

DisableUserWrapper

Updated the Docker image to: demisto/python3:3.10.13.86272.

ParseYAML

Updated the Docker image to: demisto/python3:3.10.13.86272.

GetInstances

Updated the Docker image to: demisto/python3:3.10.13.86272.

PrettyPrint

Updated the Docker image to: demisto/python3:3.10.13.86272.

Base64EncodeV2

Updated the Docker image to: demisto/python3:3.10.13.86272.

DisplayHTML

Updated the Docker image to: demisto/python3:3.10.13.86272.

SetByIncidentId

Updated the Docker image to: demisto/python3:3.10.13.86272.

LookupCSV

Updated the Docker image to: demisto/python3:3.10.13.86272.

FeedRelatedIndicatorsWidget

Updated the Docker image to: demisto/python3:3.10.13.86272.

URLSSLVerification

Updated the Docker image to: demisto/python3:3.10.13.86272.

ArrayToCSV

Updated the Docker image to: demisto/python3:3.10.13.86272.

TimeStampCompare

Updated the Docker image to: demisto/python3:3.10.13.86272.

IsListExist

Updated the Docker image to: demisto/python3:3.10.13.86272.

MaliciousRatioReputation

Updated the Docker image to: demisto/python3:3.10.13.86272.

SetMultipleValues

Updated the Docker image to: demisto/python3:3.10.13.86272.

DomainReputation

Updated the Docker image to: demisto/python3:3.10.13.86272.

DumpJSON

Updated the Docker image to: demisto/python3:3.10.13.86272.

SearchIndicator

Updated the Docker image to: demisto/python3:3.10.13.86272.

CheckFieldValue

Updated the Docker image to: demisto/python3:3.10.13.86272.

IdentifyAttachedEmail

Updated the Docker image to: demisto/python3:3.10.13.86272.

TopMaliciousRatioIndicators

Updated the Docker image to: demisto/python3:3.10.13.86272.

GetLicenseID

Updated the Docker image to: demisto/python3:3.10.13.86272.

Strings

Updated the Docker image to: demisto/python3:3.10.13.86272.

CheckSenderDomainDistance

Updated the Docker image to: demisto/python3:3.10.13.86272.

HTTPListRedirects

Updated the Docker image to: demisto/python3:3.10.13.86272.

ConvertTimezoneFromUTC

Updated the Docker image to: demisto/python3:3.10.13.86272.

SetWithTemplate

Updated the Docker image to: demisto/python3:3.10.13.86272.

CheckIndicatorValue

Updated the Docker image to: demisto/python3:3.10.13.86272.

RunPollingCommand

Updated the Docker image to: demisto/python3:3.10.13.86272.

AddKeyToList

Updated the Docker image to: demisto/python3:3.10.13.86272.

ResolveShortenedURL

Updated the Docker image to: demisto/python3:3.10.13.86272.

ExtractAttackPattern

Updated the Docker image to: demisto/python3:3.10.13.86272.

BreachConfirmationHTML

Updated the Docker image to: demisto/python3:3.10.13.86272.

PortListenCheck

Updated the Docker image to: demisto/python3:3.10.13.86272.

JSONtoCSV

Updated the Docker image to: demisto/python3:3.10.13.86272.

ParseCSV

Updated the Docker image to: demisto/python3:3.10.13.86272.

CalculateEntropy

Updated the Docker image to: demisto/python3:3.10.13.86272.

CreateHash

Updated the Docker image to: demisto/python3:3.10.13.86272.

SendEmailOnSLABreach

Updated the Docker image to: demisto/python3:3.10.13.86272.

Base64ListToFile

Updated the Docker image to: demisto/python3:3.10.13.86272.

PositiveDetectionsVSDetectionEngines

Updated the Docker image to: demisto/python3:3.10.13.86272.

MatchRegexV2

Updated the Docker image to: demisto/python3:3.10.13.86272.

RunDockerCommand

Updated the Docker image to: demisto/python3:3.10.13.86272.

GetEntries

Updated the Docker image to: demisto/python3:3.10.13.86272.

JSONFileToCSV

Updated the Docker image to: demisto/python3:3.10.13.86272.

cveReputationV2

Updated the Docker image to: demisto/python3:3.10.13.86272.

RepopulateFiles

Updated the Docker image to: demisto/python3:3.10.13.86272.

SearchIncidentsSummary

Updated the Docker image to: demisto/python3:3.10.13.86272.

StopScheduledTask

Updated the Docker image to: demisto/python3:3.10.13.86272.

IsolationAssetWrapper

Updated the Docker image to: demisto/python3:3.10.13.86272.

RemoveKeyFromList

Updated the Docker image to: demisto/python3:3.10.13.86272.

VerifyIPv6Indicator

Updated the Docker image to: demisto/python3:3.10.13.86272.

ReadFile

Updated the Docker image to: demisto/python3:3.10.13.86272.

SetTime

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32408

Download

1.13.26 - 790023 (January 28, 2024)

Scripts

CopyNotesToIncident

Added auto_extract argument to the script. When set to true, the script will extract indicators from the note. The default value is false.
Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32342

Download

1.13.25 - 785965 (January 25, 2024)

Scripts

SetGridField

Fixed an issue where the script fails on XSOAR 8.0 and above.
Updated the Docker image to: demisto/pandas:1.0.0.86039.

Related pull requests:
- 32428

Download

1.13.24 - 784509 (January 25, 2024)

Scripts

ReadPDFFileV2

Added support for extracting hashes.
Updated the Docker image to: demisto/readpdf:1.0.0.85832.

Related pull requests:
- 32387

Download

1.13.23 - 778227 (January 22, 2024)

Common Scripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

1.13.22 - 769959 (January 18, 2024)

Scripts

Sleep

Fixed an issue where long run times failed when using integer values passed from the context.

Related pull requests:
- 32270

Download

1.13.21 - 766592 (January 16, 2024)

Scripts

DBotUpdateLogoURLPhishing

Fixed an issue where the script failed to run.
Updated the Docker image to: demisto/mlurlphishing:1.0.0.85127.

Set

Fixed an issue where the Set command couldn't set large numbers.

Related pull requests:
- 32220

Download

1.13.19 - R760302 (January 14, 2024)

Scripts

EmailAskUser

Added support for attachCIDs argument to embed attachments within the email.

Related pull requests:
- 31918

Download

1.13.18 - 740656 (January 3, 2024)

Common Scripts

Pack changes are not relevant for current marketplace.

Related pull requests:
- 31950
- 23810
- 24291
- 31841

Download

1.13.17 - R740516 (January 3, 2024)

Scripts

FindSimilarIncidents

Fixed an issue where incidents were incorrectly called "alerts" in Cortex XSOAR.

Related pull requests:
- 31853

Download

1.13.16 - 727613 (December 31, 2023)

Scripts

IsIntegrationAvailable

Improved implementation for better performance.

Related pull requests:
- 31838

Download

1.13.15 - 722180 (December 28, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 31820
- 23810
- 24291

Download

1.13.14 - 717685 (December 26, 2023)

Scripts

displayMappedFields

Fixed an issue where the HTML tags were generating large HTML output.
Fixed an issue where some empty values were not filtered out.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31718

Download

1.13.13 - 7254058 (December 24, 2023)

Scripts

New: VerdictResult

New: This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field.

ParseEmailFilesV2

Fixed a parsing issue when running on msg email files with headers only.
Fixed an issue where EML multipart files were not parsed if they have a broken boundary.
Updated the Docker image to: demisto/parse-emails:1.0.0.83945.

Related pull requests:
- 31683

Download

1.13.11 - 7220184 (December 20, 2023)

Scripts

SetGridField

Fixed an issue where an error was raised when trying to run the script from the playbook debugger.

ExportIncidentsToCSV

Improved the logs.

Related pull requests:
- 31438

Download

1.13.9 - 7216131 (December 20, 2023)

Scripts

IncidentFields

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)

ExportIndicatorsToCSV

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)

ExportIncidentsToCSV

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)

GetFieldsByIncidentType

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)

EditServerConfig

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
Updated the Docker image to: demisto/python3:3.10.13.83255.

GenerateAsBuilt

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)

ExportAuditLogsToFile

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
Updated the Docker image to: demisto/python3:3.10.13.83255.

ContentPackInstaller

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
Updated the Docker image to: demisto/xsoar-tools:1.0.0.83431.

ProvidesCommand

Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)

Related pull requests:
- 31388

Download

1.13.8 - 7199151 (December 18, 2023)

Scripts

SearchIncidentsV2

Fixed an issue where the script failed to pull all available incidents in XSOAR 8.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31531

Download

1.13.7 - 7187156 (December 17, 2023)

Scripts

PDFUnlocker

Updated the Docker image to: demisto/readpdf:1.0.0.83506.

ReadPDFFileV2

Updated the Docker image to: demisto/readpdf:1.0.0.83506.

Related pull requests:
- 31507

Download

1.13.6 - 7164950 (December 14, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.83392.

CreateIndicatorsFromSTIX

Added the add_context and * tags* arguments for context output.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31485
- 31140

Download

1.13.4 - 7161298 (December 14, 2023)

Scripts

ConvertFile

Updated the Docker image to: demisto/office-utils:2.0.0.82639.

ScheduleGenericPolling

Updated the Docker image to: demisto/python3:3.10.13.83255.

ChangeContext

Updated the Docker image to: demisto/python3:3.10.13.83255.

MarkAsNoteByTag

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExportIncidentsToCSV

Updated the Docker image to: demisto/python3:3.10.13.83255.

EmailReputation

Updated the Docker image to: demisto/python3:3.10.13.83255.

OnionURLReputation

Updated the Docker image to: demisto/python3:3.10.13.83255.

FileCreateAndUploadV2

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetServerURL

Updated the Docker image to: demisto/python3:3.10.13.83255.

ShowLocationOnMap

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExportIndicatorsToCSV

Updated the Docker image to: demisto/python3:3.10.13.83255.

CheckContextValue

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetEnabledInstances

Updated the Docker image to: demisto/python3:3.10.13.83255.

FileReputation

Updated the Docker image to: demisto/python3:3.10.13.83255.

ConvertCountryCodeCountryName

Updated the Docker image to: demisto/python3:3.10.13.83255.

IsUrlPartOfDomain

Updated the Docker image to: demisto/python3:3.10.13.83255.

ServerLogs

Updated the Docker image to: demisto/python3:3.10.13.83255.

PrintRaw

Updated the Docker image to: demisto/python3:3.10.13.83255.

DisplayHTMLWithImages

Updated the Docker image to: demisto/python3:3.10.13.83255.

SCPPullFiles

Updated the Docker image to: demisto/python3:3.10.13.83255.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python3:3.10.13.83255.

CreateIndicatorsFromSTIX

Updated the Docker image to: demisto/python3:3.10.13.83255.

ShowIncidentIndicators

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetDataCollectionLink

Updated the Docker image to: demisto/python3:3.10.13.83255.

PrintContext

Updated the Docker image to: demisto/python3:3.10.13.83255.

ServerLogs_docker

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetStringsDistance

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetDockerImageLatestTag

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetIndicatorDBotScore

Updated the Docker image to: demisto/python3:3.10.13.83255.

CreateNewIndicatorsOnly

Updated the Docker image to: demisto/python3:3.10.13.83255.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python3:3.10.13.83255.

DBotAverageScore

Updated the Docker image to: demisto/python3:3.10.13.83255.

PrintErrorEntry

Updated the Docker image to: demisto/python3:3.10.13.83255.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.10.13.83255.

UtilAnyResults

Updated the Docker image to: demisto/python3:3.10.13.83255.

ZipStrings

Updated the Docker image to: demisto/python3:3.10.13.83255.

GridFieldSetup

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetByIncidentId

Updated the Docker image to: demisto/python3:3.10.13.83255.

ProvidesCommand

Updated the Docker image to: demisto/python3:3.10.13.83255.

ReplaceMatchGroup

Updated the Docker image to: demisto/python3:3.10.13.83255.

VerifyCIDR

Updated the Docker image to: demisto/python3:3.10.13.83255.

AppendindicatorFieldWrapper

Updated the Docker image to: demisto/python3:3.10.13.83255.

URLNumberOfAds

Updated the Docker image to: demisto/python3:3.10.13.83255.

FileToBase64List

Updated the Docker image to: demisto/python3:3.10.13.83255.

GetFieldsByIncidentType

Updated the Docker image to: demisto/python3:3.10.13.83255.

LoadJSON

Updated the Docker image to: demisto/python3:3.10.13.83255.

URLReputation

Updated the Docker image to: demisto/python3:3.10.13.83255.

IncidentFields

Updated the Docker image to: demisto/python3:3.10.13.83255.

hideFieldsOnNewIncident

Updated the Docker image to: demisto/python3:3.10.13.83255.

IPReputation

Updated the Docker image to: demisto/python3:3.10.13.83255.

DeduplicateValuesbyKey

Updated the Docker image to: demisto/python3:3.10.13.83255.

GenerateAsBuilt

Updated the Docker image to: demisto/teams:1.0.0.83464.

Related pull requests:
- 31448

Download

1.13.1 - 7153835 (December 13, 2023)

Scripts

SSDeepSimilarity

Updated the Docker image to: demisto/ssdeep:1.0.0.82649.

Related pull requests:
- 31446

Download

1.13.0 - 7149458 (December 13, 2023)

Scripts

New: ReadQRCode

New: This script uses the open-source library OpenCV to extract text from QR codes. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 31323

Download

1.12.57 - 7142940 (December 12, 2023)

Scripts

SetGridField

Fixed an issue where an uninformative error was raised when trying to run the script from the playground or form the playbook debugger.
Updated the Docker image to: demisto/pandas:1.0.0.83429.

Related pull requests:
- 31318

Download

1.12.56 - 7132024 (December 11, 2023)

Scripts

FindSimilarIncidents

Fixed an issue where alerts were incorrectly called "incidents" in Cortex XSIAM.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31223

Download

1.12.55 - 7087775 (December 6, 2023)

Scripts

ParseEmailFilesV2

Fixed an issue where the Bcc was not parsed.
Fixed an issue where EML files were not parsed correctly if they contained text before the standard headers.
Updated the Docker image to: demisto/parse-emails:1.0.0.82865.

Related pull requests:
- 31331

Download

1.12.54 - 7033788 (November 30, 2023)

Scripts

IsEmailAddressInternal

Fixed an issue where the domain argument did not work as expected when run with a single value rather than a list. The issue was introduced in 1.12.53.

Related pull requests:
- 31222

Download

1.12.53 - 7022868 (November 29, 2023)

Scripts

displayMappedFields

Replaced the text color hardcoded values with system variables.

Related pull requests:
- 31085

Download

1.12.52 - 7018867 (November 29, 2023)

Scripts

IsEmailAddressInternal

Improved implementation for better performance.

SetAndHandleEmpty

Improved implementation for better performance.

Related pull requests:
- 30897

Download

1.12.51 - 7012606 (November 28, 2023)

Scripts

FormatURL

Improved error handling for better performance when the script fails.
Updated the Docker image to: demisto/python3:3.10.13.80593.

ExtractDomainAndFQDNFromUrlAndEmail

Improved error handling for better performance when the script fails.
Updated the Docker image to: demisto/py3-tools:1.0.0.81280.

ExtractEmailV2

Improved error handling for better performance when the script fails.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Sleep

Improved performance for longer sleep times. When seconds is greater than the configured threshold (5 minutes by default), sleep will switch to a polling state instead of waiting.

Related pull requests:
- 30661

Download

1.12.49 - 7001088 (November 27, 2023)

Scripts

GetIndicatorDBotScoreFromCache

Fixed an issue where the script failed when providing indicator values with special characters.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Related pull requests:
- 31070

Download

1.12.48 - 6992191 (November 26, 2023)

Scripts

DBotClosedIncidentsPercentage

Updated the query in theDBotClosedIncidentsPercentage script to status:closed and closingUser:DBot.

Related pull requests:
- 31093

Download

1.12.47 - 6989486 (November 26, 2023)

Scripts

IsIntegrationAvailable

Fixed an issue where the outputs for Conditional Tasks were not 'yes' or 'no' (issue was introduced in 1.12.46).

Related pull requests:
- 31107

Download

1.12.46 - 6965450 (November 22, 2023)

Scripts

IsIntegrationAvailable

Improved implementation for better performance.
Updated the Docker image to: demisto/python3:3.10.13.80593.

GetListRow

Fixed an issue where sometimes a redundant \r would appear at the end of the line.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Related pull requests:
- 31020

Download

1.12.44 - 6910634 (November 16, 2023)

Scripts

GetErrorsFromEntry

The script will now use the getEntriesByIDs command instead of getEntry command to get entries by ID in XSIAM and XSOAR SAAS.

Related pull requests:
- 30930

Download

1.12.43 - 6906425 (November 16, 2023)

Scripts

ReadPDFFileV2

Updated the docker image to demisto/readpdf:1.0.0.78799.
Added support for opening PDF files with owner passwords.

Related pull requests:
- 30927

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 27, 2020
Last Release	November 14, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.