Pack Contributors:
- barpec12
- Jaden Evanger
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Common Scripts
- Details
- Content
- Dependencies
- Version History
Frequently used scripts pack.
Pack Contributors:
- barpec12
- Jaden Evanger
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Automations
| Name | Description |
|---|---|
| DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
WordTokenizer | Deprecated. Use DBotPreProcessTextData instead. |
| OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| SetWithTemplate | Set a value built by a template in context under the key you entered. |
| BMCTool | Parse RDP bitmap cache data into a single collage image file. |
| IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
| ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
| ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
| ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
| EvaluateContextValue | The script is for use with GenericPolling, which checks the completion condition. It uses a DT to retrieve a value from the context data and evaluates it using another DT. |
| TimeStampCompare | Compares a single timestamp to a list of timestamps. |
| ServerLogs_docker | Uses the ssh integration to grab the host server logs. This script is supported only on Cortex XSOAR on-prem (version 6.X). |
| GetByIncidentId | Gets a value from the specified incident's context. |
| CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
| FileReputation | A context script for hash entities. |
| DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
| LinkIncidentsWithRetry | Use this script to avoid DB version errors when simultaneously running multiple linked incidents. |
| emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
| MITRENameByID_Formatter | Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data). |
| RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
| RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key. |
| SetGridField | Creates a Grid table from items or key-value pairs. |
| UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
| ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
| IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
| ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
| StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
| AnalyzeTimestampIntervals | Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps. |
| IPReputation | A context script for IP entities. |
| ParseYAML | Parses a YAML string into context. |
| SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
| isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
| PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
| RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
| IsDomainInternal | The script takes one or more domain names and checks whether they're in the Cortex XSOAR list defined in the InternalDomainsListName argument. By default, the InternalDomainsListName argument will use the Cortex XSOAR list called "InternalDomains". |
| PublishEntriesToContext | Publish entries to incident's context |
| AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
| AssignAnalystToIncident | Assign analyst to incident. |
| ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
| GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
| EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII). |
| ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
| IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
| SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
| ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
| MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
| ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
| enrich_exclude_button | This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise. |
| MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
| ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
| CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
| ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
| SendEmailOnSLABreach | Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. |
| Sleep | Sleep for X seconds. |
| DecodeMimeHeader | Decode MIME base64 headers. |
| ContextContains | This script searches for a value in a context path. |
| CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
| ShowScheduledEntries | Show all scheduled entries for specific incident. |
| SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
| hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
| ContextGetIps | Gets all IP addresses in context, excluding ones given. |
| IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
| AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
| CertificateExtract | Extract fields from a certificate file and return the standard context. |
| ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
| MapValues | Map the given values to the translated values. If given values: a,b,c, and translated: 1,2,3, then the input will return 1. |
| IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| GenerateRandomUUID | Generates a random UUID (UUID 4). |
| FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
| ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
| ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
| GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
| UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
| LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
| ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
| GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
| ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
| SetMultipleValues | Set multiple keys/values to the context. |
| CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
| VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
| FindSimilarIncidents | Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
| ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
| JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
| MarkRelatedIncidents | Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| Set | Set a value in context under the key you entered. |
| ChangeRemediationSLAOnSevChange | Changes the remediation SLA once a change in incident severity occurs. |
| LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident. |
| SearchIncidentsSummary | Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
| TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
| ContextGetEmails | Gets all email addresses in context, excluding ones given. |
| FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
| ZipFile | Zip a file and upload to war room. |
| VerifyCIDR | Verify that the CIDRs are valid. |
| IsListExist | Check if list exist in demisto lists. |
| StringReplace | Replaces regex match/es in string. |
| IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
| FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
CommandLineAnalysis | This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. |
| ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
| StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
| PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
| Base64EncodeV2 | Encodes an input to Base64 format. |
| JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
| HttpV2 | Sends a HTTP request with advanced capabilities. |
| VerifyValidIP | Verifies if the given input contains valid IP addresses (IPv4 or IPv6). |
| MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
| ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
| ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
| ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
| SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
| SetIndicatorGridField | This script updates an indicator's grid field in Cortex XSOAR with provided row data. You can input the rows directly or extract them from the context. |
| ShowLocationOnMap | Show indicator geo location on map. |
| PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections. |
| CalculateTimeDifference | Calculate the time difference, in minutes. |
| ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
| ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
| Dig | DNS lookup utility to provide 'A' and 'PTR' record. |
| HTTPListRedirects | List the redirects for a given URL. |
| GetEnabledInstances | Gets all currently enabled integration instances. |
| DemistoVersion | Return the Demisto server version. |
| URLSSLVerification | Verify URL SSL certificate. |
| ConvertXmlFileToJson | Converts XML file entry to JSON format |
| SearchIndicator | Searches Cortex XSOAR Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
| findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| PrintErrorEntry | Prints an error entry with a given message. |
| ConvertXmlToJson | Converts XML string to JSON format |
| ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
| NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
| Strings | Extract strings from a file with optional filter - similar to binutils strings command. |
| SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
| ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context. |
| IsPDFFileEncrypted | Checks whether the PDF file is encrypted. |
| cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
| ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
| EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
| ToTable | Convert an array to a nice table display. Usually, from the context. |
| ExportToCSV | Export given array to csv file. |
| ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
| ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
| CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
| NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
| EmailReputation | A context script for Email entities. |
| JSONDiff | compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format. |
| MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag. |
| SetTime | Fill the current time in a custom incident field. |
| DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
| PFXAnalyzer | This script is designed to analyze a PFX (Personal Information Exchange) file for various suspicious or noteworthy characteristics from a security perspective. |
| LoadJSON | Loads a json from string input, and returns a json object result. |
| TextFromHTML | Extract regular text from the given HTML. |
| GenerateRandomString | Generates random string. |
| IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0). |
| PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
| UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
| GetLicenseID | Returns the license ID. |
| ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s). |
| MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
| DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at:
|
| DomainReputation | A context script for Domain entities. |
| LanguageDetect | Language detection based on Google's language-detection. |
| cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
| IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
| CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
| Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
| IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
| ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
| listExecutedCommands | Lists executed commands in War Room |
| Base64Encode | Will encode an input using Base64 format. |
| GetEntries | Collect entries matching to the conditions in the war room. |
| ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| UnEscapeIPs | Remove escaping chars from IP |
| CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
| DisplayHTMLWithImages | Display HTML with embedded images. |
| DownloadAndArchivePythonLibrary | The script downloads a Python library using PIP, archives it, and returns the file to the war room. |
| DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
| displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
Prints text to war room (Markdown supported) | |
| GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
| Ping | Pings an IP or url address, to verify it's up. Note - On Cortex XSOAR 8 and Cortex XSIAM, the script can run only on a custom engine. |
| ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
| VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
| GenerateAsBuiltConfiguration | Generate a JSON file that can be downloaded and used to create the As-Built document for Cortex XSOAR. |
| CountArraySize | Count an array size |
| CheckSenderDomainDistance | Get the string distance for the sender from our domain. |
| IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
| ExecuteCommandAt | A wrapper script for the executeCommandAt command to be used in playbooks or the war-room. |
| LoadJSONFileToContext | Loads a JSON file from the war room to context. |
| IsTrue | Check if a given value is true. Will return 'no' otherwise |
| GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
| AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
| UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
| ReadFile | Load the contents of a file into context. |
| ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
| FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
| URLReputation | A context script for URL entities. |
| IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
| ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString. |
| SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
| IsValueInArray | Indicates whether a given value is a member of given array |
| GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
| CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
| FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
| StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
| AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
| GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
| GetServerURL | Get the Server URL. |
| IsIPPrivate | The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs".
|
| RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
| AssignToMeButton | Assigns the current Incident to the Cortex XSOAR user who clicked the button. |
| GenerateSummaryReports | Generate report summaries for the passed incidents. |
| HTMLtoMD | Converts HTML to Markdown. |
| ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
| ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
| ServerLogs | Uses the ssh integration to grab the host server logs. This script is supported only on Cortex XSOAR on-prem (version 6.X). |
| CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
| CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists:
Note: Sending emails require an active Mail Sender integration instance. |
| AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
| ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
| SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
| GetListRow | Parses a list by header and value. |
| RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
| GetDomainDNSDetails | Returns DNS details for a domain. |
| StringLength | Returns the length of the string passed as argument |
| ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
| BreachConfirmationHTML | |
| DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
| ZipStrings | Joins values from two lists by index according to a given format. |
| FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
| http | Sends http request. Returns the response as json. |
| ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
| CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
| MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
| IPNetwork | Gather information regarding CIDR - |
| IPToHost | Try to get the hostname correlated with the input IP. |
| EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
| CheckPDFEncryptionAndValidity | Returns wether a PDF is both valid and encrypted. |
| PortListenCheck | Checks whether a port was open on given host. |
displayMappedFields | Display the mapped fields in a dynamic-section. |
| CompareLists | Compare two lists and put the differences in context. |
| GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
| LessThanPercentage | Checks if one percentage is less than another |
| PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
| IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
| ArrayToCSV | Converts a simple Array into a textual comma separated string. |
| ConvertTableToHTML | Converts a given array to an HTML table |
| SetDateField | Sets a custom incident field with current date. |
| JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
| GetInstances | Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor). |
| DumpJSON | Dumps a json from context key input, and returns a json object string result. |
| StopTimeToAssignOnOwnerChange | Stops the "Time To Assign" timer if the owner of the incident was changed. |
| GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
| checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
| BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
| GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
| CalculateEntropy | Calculates the entropy for the given data. |
| CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
| PrintContext | Pretty-print the contents of the playbook context. |
| GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
| DisplayHTML | Display HTML in the War Room. |
| EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
| ExifRead | Read image files metadata and provide Exif tags. |
| CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
| PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}. |
| VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
| AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
| IncidentFields | Returns a dict of all incident fields that exist in the system. |
| GetTime | Retrieves the current date and time. |
| PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
| GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident. |
| commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
| EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
| ContentPackInstaller | Content packs installer from marketplace. |
| CreateArray | Will create an array object in context from given string input |
| Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom. |
| ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
| URLNumberOfAds | Fetches the numbers of ads in the given url. |
Incident Fields
| Name | Description |
|---|---|
Size - turnover | |
Where is data hosted | |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Telephone no. | |
Account information breached | Is account information breached |
Contact Email address | |
Company Address | |
Company Name | |
Financial information breached | Is financial information breached |
Secretary Notification | |
Contact Address | |
Unique identification number breached | Is unique identification number breached |
Postal Code | |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
State CISO Notification | |
Data Encryption Status | |
Company City | |
PII Data Type | |
Company Postal Code | |
DPO Notification | |
Resident Notification Option | |
Approximate number of affected data subjects | |
Is the Data Subject to DPIA | |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
E-mail Address | |
Malicious Cause (If the cause is a malicious attack) | |
Country where the breach took place | |
Media Notification | The status of the media notification |
Attorney General Notification | |
Individuals Notification | |
Contact Name | |
Affected Data Type | |
Contact Telephone number | |
State where the breach took place | |
Affected Individuals Contact Information | |
DPO E-mail Address | |
Residents Email Address | |
Sector of Affected Party | |
Breach Confirmation | Is the DPO confirm the breach |
Health insurance breached | Is health insurance breached |
Management Notification | |
Size - number of employees | |
Possible Cause of the Breach | |
Medical Information breached | Is Medical Information breached |
Date/time of the breach | |
Unique biometric data breached | Is unique biometric data breached |
Consumer Reporting Agencies Notification | |
Company Country | |
Other PII data breached | Is other PII data breached |
Company has Insurance for the Breach | |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
Lists
| Name | Description |
|---|---|
PrivateIPs | |
InternalDomains |
Automations
| Name | Description |
|---|---|
| CertificateExtract | Extract fields from a certificate file and return the standard context. |
| GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
| ContextGetIps | Gets all IP addresses in context, excluding ones given. |
| ToTable | Convert an array to a nice table display. Usually, from the context. |
| ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
| Sleep | Sleep for X seconds. |
| UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
| CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
| ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
| SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
| ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
| ContextGetEmails | Gets all email addresses in context, excluding ones given. |
| GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
| IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
| GenerateRandomUUID | Generates a random UUID (UUID 4). |
| GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
| PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
| http | Sends http request. Returns the response as json. |
| listExecutedCommands | Lists executed commands in War Room |
| DecodeMimeHeader | Decode MIME base64 headers. |
| isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
| ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
| JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
| PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}. |
| IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
AlertAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
| ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
ExportAlertsToCSV | This automation uses the Core REST API Integration to batch export Alerts to CSV and return the resulting CSV file to the war room. |
| FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
| CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
CommandLineAnalysis | This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. |
| CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
| ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
| SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
| GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
| hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
hideFieldsOnNewAlert | When you apply this script to an alert field, that alert field is hidden for new alerts, and it displays in edit mode. |
| PrintToParentIncident | Prints a value to the parent incident's war-room of the current alert. |
| AnalyzeTimestampIntervals | Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps. |
| LoadJSONFileToContext | Loads a JSON file from the war room to context. |
| ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
| SetDateField | Sets a custom incident field with current date. |
| ExifRead | Read image files metadata and provide Exif tags. |
| AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
| ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
| StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
| IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
| ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
| PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
| MITRENameByID_Formatter | Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data). |
| ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
| CheckSenderDomainDistance | Get the string distance for the sender from our domain. |
| UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
| TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
| ArrayToCSV | Converts a simple Array into a textual comma separated string. |
| DisplayHTMLWithImages | Display HTML with embedded images. |
| ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
ExposeAlertOwner | Expose the alert owner into AlertOwner context key |
| LessThanPercentage | Checks if one percentage is less than another |
| FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
| ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
| ExportToCSV | Export given array to csv file. |
| StringReplace | Replaces regex match/es in string. |
Prints text to war room (Markdown supported) | |
| FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
| GetLicenseID | Returns the license ID. |
| HTTPListRedirects | List the redirects for a given URL. |
| CompareLists | Compare two lists and put the differences in context. |
| OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
| GetByIncidentId | Gets a value from the specified incident's context. |
GetByAlertId | Gets a value from the specified alert's context. |
| EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
| ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
| ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
| DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at:
|
| ConvertTableToHTML | Converts a given array to an HTML table |
| ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
| URLSSLVerification | Verify URL SSL certificate. |
| GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
| SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
SearchAlertsV2 | Searches Demisto alerts. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
| ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
| IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
| BMCTool | Parse RDP bitmap cache data into a single collage image file. |
| ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
| CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
CopyNotesToAlert | Copy all entries marked as notes from current alert to another alert. |
| StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
| Base64EncodeV2 | Encodes an input to Base64 format. |
| NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| VerifyValidIP | Verifies if the given input contains valid IP addresses (IPv4 or IPv6). |
| LoadJSON | Loads a json from string input, and returns a json object result. |
| EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
| GetListRow | Parses a list by header and value. |
| PrintContext | Pretty-print the contents of the playbook context. |
| LanguageDetect | Language detection based on Google's language-detection. |
| CalculateEntropy | Calculates the entropy for the given data. |
| ExecuteCommandAt | A wrapper script for the executeCommandAt command to be used in playbooks or the war-room. |
| commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
| IsPDFFileEncrypted | Checks whether the PDF file is encrypted. |
| GetServerURL | Get the Server URL. |
| Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom. |
| CalculateTimeDifference | Calculate the time difference, in minutes. |
| JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
| AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
| FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
displayMappedFields | Display the mapped fields in a dynamic-section. |
| ConvertXmlToJson | Converts XML string to JSON format |
| ContextContains | This script searches for a value in a context path. |
| PrintToAlert | Prints a value to the specified alert's war-room. The alert must be in status "Under Investigation". |
| URLNumberOfAds | Fetches the numbers of ads in the given url. |
| CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
| ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString. |
| GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
| IncidentFields | Returns a dict of all incident fields that exist in the system. |
AlertFields | Returns a dict of all alert fields that exist in the system. |
| StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
| emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
| SearchIndicator | Searches Cortex Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
| PrintErrorEntry | Prints an error entry with a given message. |
| IsListExist | Check if list exist in demisto lists. |
| AssignToMeButton | Assigns the current Incident to the Cortex user who clicked the button. |
| ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
| VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
| ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
| ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
| EmailReputation | A context script for Email entities. |
WordTokenizer | Deprecated. Use DBotPreProcessTextData instead. |
| findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
findAlertsWithIndicator | Lookup alerts with specified indicator. Use currentAlertId to omit the existing alert from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
| CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
| ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
| IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
| PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
| MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag. |
| Dig | DNS lookup utility to provide 'A' and 'PTR' record. |
| UnEscapeIPs | Remove escaping chars from IP |
| AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
| AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
| BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
| MapValues | Map the given values to the translated values. If given values: a,b,c, and translated: 1,2,3, then the input will return 1. |
| IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
| ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
| MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
| ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
| ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
| GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
| PFXAnalyzer | This script is designed to analyze a PFX (Personal Information Exchange) file for various suspicious or noteworthy characteristics from a security perspective. |
| GenerateSummaryReports | Generate report summaries for the passed incidents. |
| SetIndicatorGridField | This script updates an indicator's grid field in Cortex with provided row data. You can input the rows directly or extract them from the context. |
| checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
| ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
| RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| enrich_exclude_button | This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise. |
| ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s). |
| GetDomainDNSDetails | Returns DNS details for a domain. |
| ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
| EvaluateContextValue | The script is for use with GenericPolling, which checks the completion condition. It uses a DT to retrieve a value from the context data and evaluates it using another DT. |
| ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
| MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
| TimeStampCompare | Compares a single timestamp to a list of timestamps. |
| NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
| ParseYAML | Parses a YAML string into context. |
| GetInstances | Returns integration instances configured in Cortex. You can filter by instance status and/or brand name (vendor). |
| Ping | Pings an IP or url address, to verify it's up. Note - On Cortex and Cortex XSIAM, the script can run only on a custom engine. |
| DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
| EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
| MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
| DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
| GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
| ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
ShowAlertIndicators | This script is used to display the indicators of an alert in an alert field of type Array. It can be used to select indicators from the alert in order to later perform some actions, like tagging the indicators for blocking via EDL. |
| TextFromHTML | Extract regular text from the given HTML. |
| displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
| SetMultipleValues | Set multiple keys/values to the context. |
| PublishEntriesToContext | Publish entries to incident's context |
| RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
| IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
| IPToHost | Try to get the hostname correlated with the input IP. |
| IsTrue | Check if a given value is true. Will return 'no' otherwise |
| RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key. |
| ConvertXmlFileToJson | Converts XML file entry to JSON format |
| PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
| SetGridField | Creates a Grid table from items or key-value pairs. |
| FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
| EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII). |
| CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
| SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
| CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
| ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
| ZipFile | Zip a file and upload to war room. |
| GenerateRandomString | Generates random string. |
| CreateArray | Will create an array object in context from given string input |
| DomainReputation | A context script for Domain entities. |
| cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
| ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
| IPNetwork | Gather information regarding CIDR - |
| GetEntries | Collect entries matching to the conditions in the war room. |
| CheckPDFEncryptionAndValidity | Returns wether a PDF is both valid and encrypted. |
| VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
| IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex). |
| GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
| VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
| CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
| MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
| ContentPackInstaller | Content packs installer from marketplace. |
| IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
| PortListenCheck | Checks whether a port was open on given host. |
| DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
| DownloadAndArchivePythonLibrary | The script downloads a Python library using PIP, archives it, and returns the file to the war room. |
| cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
| ZipStrings | Joins values from two lists by index according to a given format. |
| GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
| PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections. |
| SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| Base64Encode | Will encode an input using Base64 format. |
| Set | Set a value in context under the key you entered. |
| ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
| SearchIncidentsSummary | Searches Cortex Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
SearchAlertsSummary | Searches Cortex Alerts and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchAlertsV2 from the Common Scripts pack, but more efficient. |
| StringLength | Returns the length of the string passed as argument |
| EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
| HttpV2 | Sends a HTTP request with advanced capabilities. |
| PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
| GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
| ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
| ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context. |
| ShowScheduledEntries | Show all scheduled entries for specific incident. |
| FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
| GetEnabledInstances | Gets all currently enabled integration instances. |
| ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
| UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
| LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
| GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident. |
| RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
| ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
| SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
| ReadFile | Load the contents of a file into context. |
| BreachConfirmationHTML | |
| IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
| AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
| ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
| FindSimilarIncidents | Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
FindSimilarAlerts | Deprecated. Use DBotFindSimilarAlerts instead. Finds similar alerts by common alert keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
| IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
| PrintToIncident | Prints a value to the specified incident's war-room. |
| CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
| SetWithTemplate | Set a value built by a template in context under the key you entered. |
| CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
CompareAlertsLabels | Compares the labels of two alerts. Returns the labels that are unique to each alert. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
| VerifyCIDR | Verify that the CIDRs are valid. |
| ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
| ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
| GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
GetFieldsByAlertType | Returns the alert field names associated to the specified alert type. |
| CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists:
Note: Sending emails require an active Mail Sender integration instance. |
| URLReputation | A context script for URL entities. |
| CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
| GetTime | Retrieves the current date and time. |
| CountArraySize | Count an array size |
| IsValueInArray | Indicates whether a given value is a member of given array |
| SetTime | Fill the current time in a custom incident field. |
| IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
IncreaseAlertSeverity | Optionally increases the alert severity to the new value if it is greater than the existing severity. |
| FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
| AssignAnalystToIncident | Assign analyst to incident. |
| FileReputation | A context script for hash entities. |
| AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
| ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
| DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
DBotClosedAlertsPercentage | Data output script for populating dashboard pie graph widget with the percentage of alerts closed by DBot vs. alerts closed by analysts. |
| SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
SetByAlertId | Works the same as the 'Set' command, but can work across alerts by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
| JSONDiff | compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format. |
| ShowLocationOnMap | Show indicator geo location on map. |
| CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
| DumpJSON | Dumps a json from context key input, and returns a json object string result. |
| IPReputation | A context script for IP entities. |
| HTMLtoMD | Converts HTML to Markdown. |
| DisplayHTML | Display HTML in the War Room. |
| UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
| Strings | Extract strings from a file with optional filter - similar to binutils strings command. |
Incident Fields
| Name | Description |
|---|---|
Affected Data Type | |
Company Postal Code | |
Size - turnover | |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
Telephone no. | |
Company City | |
Financial information breached | Is financial information breached |
Where is data hosted | |
Contact Email address | |
Data Encryption Status | |
Attorney General Notification | |
Unique identification number breached | Is unique identification number breached |
Breach Confirmation | Is the DPO confirm the breach |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
Approximate number of affected data subjects | |
Residents Email Address | |
Consumer Reporting Agencies Notification | |
E-mail Address | |
Resident Notification Option | |
Affected Individuals Contact Information | |
DPO Notification | |
Company has Insurance for the Breach | |
Contact Address | |
Secretary Notification | |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
DPO E-mail Address | |
Postal Code | |
State CISO Notification | |
Unique biometric data breached | Is unique biometric data breached |
Contact Telephone number | |
Management Notification | |
Company Address | |
Contact Name | |
Company Name | |
Medical Information breached | Is Medical Information breached |
PII Data Type | |
Media Notification | The status of the media notification |
State where the breach took place | |
Size - number of employees | |
Other PII data breached | Is other PII data breached |
Possible Cause of the Breach | |
Sector of Affected Party | |
Individuals Notification | |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
Is the Data Subject to DPIA | |
Account information breached | Is account information breached |
Malicious Cause (If the cause is a malicious attack) | |
Health insurance breached | Is health insurance breached |
Lists
| Name | Description |
|---|---|
PrivateIPs |
Required Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
Optional Content Packs (15)
| Pack Name | Pack By |
|---|---|
| US - Breach Notification | By: Cortex XSOAR |
| Brute Force | By: Cortex XSOAR |
| Elasticsearch | By: Cortex XSOAR |
| MITRE ATT&CK | By: Cortex XSOAR |
| GDPR | By: Cortex XSOAR |
| Gmail | By: Cortex XSOAR |
| Gmail Single User | By: Cortex XSOAR |
| HIPAA - Breach Notification | By: Cortex XSOAR |
| IBM Security QRadar SOAR | By: Cortex XSOAR |
| Mail Sender (New) | By: Cortex XSOAR |
| Microsoft Graph Mail | By: Cortex XSOAR |
| ProtectWise | By: Cortex XSOAR |
| Remote Access | By: Cortex XSOAR |
| Shodan | By: Cortex XSOAR |
| Sumo Logic | By: Cortex XSOAR |
All level dependencies (3)
| Pack Name | Pack By |
|---|---|
| Cortex REST API | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
| Aggregated Scripts | By: Cortex XSOAR |
1.22.14 - 9383878 (May 26, 2026)
1.22.11 - 8994397 (May 13, 2026)
- 44128
Download
Scripts
ServerLogs
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FilterByList
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DomainReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SendEmailOnSLABreach
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsDomainInternal
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerifyValidIP
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LookupCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FormatURL
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetDateField
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
StopTimeToAssignOnOwnerChange
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
HttpV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LinkIncidentsWithRetry
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IPNetwork
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrintContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetInstances
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
BMCTool
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
Strings
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IPReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GenerateAsBuiltConfiguration
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
cvss_color
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
JSONDiff
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ChangeRemediationSLAOnSevChange
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LoadJSON
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
displayMappedFields
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ZipStrings
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
URLReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetTime
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetListRow
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ChangeContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ReadFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetEntries
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CreateHash
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ParseYAML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MITRENameByID_Formatter
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CompareLists
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IPToHost
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrintRaw
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DemistoVersion
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
EmailReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FileReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LinkIncidentsButton
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsIPPrivate
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ContextContains
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DumpJSON
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerdictResult
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ParseCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsListExist
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
- 44128
Download
1.22.6 - 8668717 (May 3, 2026)
- 44120
Download
Scripts
DownloadAndArchivePythonLibrary
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExtractDomainAndFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
- 44120
Download
1.22.5 - 8624674 (April 30, 2026)
- 43930
Download
Scripts
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.8416510.
UnzipFile
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- Updated the Docker image to: demisto/unzip:1.0.0.8160132.
DisplayHTMLWithImages
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- Updated the Docker image to: demisto/python3:3.12.13.8319994.
displayMappedFields
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- Updated the Docker image to: demisto/python3:3.12.13.8319994.
ExtractHyperlinksFromOfficeFiles
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- 43930
Download
1.21.9 - 8417408 (April 23, 2026)
- 43415
Download
Scripts
ParseEmailFilesV2
- Added a new context output Email.HTMLUnescape, which provides the HTML body with special characters (such as &) converted into HTML entities to improve indicator extraction accuracy.
- Updated the Docker image to: demisto/parse-emails:0.1.48.8231046.
- 43415
Download
1.21.4 - 8009783 (March 30, 2026)
1.20.78 - 7154617 (February 15, 2026)
- 43011
Download
Scripts
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
- 43011
Download
1.20.75 - 6936977 (January 29, 2026)
1.20.67 - 6565142 (January 5, 2026)
- 42527
Download
Scripts
SSDeepReputation
- Fixed an issue where the script could fail when processing investigation data in certain formats.
StixCreator
- Fixed an issue where software indicators were not exported when clicking on the export indicators button in the Cortex tenant, resulting in blank files or missing indicators in mixed exports.
ParseEmailFilesV2
- Fixed an issue where embedded EML attachments with base64 encoding were being double-decoded, causing parsing failures.
- Updated the Docker image to: demisto/parse-emails:0.1.48.6539219.
- 42527
Download
1.20.54 - 6238358 (December 11, 2025)
- 42247
Download
Scripts
displayMappedFields
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SetDateField
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
JSONDiff
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ParseCSV
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IsDomainInternal
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GenerateAsBuiltConfiguration
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
BMCTool
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CompareLists
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
LinkIncidentsWithRetry
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ParseYAML
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
DemistoVersion
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SendEmailOnSLABreach
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
LookupCSV
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
FilterByList
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IPToHost
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ContextContains
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IsIPPrivate
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
HttpV2
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
- 42247
Download
1.20.52 - 6204767 (December 9, 2025)
- 42194
- 41575
Download
Scripts
New: EvaluateContextValue
- New: Added a new script- EvaluateContextValue that The script is for use with GenericPolling, which checks the completion condition. It uses a DT to retrieve a value from the context data and evaluates it using another DT.
(Available from Cortex XSOAR 6.10.0).
- 42194
- 41575
Download
1.20.44 - 6025169 (November 26, 2025)
- 41949
Download
Scripts
LinkIncidentsButton
- Updated the LinkIncidentsButton script to be supported only in Cortex XSOAR.
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CloseInvestigationAsDuplicate
- Updated the CloseInvestigationAsDuplicate script to be supported only in Cortex XSOAR.
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
- 41949
Download
1.20.42 - R5949376 (November 20, 2025)
- 41956
Download
Scripts
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
DownloadAndArchivePythonLibrary
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.5493115.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
CertificateExtract
- Updated the Docker image to: demisto/crypto:1.0.0.5490413.
PFXAnalyzer
- Updated the Docker image to: demisto/crypto:1.0.0.5490413.
- 41956
Download
1.20.32 - 5717993 (November 3, 2025)
- 41760
Download
Scripts
VerifyValidIP
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
StopTimeToAssignOnOwnerChange
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetTime
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintContext
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DumpJSON
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CommandLineAnalysis
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
VerdictResult
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ReadFile
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ServerLogs
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CreateHash
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ZipStrings
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ChangeContext
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
cvss_color
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
URLReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IPNetwork
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FileReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
EmailReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetInstances
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ChangeRemediationSLAOnSevChange
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MITRENameByID_Formatter
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FormatURL
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
LoadJSON
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintRaw
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetEntries
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetListRow
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DomainReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IPReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
Strings
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IsListExist
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
- 41760
Download
1.20.27 - 5610417 (October 28, 2025)
1.20.16 - 5038087 (September 23, 2025)
- 41157
- 41197
- 41180
- 41095
- 41161
- 41115
- 41165
- 41199
- 41190
- 41185
- 41203
- 41152
- 41201
- 41144
- 41131
- 41202
- 41209
- 41224
- 41198
- 40922
- 40712
- 41227
- 41200
- 41100
- 40927
- 41226
- 40900
- 41234
- 41030
- 41106
- 41235
- 41217
- 40533
- 41193
- 41103
- 41228
- 41243
- 40912
- 41252
- 41250
- 41262
- 41059
- 41237
- 41236
- 41231
- 41241
Download
Changes are not relevant for XSOAR marketplace.
- 41157
- 41197
- 41180
- 41095
- 41161
- 41115
- 41165
- 41199
- 41190
- 41185
- 41203
- 41152
- 41201
- 41144
- 41131
- 41202
- 41209
- 41224
- 41198
- 40922
- 40712
- 41227
- 41200
- 41100
- 40927
- 41226
- 40900
- 41234
- 41030
- 41106
- 41235
- 41217
- 40533
- 41193
- 41103
- 41228
- 41243
- 40912
- 41252
- 41250
- 41262
- 41059
- 41237
- 41236
- 41231
- 41241
Download
1.20.14 - 4874171 (September 14, 2025)
1.20.8 - 4669908 (August 27, 2025)
- 41087
Download
Common Scripts
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
Scripts
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
- 41087
Download
1.20.4 - 4633304 (August 24, 2025)
- 41035
Download
Scripts
CalculateTimeDifference
- Fixed an issue in CalculateTimeDifference automation, where the raw response value was not compatible with previous versions.
GetIndicatorDBotScoreFromCache
- Fixed an issue in GetIndicatorDBotScoreFromCache automation, where the raw response value was not compatible with previous versions.
GetServerURL
- Fixed an issue in GetServerURL automation, where the raw response value was not compatible with previous versions.
SearchIndicator
- Fixed an issue in SearchIndicator automation, where the raw response value was not compatible with previous versions.
- 41035
Download
1.20.3 - 4608444 (August 21, 2025)
Changes are not relevant for XSOAR marketplace.
1.19.99 - 4492991 (August 11, 2025)
- 40880
Download
Scripts
MapValues
- Updated the MapValues script to issue an error if the
inputorvaluesarguments are objects.
GetServerURL
- Updated the GetServerURL script to use return_results instead of deprecated return_outputs.
- Updated the Docker image to: demisto/python3:3.12.11.4417419.
- 40880
Download
1.19.82 - 4121830 (July 10, 2025)
- 40523
Download
Incident Fields
Company has Insurance for the Breach
Documentation and metadata improvements.
Sector of Affected Party
Documentation and metadata improvements.
Company Name
Documentation and metadata improvements.
Breach Confirmation
Documentation and metadata improvements.
Resident Notification Option
Documentation and metadata improvements.
Where is data hosted
Documentation and metadata improvements.
Other PII data breached
Documentation and metadata improvements.
Management Notification
Documentation and metadata improvements.
Financial information breached
Documentation and metadata improvements.
Individuals Notification
Documentation and metadata improvements.
Affected Individuals Contact Information
Documentation and metadata improvements.
Unique identification number breached
Documentation and metadata improvements.
Affected Data Type
Documentation and metadata improvements.
Account information breached
Documentation and metadata improvements.
DPO E-mail Address
Documentation and metadata improvements.
Malicious Cause (If the cause is a malicious attack)
Documentation and metadata improvements.
Affected data
Documentation and metadata improvements.
Measures to Mitigate
Documentation and metadata improvements.
Contact Address
Documentation and metadata improvements.
Company Postal Code
Documentation and metadata improvements.
Contact Telephone number
Documentation and metadata improvements.
Country where business has its main establishment
Documentation and metadata improvements.
Secretary Notification
Documentation and metadata improvements.
State where the breach took place
Documentation and metadata improvements.
PII Data Type
Documentation and metadata improvements.
Company City
Documentation and metadata improvements.
Residents Email Address
Documentation and metadata improvements.
Likely Impact
Documentation and metadata improvements.
State CISO Notification
Documentation and metadata improvements.
Contact Name
Documentation and metadata improvements.
Consumer Reporting Agencies Notification
Documentation and metadata improvements.
Company Address
Documentation and metadata improvements.
Medical Information breached
Documentation and metadata improvements.
Postal Code
Documentation and metadata improvements.
Health insurance breached
Documentation and metadata improvements.
Size - turnover
Documentation and metadata improvements.
GDPR Notify Authorities
Documentation and metadata improvements.
DPO Notification
Documentation and metadata improvements.
Possible Cause of the Breach
Documentation and metadata improvements.
Approximate number of affected data subjects
Documentation and metadata improvements.
Contact Email address
Documentation and metadata improvements.
Unique biometric data breached
Documentation and metadata improvements.
Data Encryption Status
Documentation and metadata improvements.
Is the Data Subject to DPIA
Documentation and metadata improvements.
Size - number of employees
Documentation and metadata improvements.
Attorney General Notification
Documentation and metadata improvements.
E-mail Address
Documentation and metadata improvements.
Telephone no.
Documentation and metadata improvements.
Media Notification
Documentation and metadata improvements.
Lists
PrivateIPs
- Documentation and metadata improvements.
- 40523
Download
1.19.78 - 4029801 (July 1, 2025)
- 40431
Download
Scripts
SearchIncidentsV2
- Fixed an issue where the SearchIncidentsV2 script failed on a query with escape sequence character.
block-external-ip
- Moved block-external-ip script from CommonScripts to AggregatedScripts.
get-endpoint-data
- Moved get-endpoint-data script from CommonScripts to AggregatedScripts.
clear-user-session
- Moved clear-user-session script from CommonScripts to AggregatedScripts.
- 40431
Download
1.19.75 - 4010943 (June 30, 2025)
- 40394
Download
Scripts
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
- 40394
Download
1.19.72 - 3849419 (June 18, 2025)
- 40221
Download
Scripts
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ContextContains
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsDomainInternal
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LinkIncidentsButton
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CompareLists
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DemistoVersion
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetDateField
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LinkIncidentsWithRetry
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IPToHost
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
displayMappedFields
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
JSONDiff
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
HttpV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CalculateTimeDifference
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsIPPrivate
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
- 40221
Download
1.19.66 - 3617165 (June 3, 2025)
- 40133
Download
Scripts
Dig
- Updated the Docker image to: demisto/netutils:1.0.0.3562043.
JsonUnescape
- Updated the Docker image to: demisto/python3-deb:3.12.10.3561556.
ExportToXLSX
- Updated the Docker image to: demisto/xslxwriter:1.0.0.3451966.
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.3540678.
GetDomainDNSDetails
- Updated the Docker image to: demisto/netutils:1.0.0.3562043.
CertificateExtract
- Updated the Docker image to: demisto/crypto:1.0.0.3539024.
ConvertXmlFileToJson
- Updated the Docker image to: demisto/xml-feed:1.0.0.3540467.
Ping
- Updated the Docker image to: demisto/netutils:1.0.0.3562043.
AquatoneDiscoverV2
- Updated the Docker image to: demisto/aquatone:2.0.0.3557745.
- 40133
Download
1.22.14 - 9383878 (May 26, 2026)
1.22.11 - 8994397 (May 13, 2026)
- 44128
Download
Scripts
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FilterByList
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DomainReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerifyValidIP
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LookupCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FormatURL
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetDateField
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
HttpV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IPNetwork
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrintContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetInstances
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
BMCTool
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
Strings
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IPReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
cvss_color
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
JSONDiff
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
LoadJSON
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
displayMappedFields
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ZipStrings
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
URLReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetTime
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetListRow
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ChangeContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ReadFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetEntries
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CreateHash
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ParseYAML
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MITRENameByID_Formatter
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CompareLists
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IPToHost
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PrintRaw
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
EmailReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
FileReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ContextContains
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
DumpJSON
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
VerdictResult
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
ParseCSV
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
IsListExist
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.12.13.8428455.
- 44128
Download
1.22.6 - 8668717 (May 3, 2026)
- 44120
Download
Scripts
DownloadAndArchivePythonLibrary
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExtractDomainAndFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.8544956.
- 44120
Download
1.22.5 - 8624674 (April 30, 2026)
- 43930
Download
Scripts
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.8416510.
UnzipFile
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- Updated the Docker image to: demisto/unzip:1.0.0.8160132.
DisplayHTMLWithImages
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- Updated the Docker image to: demisto/python3:3.12.13.8319994.
displayMappedFields
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- Updated the Docker image to: demisto/python3:3.12.13.8319994.
ExtractHyperlinksFromOfficeFiles
- Updated the documentation and metadata.
- Maintenance and stability improvements.
- 43930
Download
1.21.9 - 8417408 (April 23, 2026)
- 43415
Download
Scripts
ParseEmailFilesV2
- Added a new context output Email.HTMLUnescape, which provides the HTML body with special characters (such as &) converted into HTML entities to improve indicator extraction accuracy.
- Updated the Docker image to: demisto/parse-emails:0.1.48.8231046.
- 43415
Download
1.21.4 - 8009783 (March 30, 2026)
1.20.78 - 7154617 (February 15, 2026)
- 43011
Download
Scripts
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.7091443.
- 43011
Download
1.20.75 - 6936977 (January 29, 2026)
1.20.67 - 6565142 (January 5, 2026)
- 42527
Download
Scripts
SSDeepReputation
- Fixed an issue where the script could fail when processing investigation data in certain formats.
StixCreator
- Fixed an issue where software indicators were not exported when clicking on the export indicators button in the Cortex tenant, resulting in blank files or missing indicators in mixed exports.
ParseEmailFilesV2
- Fixed an issue where embedded EML attachments with base64 encoding were being double-decoded, causing parsing failures.
- Updated the Docker image to: demisto/parse-emails:0.1.48.6539219.
- 42527
Download
1.20.54 - 6238358 (December 11, 2025)
- 42247
Download
Scripts
displayMappedFields
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SetDateField
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
JSONDiff
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ParseCSV
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
BMCTool
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CompareLists
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ParseYAML
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
LookupCSV
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
FilterByList
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IPToHost
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
ContextContains
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
HttpV2
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.12.12.6204436.
- 42247
Download
1.20.52 - 6204767 (December 9, 2025)
- 42194
- 41575
Download
Scripts
New: EvaluateContextValue
- New: Added a new script- EvaluateContextValue that The script is for use with GenericPolling, which checks the completion condition. It uses a DT to retrieve a value from the context data and evaluates it using another DT.
(Available from Cortex XSIAM 2.4).
- 42194
- 41575
Download
1.20.42 - R5949376 (November 20, 2025)
- 41956
Download
Scripts
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
DownloadAndArchivePythonLibrary
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.5493115.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.
CertificateExtract
- Updated the Docker image to: demisto/crypto:1.0.0.5490413.
PFXAnalyzer
- Updated the Docker image to: demisto/crypto:1.0.0.5490413.
- 41956
Download
1.20.32 - 5717993 (November 3, 2025)
- 41760
Download
Scripts
VerifyValidIP
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintToParentIncident
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetTime
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintContext
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DumpJSON
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CommandLineAnalysis
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
VerdictResult
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ReadFile
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CreateHash
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ZipStrings
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ChangeContext
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
cvss_color
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
URLReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IPNetwork
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FileReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintToAlert
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
EmailReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetInstances
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
MITRENameByID_Formatter
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FormatURL
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
LoadJSON
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintRaw
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetEntries
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetListRow
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
DomainReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PrintToIncident
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IPReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
Strings
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
IsListExist
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.12.12.5490952.
- 41760
Download
1.20.27 - 5610417 (October 28, 2025)
1.20.16 - 5038087 (September 23, 2025)
- 41157
- 41197
- 41180
- 41095
- 41161
- 41115
- 41165
- 41199
- 41190
- 41185
- 41203
- 41152
- 41201
- 41144
- 41131
- 41202
- 41209
- 41224
- 41198
- 40922
- 40712
- 41227
- 41200
- 41100
- 40927
- 41226
- 40900
- 41234
- 41030
- 41106
- 41235
- 41217
- 40533
- 41193
- 41103
- 41228
- 41243
- 40912
- 41252
- 41250
- 41262
- 41059
- 41237
- 41236
- 41231
- 41241
Download
Changes are not relevant for XSIAM marketplace.
- 41157
- 41197
- 41180
- 41095
- 41161
- 41115
- 41165
- 41199
- 41190
- 41185
- 41203
- 41152
- 41201
- 41144
- 41131
- 41202
- 41209
- 41224
- 41198
- 40922
- 40712
- 41227
- 41200
- 41100
- 40927
- 41226
- 40900
- 41234
- 41030
- 41106
- 41235
- 41217
- 40533
- 41193
- 41103
- 41228
- 41243
- 40912
- 41252
- 41250
- 41262
- 41059
- 41237
- 41236
- 41231
- 41241
Download
1.20.14 - 4874171 (September 14, 2025)
1.20.8 - 4669908 (August 27, 2025)
- 41087
Download
Common Scripts
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
Scripts
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.4655756.
- 41087
Download
1.20.4 - 4633304 (August 24, 2025)
- 41035
Download
Scripts
CalculateTimeDifference
- Fixed an issue in CalculateTimeDifference automation, where the raw response value was not compatible with previous versions.
GetIndicatorDBotScoreFromCache
- Fixed an issue in GetIndicatorDBotScoreFromCache automation, where the raw response value was not compatible with previous versions.
GetServerURL
- Fixed an issue in GetServerURL automation, where the raw response value was not compatible with previous versions.
SearchIndicator
- Fixed an issue in SearchIndicator automation, where the raw response value was not compatible with previous versions.
- 41035
Download
1.20.3 - 4608444 (August 21, 2025)
Changes are not relevant for XSIAM marketplace.
1.19.99 - 4492991 (August 11, 2025)
- 40880
Download
Scripts
MapValues
- Updated the MapValues script to issue an error if the
inputorvaluesarguments are objects.
GetServerURL
- Updated the GetServerURL script to use return_results instead of deprecated return_outputs.
- Updated the Docker image to: demisto/python3:3.12.11.4417419.
- 40880
Download
1.19.82 - 4118212 (July 9, 2025)
- 40523
Download
Incident Fields
Company has Insurance for the Breach
Documentation and metadata improvements.
Sector of Affected Party
Documentation and metadata improvements.
Company Name
Documentation and metadata improvements.
Breach Confirmation
Documentation and metadata improvements.
Resident Notification Option
Documentation and metadata improvements.
Where is data hosted
Documentation and metadata improvements.
Other PII data breached
Documentation and metadata improvements.
Management Notification
Documentation and metadata improvements.
Financial information breached
Documentation and metadata improvements.
Individuals Notification
Documentation and metadata improvements.
Affected Individuals Contact Information
Documentation and metadata improvements.
Unique identification number breached
Documentation and metadata improvements.
Affected Data Type
Documentation and metadata improvements.
Account information breached
Documentation and metadata improvements.
DPO E-mail Address
Documentation and metadata improvements.
Malicious Cause (If the cause is a malicious attack)
Documentation and metadata improvements.
Affected data
Documentation and metadata improvements.
Measures to Mitigate
Documentation and metadata improvements.
Contact Address
Documentation and metadata improvements.
Company Postal Code
Documentation and metadata improvements.
Contact Telephone number
Documentation and metadata improvements.
Country where business has its main establishment
Documentation and metadata improvements.
Secretary Notification
Documentation and metadata improvements.
State where the breach took place
Documentation and metadata improvements.
PII Data Type
Documentation and metadata improvements.
Company City
Documentation and metadata improvements.
Residents Email Address
Documentation and metadata improvements.
Likely Impact
Documentation and metadata improvements.
State CISO Notification
Documentation and metadata improvements.
Contact Name
Documentation and metadata improvements.
Consumer Reporting Agencies Notification
Documentation and metadata improvements.
Company Address
Documentation and metadata improvements.
Medical Information breached
Documentation and metadata improvements.
Postal Code
Documentation and metadata improvements.
Health insurance breached
Documentation and metadata improvements.
Size - turnover
Documentation and metadata improvements.
GDPR Notify Authorities
Documentation and metadata improvements.
DPO Notification
Documentation and metadata improvements.
Possible Cause of the Breach
Documentation and metadata improvements.
Approximate number of affected data subjects
Documentation and metadata improvements.
Contact Email address
Documentation and metadata improvements.
Unique biometric data breached
Documentation and metadata improvements.
Data Encryption Status
Documentation and metadata improvements.
Is the Data Subject to DPIA
Documentation and metadata improvements.
Size - number of employees
Documentation and metadata improvements.
Attorney General Notification
Documentation and metadata improvements.
E-mail Address
Documentation and metadata improvements.
Telephone no.
Documentation and metadata improvements.
Media Notification
Documentation and metadata improvements.
Lists
PrivateIPs
- Documentation and metadata improvements.
- 40523
Download
1.19.78 - 4029801 (July 1, 2025)
- 40431
Download
Scripts
SearchIncidentsV2
- Fixed an issue where the SearchIncidentsV2 script failed on a query with escape sequence character.
block-external-ip
- Moved block-external-ip script from CommonScripts to AggregatedScripts.
get-endpoint-data
- Moved get-endpoint-data script from CommonScripts to AggregatedScripts.
clear-user-session
- Moved clear-user-session script from CommonScripts to AggregatedScripts.
- 40431
Download
1.19.75 - 4010943 (June 30, 2025)
- 40394
Download
Scripts
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.3998874.
- 40394
Download
1.19.72 - 3849419 (June 18, 2025)
- 40221
Download
Scripts
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ContextContains
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LinkIncidentsButton
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CompareLists
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetDateField
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IPToHost
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
displayMappedFields
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
JSONDiff
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
HttpV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CalculateTimeDifference
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
- 40221
Download
1.19.66 - 3617165 (June 3, 2025)
- 40133
Download
Scripts
Dig
- Updated the Docker image to: demisto/netutils:1.0.0.3562043.
JsonUnescape
- Updated the Docker image to: demisto/python3-deb:3.12.10.3561556.
ExportToXLSX
- Updated the Docker image to: demisto/xslxwriter:1.0.0.3451966.
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.3540678.
GetDomainDNSDetails
- Updated the Docker image to: demisto/netutils:1.0.0.3562043.
CertificateExtract
- Updated the Docker image to: demisto/crypto:1.0.0.3539024.
ConvertXmlFileToJson
- Updated the Docker image to: demisto/xml-feed:1.0.0.3540467.
Ping
- Updated the Docker image to: demisto/netutils:1.0.0.3562043.
AquatoneDiscoverV2
- Updated the Docker image to: demisto/aquatone:2.0.0.3557745.
- 40133
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | July 27, 2020 | |
| Last Release | May 26, 2026 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
