Pack Contributors:
- barpec12
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Frequently used scripts pack.
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Name | Description |
---|---|
GetByIncidentId | Gets a value from the specified incident's context. |
ContextContains | This script searches for a value in a context path. |
ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s). |
GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
IsValueInArray | Indicates whether a given value is a member of given array |
ArrayToCSV | Converts a simple Array into a textual comma separated string |
SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
CalculateTimeDifference | Calculate the time difference, in minutes |
GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
CheckSenderDomainDistance | Get the string distance for the sender from our domain |
ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
GetEntries | Collect entries matching to the conditions in the war room. |
IPReputation | A context script for IP entities. |
ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
ContentPackInstaller | Content packs installer from marketplace. |
emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
SetTime | Fill the current time in a custom incident field |
RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString |
GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
ParseYAML | Parses a YAML string into context. |
DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
GenerateRandomUUID | Generates a random UUID (UUID 4). |
GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
IncidentFields | Returns a dict of all incident fields that exist in the system. |
FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
GenerateRandomString | Generates random string |
StringLength | Returns the length of the string passed as argument |
AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
SetGridField | Creates a Grid table from items or key-value pairs. |
UnEscapeIPs | Remove escaping chars from IP |
LinkIncidentsWithRetry | Use this script to avoid DB version errors when simultaneously running multiple linked incidents. |
CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
VerifyCIDR | Verify that the CIDRs are valid. |
StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag |
SendEmailOnSLABreach | Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. |
GetDomainDNSDetails | Returns DNS details for a domain. |
AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
PortListenCheck | Checks whether a port was open on given host. |
GenerateSummaryReports | Generate report summaries for the passed incidents. |
AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
GetListRow | Parses a list by header and value. |
GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
FindSimilarIncidents | Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
Base64Encode | Will encode an input using Base64 format. |
FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
Ping | Pings an IP or url address, to verify it's up. Note - On Cortex XSOAR 8 and Cortex XSIAM, the script can run only on a custom engine. |
CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
ServerLogs_docker | Uses the ssh integration to grab the host server logs. |
GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
ZipStrings | Joins values from two lists by index according to a given format. |
ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
SetIndicatorGridField | This script updates an indicator's grid field in Cortex XSOAR with provided row data. You can input the rows directly or extract them from the context. |
DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at:
|
get-endpoint-data | This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context. |
ExifRead | Read image files metadata and provide Exif tags. |
MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
ChangeRemediationSLAOnSevChange | Changes the remediation SLA once a change in incident severity occurs. |
FileReputation | A context script for hash entities. |
FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
PrintErrorEntry | Prints an error entry with a given message. |
VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
ExportToCSV | Export given array to csv file. |
IsListExist | Check if list exist in demisto lists. |
GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
HTTPListRedirects | List the redirects for a given URL |
ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
Dig | DNS lookup utility to provide 'A' and 'PTR' record. |
ConvertXmlToJson | Converts XML string to JSON format |
Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom |
IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
BreachConfirmationHTML | |
ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
CreateArray | Will create an array object in context from given string input |
LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident |
RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
ShowLocationOnMap | Show indicator geo location on map. |
http | Sends http request. Returns the response as json. |
ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
IsTrue | Check if a given value is true. Will return 'no' otherwise |
DecodeMimeHeader | Decode MIME base64 headers. |
IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
Prints text to war room (Markdown supported) | |
SearchIndicator | Searches Cortex XSOAR Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
URLReputation | A context script for URL entities. |
displayMappedFields | Display the mapped fields in a dynamic-section. |
AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
WordTokenizer | Deprecated. Use DBotPreProcessTextData instead. |
StringReplace | Replaces regex match/es in string. |
PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
ShowScheduledEntries | Show all scheduled entries for specific incident. |
LessThanPercentage | Checks if one percentage is less than another |
IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
HTMLtoMD | Converts HTML to Markdown. |
JSONDiff | compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format. |
DisplayHTMLWithImages | Display HTML with embedded images. |
GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
TextFromHTML | Extract regular text from the given HTML. |
IsIPPrivate | The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs".
|
DisplayHTML | Display HTML in the War Room. |
IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
CertificateExtract | Extract fields from a certificate file and return the standard context. |
MITRENameByID_Formatter | Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data). |
SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
LanguageDetect | Language detection based on Google's language-detection. |
SearchIncidentsSummary | Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
Base64EncodeV2 | Encodes an input to Base64 format. |
IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
DownloadAndArchivePythonLibrary | The script downloads a Python library using PIP, archives it, and returns the file to the war room. |
ZipFile | Zip a file and upload to war room. |
ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
CompareLists | Compare two lists and put the differences in context. |
ServerLogs | Uses the ssh integration to grab the host server logs. |
PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
PrintContext | Pretty-print the contents of the playbook context. |
ConvertTableToHTML | Converts a given array to an HTML table |
ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
Set | Set a value in context under the key you entered. |
ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context. |
LoadJSONFileToContext | Loads a JSON file from the war room to context. |
RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key |
TimeStampCompare | Compares a single timestamp to a list of timestamps. |
ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
GetServerURL | Get the Server URL. |
URLNumberOfAds | Fetches the numbers of ads in the given url. |
CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
URLSSLVerification | Verify URL SSL certificate. |
CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
AssignAnalystToIncident | Assign analyst to incident. |
AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
StopTimeToAssignOnOwnerChange | Stops the "Time To Assign" timer if the owner of the incident was changed. |
ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident |
DumpJSON | Dumps a json from context key input, and returns a json object string result |
FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
clear-user-session | This script clears user sessions across multiple integrations for a list of usernames. |
GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
DemistoVersion | Return the Demisto server version. |
IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
SetWithTemplate | Set a value built by a template in context under the key you entered. |
IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0). |
ToTable | Convert an array to a nice table display. Usually, from the context. |
GetLicenseID | Returns the license ID. |
DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
CommandLineAnalysis | This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. |
findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
AssignToMeButton | Assigns the current Incident to the Cortex XSOAR user who clicked the button |
Sleep | Sleep for X seconds. |
ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
CalculateEntropy | Calculates the entropy for the given data. |
CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
ReadFile | Load the contents of a file into context. |
ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections |
CountArraySize | Count an array size |
ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
ContextGetEmails | Gets all email addresses in context, excluding ones given. |
MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
IsPDFFileEncrypted | Checks whether the PDF file is encrypted. |
get-user-data | This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. |
FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
SetMultipleValues | Set multiple keys/values to the context. |
HttpV2 | Sends a HTTP request with advanced capabilities. |
ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII) |
ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident} |
SetDateField | Sets a custom incident field with current date |
CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
GetTime | Retrieves the current date and time. |
MarkRelatedIncidents | Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
ContextGetIps | Gets all IP addresses in context, excluding ones given. |
PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
listExecutedCommands | Lists executed commands in War Room |
enrich_exclude_button | This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise. |
EmailReputation | A context script for Email entities. |
SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
PublishEntriesToContext | Publish entries to incident's context |
GetInstances | Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor). |
Strings | Extract strings from a file with optional filter - similar to binutils strings command |
UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
LoadJSON | Loads a json from string input, and returns a json object result. |
ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
GetEnabledInstances | Gets all currently enabled integration instances. |
BMCTool | Parse RDP bitmap cache data into a single collage image file. |
IPNetwork | Gather information regarding CIDR - |
CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Note: Sending emails require an active Mail Sender integration instance. |
ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
DomainReputation | A context script for Domain entities |
ConvertXmlFileToJson | Converts XML file entry to JSON format |
ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
GenerateAsBuiltConfiguration | Generate a JSON file that can be downloaded and used to create the As-Built document for Cortex XSOAR. |
ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
AnalyzeTimestampIntervals | Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps. |
IPToHost | Try to get the hostname correlated with the input IP. |
IsDomainInternal | The script takes one or more domain names and checks whether they're in the Cortex XSOAR list defined in the InternalDomainsListName argument. By default, the InternalDomainsListName argument will use the Cortex XSOAR list called "InternalDomains". |
Name | Description |
---|---|
Breach Confirmation | Is the DPO confirm the breach |
Telephone no. | |
Size - turnover | |
State where the breach took place | |
Individuals Notification | |
State CISO Notification | |
Unique identification number breached | Is unique identification number breached |
Where is data hosted | |
Resident Notification Option | |
Secretary Notification | |
PII Data Type | |
Health insurance breached | Is health insurance breached |
Management Notification | |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
Affected Individuals Contact Information | |
Company Name | |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
Contact Email address | |
Contact Telephone number | |
Account information breached | Is account information breached |
Attorney General Notification | |
Unique biometric data breached | Is unique biometric data breached |
Date/time of the breach | |
DPO Notification | |
Data Encryption Status | |
Affected Data Type | |
Company Address | |
Financial information breached | Is financial information breached |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Other PII data breached | Is other PII data breached |
Media Notification | The status of the media notification |
Postal Code | |
Contact Name | |
Company Postal Code | |
Country where the breach took place | |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
DPO E-mail Address | |
Consumer Reporting Agencies Notification | |
Company has Insurance for the Breach | |
Approximate number of affected data subjects | |
Is the Data Subject to DPIA | |
Sector of Affected Party | |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
Contact Address | |
Malicious Cause (If the cause is a malicious attack) | |
Company City | |
Company Country | |
Residents Email Address | |
E-mail Address | |
Possible Cause of the Breach | |
Medical Information breached | Is Medical Information breached |
Size - number of employees |
Name | Description |
---|---|
PrivateIPs | |
InternalDomains |
Name | Description |
---|---|
displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
findAlertsWithIndicator | Lookup alerts with specified indicator. Use currentAlertId to omit the existing alert from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
AssignToMeButton | Assigns the current Incident to the Cortex user who clicked the button |
SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
GetEnabledInstances | Gets all currently enabled integration instances. |
SearchIncidentsSummary | Searches Cortex Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
SearchAlertsSummary | Searches Cortex Alerts and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchAlertsV2 from the Common Scripts pack, but more efficient. |
ShowLocationOnMap | Show indicator geo location on map. |
SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
SearchAlertsV2 | Searches Demisto alerts. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident |
LinkAlertsButton | Alert action button script to link or unlink Alerts from an Alert |
ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
ToTable | Convert an array to a nice table display. Usually, from the context. |
ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
BreachConfirmationHTML | |
SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
EmailReputation | A context script for Email entities. |
ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
LoadJSONFileToContext | Loads a JSON file from the war room to context. |
EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII) |
cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
http | Sends http request. Returns the response as json. |
ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
FindSimilarIncidents | Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
FindSimilarAlerts | Deprecated. Use DBotFindSimilarAlerts instead. Finds similar alerts by common alert keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
DBotClosedAlertsPercentage | Data output script for populating dashboard pie graph widget with the percentage of alerts closed by DBot vs. alerts closed by analysts. |
ContextGetIps | Gets all IP addresses in context, excluding ones given. |
AnalyzeTimestampIntervals | Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps. |
HttpV2 | Sends a HTTP request with advanced capabilities. |
EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
Set | Set a value in context under the key you entered. |
AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
SetWithTemplate | Set a value built by a template in context under the key you entered. |
UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
ExportAlertsToCSV | This automation uses the Core REST API Integration to batch export Alerts to CSV and return the resulting CSV file to the war room. |
VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
CommandLineAnalysis | This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. |
ContentPackInstaller | Content packs installer from marketplace. |
AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
SetDateField | Sets a custom incident field with current date |
AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
SearchIndicator | Searches Cortex Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s). |
GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
DisplayHTML | Display HTML in the War Room. |
FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
IPReputation | A context script for IP entities. |
ExifRead | Read image files metadata and provide Exif tags. |
GetLicenseID | Returns the license ID. |
commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
CalculateTimeDifference | Calculate the time difference, in minutes |
StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
SetMultipleValues | Set multiple keys/values to the context. |
MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
IsListExist | Check if list exist in demisto lists. |
PrintToAlert | Prints a value to the specified alert's war-room. The alert must be in status "Under Investigation". |
IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
JSONDiff | compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format. |
DomainReputation | A context script for Domain entities |
Sleep | Sleep for X seconds. |
IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
AlertAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
GenerateSummaryReports | Generate report summaries for the passed incidents. |
CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
GetServerURL | Get the Server URL. |
MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
ServerLogs_docker | Uses the ssh integration to grab the host server logs. |
GetEntries | Collect entries matching to the conditions in the war room. |
IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom |
ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
PortListenCheck | Checks whether a port was open on given host. |
clear-user-session | This script clears user sessions across multiple integrations for a list of usernames. |
ZipFile | Zip a file and upload to war room. |
ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
CompareAlertsLabels | Compares the labels of two alerts. Returns the labels that are unique to each alert. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident |
ArrayToCSV | Converts a simple Array into a textual comma separated string |
MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag |
URLSSLVerification | Verify URL SSL certificate. |
VerifyCIDR | Verify that the CIDRs are valid. |
PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident} |
IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
LanguageDetect | Language detection based on Google's language-detection. |
AssignAnalystToIncident | Assign analyst to incident. |
IPNetwork | Gather information regarding CIDR - |
CountArraySize | Count an array size |
CalculateEntropy | Calculates the entropy for the given data. |
Ping | Pings an IP or url address, to verify it's up. Note - On Cortex and Cortex XSIAM, the script can run only on a custom engine. |
CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Note: Sending emails require an active Mail Sender integration instance. |
HTTPListRedirects | List the redirects for a given URL |
RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
SetByAlertId | Works the same as the 'Set' command, but can work across alerts by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
ZipStrings | Joins values from two lists by index according to a given format. |
NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
ConvertXmlFileToJson | Converts XML file entry to JSON format |
PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
LoadJSON | Loads a json from string input, and returns a json object result. |
ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
ShowAlertIndicators | This script is used to display the indicators of an alert in an alert field of type Array. It can be used to select indicators from the alert in order to later perform some actions, like tagging the indicators for blocking via EDL. |
ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
get-user-data | This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. |
CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
SetTime | Fill the current time in a custom incident field |
ConvertXmlToJson | Converts XML string to JSON format |
LessThanPercentage | Checks if one percentage is less than another |
get-endpoint-data | This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context. |
IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
StringReplace | Replaces regex match/es in string. |
GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
BMCTool | Parse RDP bitmap cache data into a single collage image file. |
ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key |
GetByIncidentId | Gets a value from the specified incident's context. |
GetByAlertId | Gets a value from the specified alert's context. |
TimeStampCompare | Compares a single timestamp to a list of timestamps. |
CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
ReadFile | Load the contents of a file into context. |
IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
FileReputation | A context script for hash entities. |
ConvertTableToHTML | Converts a given array to an HTML table |
DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at:
|
ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
ServerLogs | Uses the ssh integration to grab the host server logs. |
BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
CheckSenderDomainDistance | Get the string distance for the sender from our domain |
cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
listExecutedCommands | Lists executed commands in War Room |
IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
GetTime | Retrieves the current date and time. |
checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
ShowScheduledEntries | Show all scheduled entries for specific incident. |
FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
IncidentFields | Returns a dict of all incident fields that exist in the system. |
AlertFields | Returns a dict of all alert fields that exist in the system. |
PrintToParentIncident | Prints a value to the parent incident's war-room of the current alert. |
StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
GenerateRandomString | Generates random string |
ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
Dig | DNS lookup utility to provide 'A' and 'PTR' record. |
URLReputation | A context script for URL entities. |
ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
CreateArray | Will create an array object in context from given string input |
ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
CopyNotesToAlert | Copy all entries marked as notes from current alert to another alert. |
Prints text to war room (Markdown supported) | |
ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
SetGridField | Creates a Grid table from items or key-value pairs. |
hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
hideFieldsOnNewAlert | When you apply this script to an alert field, that alert field is hidden for new alerts, and it displays in edit mode. |
RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
PrintContext | Pretty-print the contents of the playbook context. |
IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex). |
UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
Base64EncodeV2 | Encodes an input to Base64 format. |
IsValueInArray | Indicates whether a given value is a member of given array |
IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
DisplayHTMLWithImages | Display HTML with embedded images. |
IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
IncreaseAlertSeverity | Optionally increases the alert severity to the new value if it is greater than the existing severity. |
ContextGetEmails | Gets all email addresses in context, excluding ones given. |
AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
IsPDFFileEncrypted | Checks whether the PDF file is encrypted. |
FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
DumpJSON | Dumps a json from context key input, and returns a json object string result |
ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
CompareLists | Compare two lists and put the differences in context. |
SetIndicatorGridField | This script updates an indicator's grid field in Cortex with provided row data. You can input the rows directly or extract them from the context. |
JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
MITRENameByID_Formatter | Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data). |
ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
CertificateExtract | Extract fields from a certificate file and return the standard context. |
ExportToCSV | Export given array to csv file. |
PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections |
DownloadAndArchivePythonLibrary | The script downloads a Python library using PIP, archives it, and returns the file to the war room. |
ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString |
PrintErrorEntry | Prints an error entry with a given message. |
IPToHost | Try to get the hostname correlated with the input IP. |
StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
DecodeMimeHeader | Decode MIME base64 headers. |
GetListRow | Parses a list by header and value. |
ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
ParseYAML | Parses a YAML string into context. |
VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
PublishEntriesToContext | Publish entries to incident's context |
HTMLtoMD | Converts HTML to Markdown. |
displayMappedFields | Display the mapped fields in a dynamic-section. |
PrintToIncident | Prints a value to the specified incident's war-room. |
FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
TextFromHTML | Extract regular text from the given HTML. |
ContextContains | This script searches for a value in a context path. |
ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
GetDomainDNSDetails | Returns DNS details for a domain. |
UnEscapeIPs | Remove escaping chars from IP |
IsTrue | Check if a given value is true. Will return 'no' otherwise |
enrich_exclude_button | This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise. |
ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context. |
GetInstances | Returns integration instances configured in Cortex. You can filter by instance status and/or brand name (vendor). |
GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
GetFieldsByAlertType | Returns the alert field names associated to the specified alert type. |
WordTokenizer | Deprecated. Use DBotPreProcessTextData instead. |
GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
ExposeAlertOwner | Expose the alert owner into AlertOwner context key |
PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
Base64Encode | Will encode an input using Base64 format. |
GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
GenerateRandomUUID | Generates a random UUID (UUID 4). |
URLNumberOfAds | Fetches the numbers of ads in the given url. |
StringLength | Returns the length of the string passed as argument |
ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
Strings | Extract strings from a file with optional filter - similar to binutils strings command |
Name | Description |
---|---|
State where the breach took place | |
Company Address | |
Sector of Affected Party | |
Approximate number of affected data subjects | |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
Is the Data Subject to DPIA | |
Management Notification | |
PII Data Type | |
Resident Notification Option | |
Company City | |
Residents Email Address | |
Data Encryption Status | |
Postal Code | |
Other PII data breached | Is other PII data breached |
Telephone no. | |
Malicious Cause (If the cause is a malicious attack) | |
State CISO Notification | |
Company Name | |
E-mail Address | |
Attorney General Notification | |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
Company has Insurance for the Breach | |
Secretary Notification | |
Company Postal Code | |
Account information breached | Is account information breached |
Contact Email address | |
Size - number of employees | |
Consumer Reporting Agencies Notification | |
Media Notification | The status of the media notification |
Where is data hosted | |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
DPO Notification | |
Unique identification number breached | Is unique identification number breached |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Size - turnover | |
Individuals Notification | |
Contact Name | |
Financial information breached | Is financial information breached |
Affected Data Type | |
Medical Information breached | Is Medical Information breached |
Contact Address | |
Breach Confirmation | Is the DPO confirm the breach |
Health insurance breached | Is health insurance breached |
DPO E-mail Address | |
Affected Individuals Contact Information | |
Unique biometric data breached | Is unique biometric data breached |
Contact Telephone number | |
Possible Cause of the Breach | |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
Name | Description |
---|---|
PrivateIPs |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
US - Breach Notification | By: Cortex XSOAR |
Brute Force | By: Cortex XSOAR |
Elasticsearch | By: Cortex XSOAR |
MITRE ATT&CK | By: Cortex XSOAR |
GDPR | By: Cortex XSOAR |
Gmail | By: Cortex XSOAR |
Gmail Single User | By: Cortex XSOAR |
HIPAA - Breach Notification | By: Cortex XSOAR |
IBM Security QRadar SOAR | By: Cortex XSOAR |
Mail Sender (New) | By: Cortex XSOAR |
Microsoft Graph Mail | By: Cortex XSOAR |
ProtectWise | By: Cortex XSOAR |
Remote Access | By: Cortex XSOAR |
Shodan | By: Cortex XSOAR |
Sumo Logic | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
New: Added a new script- JSONDiff that compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format.
Fixed an issue where under specific conditions the exported times of the indicators were presented as UTC when they were actually in local time. All the exported times are now correctly parsed into UTC the time zone.
Fixed an issue where the timeout_between_retries argument was treated as a string instead of being converted to a number.
Updated the Docker image to: demisto/python3:3.11.11.1940698.
Updated the Docker image to: demisto/python3:3.11.11.1940698.
Updated the Docker image to: demisto/py3-tools:1.0.0.117220.
Code functionality and documentation improvements.
New: Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data).
Fixed an issue where URLs were not parsed correctly when handling nested parenthesis in the URL query.
Internal code improvements.
Improved consistency of the script output by removing carriage return (\r) characters from the end of lines.
New: This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. (Available from Cortex XSOAR 6.10.0).
Updated the Docker image to: demisto/mlurlphishing:1.0.0.103417.
stderr
redirection by removing wurlitzer.pipes()
and redirecting stderr
to a temporary file.New: Added a new script- JSONDiff that compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format.
Fixed an issue where under specific conditions the exported times of the indicators were presented as UTC when they were actually in local time. All the exported times are now correctly parsed into UTC the time zone.
Fixed an issue where the timeout_between_retries argument was treated as a string instead of being converted to a number.
Updated the Docker image to: demisto/python3:3.11.11.1940698.
Updated the Docker image to: demisto/python3:3.11.11.1940698.
Updated the Docker image to: demisto/py3-tools:1.0.0.117220.
Code functionality and documentation improvements.
New: Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data).
Fixed an issue where URLs were not parsed correctly when handling nested parenthesis in the URL query.
Internal code improvements.
Improved consistency of the script output by removing carriage return (\r) characters from the end of lines.
New: This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.##### ShowIncidentIndicators
stderr
redirection by removing wurlitzer.pipes()
and redirecting stderr
to a temporary file.Fixed an issue where the alerts field was not mapped in Cortex XSIAM.
Certification | Certified | Read more |
Supported By | Cortex | |
Created | July 27, 2020 | |
Last Release | April 17, 2025 |