Execute a command on a remote machine (without installing a D2 agent)
Common Scripts
- Details
- Content
- Dependencies
- Version History
Frequently used scripts pack.
Name | Description |
---|---|
RemoteExec | |
ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
GetEntries | Collect entries matching to the conditions in the war room |
ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
StringReplace | Replaces regex match/es in string. |
TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
IsIPPrivate | The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs".
|
BreachConfirmationHTML | |
MarkRelatedIncidents | Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
PortListenCheck | Checks whether a port was open on given host. |
GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
LoadJSON | Loads a json from string input, and returns a json object result. |
CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
SendEmailOnSLABreach | Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. |
DisplayHTMLWithImages | Display HTML with embedded images. |
CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
URLNumberOfAds | Fetches the numbers of ads in the given url. |
IPNetwork | Gather information regarding CIDR - |
EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident} |
FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
ConvertXmlFileToJson | Converts XML file entry to JSON format |
SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ZipStrings | Joins values from two lists by index according to a given format. |
IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
ToTable | Convert an array to a nice table display. Usually, from the context. |
StopTimeToAssignOnOwnerChange | Stops the "Time To Assign" timer if the owner of the incident was changed. |
ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ExportToCSV | Export given array to csv file |
VerifyCIDR | Verify that the CIDRs are valid. |
FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
CalculateTimeDifference | Calculate the time difference, in minutes |
MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag |
IsListExist | Check if list exist in demisto lists. |
ChangeRemediationSLAOnSevChange | Changes the remediation SLA once a change in incident severity occurs. |
DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
ZipFile | Zip a file and upload to war room |
ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
HttpV2 | Sends a HTTP request with advanced capabilities |
GenerateRandomString | Generates random string |
ContextGetEmails | Gets all email addresses in context, excluding ones given. |
UnEscapeIPs | Remove escaping chars from IP |
GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
TimeStampCompare | Compares a single timestamp to a list of timestamps. |
ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context |
TextFromHTML | Extract regular text from the given HTML. |
CertificateExtract | Extract fields from a certificate file and return the standard context. |
BMCTool | Parse RDP bitmap cache data into a single collage image file. |
CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
Strings | Extract strings from a file with optional filter - similar to binutils strings command |
IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0). |
listExecutedCommands | Lists executed commands in War Room |
GenerateRandomUUID | Generates a random UUID (UUID 4). |
ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
ServerLogs | Uses the ssh integration to grab the host server logs. |
StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
LanguageDetect | Language detection based on Google's language-detection. |
DisplayHTML | Display HTML in the War Room. |
ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ShowLocationOnMap | Show indicator geo location on map. |
ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
GetTime | Retrieves the current date and time. |
ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
SearchIndicator | Searches Cortex XSOAR Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key |
AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
ContextContains | This script searches for a value in a context path. |
DumpJSON | Dumps a json from context key input, and returns a json object string result |
CalculateEntropy | Calculates the entropy for the given data. |
IPReputation | A context script for IP entities. |
GenerateSummaryReports | Generate report summaries for the passed incidents. |
FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
GetListRow | Parses a list by header and value. |
RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom |
PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections |
ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
GetInstances | Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor). |
AssignAnalystToIncident | Assign analyst to incident. |
AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
ConvertTableToHTML | Converts a given array to an HTML table |
GetEnabledInstances | Gets all currently enabled integration instances. |
WordTokenizer | Tokenize the words in a input text. |
DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
ConvertXmlToJson | Converts XML string to JSON format |
ShowScheduledEntries | Show all scheduled entries for specific incident. |
IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
GetServerURL | Get the Server URL. |
VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
Set | Set a value in context under the key you entered. |
CreateArray | Will create an array object in context from given string input |
LinkIncidentsWithRetry | Use this script to avoid DB version errors when simultaneously running multiple linked incidents. |
ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
Prints text to war room (Markdown supported) | |
DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide |
ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
PrintErrorEntry | Prints an error entry with a given message. |
CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
HTMLtoMD | Converts HTML to Markdown. |
IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
PublishEntriesToContext | Publish entries to incident's context |
ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s) |
PrintContext | Pretty-print the contents of the playbook context. |
LoadJSONFileToContext | Loads a JSON file from the war room to context. |
NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
CountArraySize | Count an array size |
SetMultipleValues | Set multiple keys/values to the context. |
IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
DecodeMimeHeader | Decode MIME base64 headers. |
http | Sends http request. Returns the response as json. |
ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
Ping | Pings an IP or url address, to verify it's up |
GetByIncidentId | Gets a value from the specified incident's context. |
ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
ContextGetIps | Gets all IP addresses in context, excluding ones given. |
Base64EncodeV2 | Encodes an input to Base64 format. |
SearchIncidentsSummary | Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
FindSimilarIncidents | Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
HTTPListRedirects | List the redirects for a given URL |
checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
Base64Encode | Will encode an input using Base64 format. |
displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
ParseYAML | Parses a YAML string into context |
LessThanPercentage | Checks if one percentage is less than another |
ContentPackInstaller | Content packs installer from marketplace. |
ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
IncidentFields | Returns a dict of all incident fields that exist in the system. |
IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
EmailReputation | A context script for Email entities. |
GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
GetLicenseID | Returns the license ID. |
DBotUpdateLogoURLPhishing | Add, remove, or modify logos from the URL Phishing model. |
ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
IPToHost | Try to get the hostname correlated with the input IP. |
ServerLogs_docker | Uses the ssh integration to grab the host server logs. |
BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
ExifRead | Read image files metadata and provide Exif tags |
DemistoVersion | Return the Demisto server version. |
AssignToMeButton | Assigns the current Incident to the Cortex XSOAR user who clicked the button |
JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident |
ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
ReadFile | Load the contents of a file into context. |
IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
StringLength | Returns the length of the string passed as argument |
GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII) |
IsValueInArray | Indicates whether a given value is a member of given array |
SetTime | Fill the current time in a custom incident field |
URLSSLVerification | Verify URL SSL certificate |
CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Note: Sending emails require an active Mail Sender integration instance. |
ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString |
ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
ArrayToCSV | Converts a simple Array into a textual comma separated string |
SetDateField | Sets a custom incident field with current date |
IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
IsDomainInternal | The script takes one or more domain names and checks whether they're in the Cortex XSOAR list defined in the InternalDomainsListName argument. By default, the InternalDomainsListName argument will use the Cortex XSOAR list called "InternalDomains". |
commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
URLReputation | A context script for URL entities. |
EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
IsTrue | Check if a given value is true. Will return 'no' otherwise |
FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
SetWithTemplate | Set a value built by a template in context under the key you entered. |
GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
Sleep | Sleep for X seconds. |
NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
GetDomainDNSDetails | Returns DNS details for a domain. |
SetGridField | Creates a Grid table from items or key-value pairs. |
ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
CheckSenderDomainDistance | Get the string distance for the sender from our domain |
LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident |
CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
CompareLists | Compare two lists and put the differences in context. |
PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
FileReputation | A context script for hash entities. |
displayMappedFields | Display the mapped fields in a dynamic-section. |
CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
DomainReputation | A context script for Domain entities |
Dig | DNS lookup utility to provide 'A' and 'PTR' record |
Name | Description |
---|---|
Is the Data Subject to DPIA | |
State CISO Notification | |
Contact Address | |
Account information breached | Is account information breached |
Possible Cause of the Breach | |
Other PII data breached | Is other PII data breached |
Telephone no. | |
Company Address | |
Financial information breached | Is financial information breached |
Company Country | |
Management Notification | |
Where is data hosted | |
Secretary Notification | |
Media Notification | The status of the media notification |
PII Data Type | |
Company has Insurance for the Breach | |
Individuals Notification | |
Unique biometric data breached | Is unique biometric data breached |
Breach Confirmation | Is the DPO confirm the breach |
Affected Data Type | |
Company City | |
Consumer Reporting Agencies Notification | |
Medical Information breached | Is Medical Information breached |
Company Postal Code | |
DPO Notification | |
Approximate number of affected data subjects | |
Contact Telephone number | |
Attorney General Notification | |
Size - number of employees | |
E-mail Address | |
DPO E-mail Address | |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Affected Individuals Contact Information | |
State where the breach took place | |
Malicious Cause (If the cause is a malicious attack) | |
Date/time of the breach | |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
Contact Name | |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
Resident Notification Option | |
Contact Email address | |
Unique identification number breached | Is unique identification number breached |
Health insurance breached | Is health insurance breached |
Sector of Affected Party | |
Company Name | |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
Country where the breach took place | |
Size - turnover | |
Postal Code | |
Residents Email Address | |
Data Encryption Status |
Name | Description |
---|---|
PrivateIPs | |
InternalDomains |
Name | Description |
---|---|
IsTrue | Check if a given value is true. Will return 'no' otherwise |
ConvertTableToHTML | Converts a given array to an HTML table |
ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString |
emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections |
IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
VerifyCIDR | Verify that the CIDRs are valid. |
ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
SetTime | Fill the current time in a custom incident field |
TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
ExportToCSV | Export given array to csv file |
LanguageDetect | Language detection based on Google's language-detection. |
GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
Dig | DNS lookup utility to provide 'A' and 'PTR' record |
IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
Prints text to war room (Markdown supported) | |
Set | Set a value in context under the key you entered. |
PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
ToTable | Convert an array to a nice table display. Usually, from the context. |
IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
IncidentFields | Returns a dict of all incident fields that exist in the system. |
AlertFields | Returns a dict of all alert fields that exist in the system. |
ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
PrintErrorEntry | Prints an error entry with a given message. |
ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide |
ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
http | Sends http request. Returns the response as json. |
SetGridField | Creates a Grid table from items or key-value pairs. |
GetInstances | Returns integration instances configured in Cortex XSIAM. You can filter by instance status and/or brand name (vendor). |
ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions. |
IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII) |
TimeStampCompare | Compares a single timestamp to a list of timestamps. |
CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
IsListExist | Check if list exist in demisto lists. |
HttpV2 | Sends a HTTP request with advanced capabilities |
SearchIndicator | Searches Cortex XSIAM Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
CopyNotesToAlert | Copy all entries marked as notes from current alert to another alert. |
CountArraySize | Count an array size |
MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
CalculateEntropy | Calculates the entropy for the given data. |
ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
SearchAlertsV2 | Searches Demisto alerts. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ExifRead | Read image files metadata and provide Exif tags |
SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
SetMultipleValues | Set multiple keys/values to the context. |
SearchIncidentsSummary | Searches Cortex XSIAM Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
SearchAlertsSummary | Searches Cortex XSIAM Alerts and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchAlertsV2 from the Common Scripts pack, but more efficient. |
DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
HTMLtoMD | Converts HTML to Markdown. |
CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
AssignAnalystToIncident | Assign analyst to incident. |
SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
SetByAlertId | Works the same as the 'Set' command, but can work across alerts by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
ExportAlertsToCSV | This automation uses the Core REST API Integration to batch export Alerts to CSV and return the resulting CSV file to the war room. |
HTTPListRedirects | List the redirects for a given URL |
PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSIAM CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
AssignToMeButton | Assigns the current Incident to the Cortex XSIAM user who clicked the button |
LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
CompareLists | Compare two lists and put the differences in context. |
EmailReputation | A context script for Email entities. |
URLReputation | A context script for URL entities. |
ZipStrings | Joins values from two lists by index according to a given format. |
FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag |
PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident} |
ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
displayMappedFields | Display the mapped fields in a dynamic-section. |
FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
LessThanPercentage | Checks if one percentage is less than another |
GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
TextFromHTML | Extract regular text from the given HTML. |
FileReputation | A context script for hash entities. |
IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
StringReplace | Replaces regex match/es in string. |
ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
WordTokenizer | Tokenize the words in a input text. |
ServerLogs | Uses the ssh integration to grab the host server logs. |
URLSSLVerification | Verify URL SSL certificate |
hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
hideFieldsOnNewAlert | When you apply this script to an alert field, that alert field is hidden for new alerts, and it displays in edit mode. |
DomainReputation | A context script for Domain entities |
IsValueInArray | Indicates whether a given value is a member of given array |
GetByIncidentId | Gets a value from the specified incident's context. |
GetByAlertId | Gets a value from the specified alert's context. |
findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
findAlertsWithIndicator | Lookup alerts with specified indicator. Use currentAlertId to omit the existing alert from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
DisplayHTML | Display HTML in the War Room. |
ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
GetTime | Retrieves the current date and time. |
ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
ServerLogs_docker | Uses the ssh integration to grab the host server logs. |
GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Note: Sending emails require an active Mail Sender integration instance. |
Base64Encode | Will encode an input using Base64 format. |
AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
UnEscapeIPs | Remove escaping chars from IP |
SendEmailOnSLABreach | Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. |
ParseYAML | Parses a YAML string into context |
Ping | Pings an IP or url address, to verify it's up |
SetWithTemplate | Set a value built by a template in context under the key you entered. |
ConvertXmlFileToJson | Converts XML file entry to JSON format |
SetDateField | Sets a custom incident field with current date |
CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
ContextGetEmails | Gets all email addresses in context, excluding ones given. |
VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
LoadJSON | Loads a json from string input, and returns a json object result. |
GetListRow | Parses a list by header and value. |
CertificateExtract | Extract fields from a certificate file and return the standard context. |
ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
ShowAlertIndicators | This script is used to display the indicators of an alert in an alert field of type Array. It can be used to select indicators from the alert in order to later perform some actions, like tagging the indicators for blocking via EDL. |
IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSIAM 6.0.0). |
CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
IPNetwork | Gather information regarding CIDR - |
GetDomainDNSDetails | Returns DNS details for a domain. |
ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
PortListenCheck | Checks whether a port was open on given host. |
BMCTool | Parse RDP bitmap cache data into a single collage image file. |
EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
DumpJSON | Dumps a json from context key input, and returns a json object string result |
ReadFile | Load the contents of a file into context. |
ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
listExecutedCommands | Lists executed commands in War Room |
DisplayHTMLWithImages | Display HTML with embedded images. |
ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident |
GenerateRandomUUID | Generates a random UUID (UUID 4). |
isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context |
PrintContext | Pretty-print the contents of the playbook context. |
FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
CreateArray | Will create an array object in context from given string input |
ZipFile | Zip a file and upload to war room |
FindSimilarIncidents | Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
FindSimilarAlerts | Finds similar alerts by common alert keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
IPToHost | Try to get the hostname correlated with the input IP. |
GetServerURL | Get the Server URL. |
URLNumberOfAds | Fetches the numbers of ads in the given url. |
Base64EncodeV2 | Encodes an input to Base64 format. |
ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
DBotClosedAlertsPercentage | Data output script for populating dashboard pie graph widget with the percentage of alerts closed by DBot vs. alerts closed by analysts. |
GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
ShowScheduledEntries | Show all scheduled entries for specific incident. |
ContentPackInstaller | Content packs installer from marketplace. |
MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
ArrayToCSV | Converts a simple Array into a textual comma separated string |
GenerateSummaryReports | Generate report summaries for the passed incidents. |
ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
ExposeAlertOwner | Expose the alert owner into AlertOwner context key |
StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
GenerateRandomString | Generates random string |
DecodeMimeHeader | Decode MIME base64 headers. |
MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
GetLicenseID | Returns the license ID. |
ConvertXmlToJson | Converts XML string to JSON format |
JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
Strings | Extract strings from a file with optional filter - similar to binutils strings command |
RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
CalculateTimeDifference | Calculate the time difference, in minutes |
GetEntries | Collect entries matching to the conditions in the war room |
RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key |
AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
CheckSenderDomainDistance | Get the string distance for the sender from our domain |
ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom |
ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
ContextContains | This script searches for a value in a context path. |
CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
CompareAlertsLabels | Compares the labels of two alerts. Returns the labels that are unique to each alert. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
AlertAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s) |
ContextGetIps | Gets all IP addresses in context, excluding ones given. |
StringLength | Returns the length of the string passed as argument |
ShowLocationOnMap | Show indicator geo location on map. |
SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
GetEnabledInstances | Gets all currently enabled integration instances. |
GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
Sleep | Sleep for X seconds. |
RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
IPReputation | A context script for IP entities. |
AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
IncreaseAlertSeverity | Optionally increases the alert severity to the new value if it is greater than the existing severity. |
JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
PublishEntriesToContext | Publish entries to incident's context |
RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
LoadJSONFileToContext | Loads a JSON file from the war room to context. |
ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident |
LinkAlertsButton | Alert action button script to link or unlink Alerts from an Alert |
ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
BreachConfirmationHTML | |
GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
GetFieldsByAlertType | Returns the alert field names associated to the specified alert type. |
Name | Description |
---|---|
Attorney General Notification | |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
Individuals Notification | |
Media Notification | The status of the media notification |
Company Postal Code | |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
Health insurance breached | Is health insurance breached |
Contact Name | |
Telephone no. | |
Unique identification number breached | Is unique identification number breached |
Resident Notification Option | |
Company has Insurance for the Breach | |
Company Name | |
Postal Code | |
State where the breach took place | |
Size - turnover | |
Consumer Reporting Agencies Notification | |
E-mail Address | |
Contact Address | |
Company City | |
DPO Notification | |
Where is data hosted | |
Company Address | |
Malicious Cause (If the cause is a malicious attack) | |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Affected Data Type | |
Secretary Notification | |
Affected Individuals Contact Information | |
Is the Data Subject to DPIA | |
Approximate number of affected data subjects | |
Financial information breached | Is financial information breached |
State CISO Notification | |
Residents Email Address | |
Contact Email address | |
Sector of Affected Party | |
Breach Confirmation | Is the DPO confirm the breach |
Medical Information breached | Is Medical Information breached |
PII Data Type | |
Contact Telephone number | |
Data Encryption Status | |
Management Notification | |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
Possible Cause of the Breach | |
Other PII data breached | Is other PII data breached |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
DPO E-mail Address | |
Size - number of employees | |
Unique biometric data breached | Is unique biometric data breached |
Account information breached | Is account information breached |
Name | Description |
---|---|
PrivateIPs |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
US - Breach Notification | By: Cortex XSOAR |
Brute Force | By: Cortex XSOAR |
Elasticsearch | By: Cortex XSOAR |
MITRE ATT&CK | By: Cortex XSOAR |
GDPR | By: Cortex XSOAR |
Gmail | By: Cortex XSOAR |
Gmail Single User | By: Cortex XSOAR |
HIPAA - Breach Notification | By: Cortex XSOAR |
Mail Sender (New) | By: Cortex XSOAR |
Microsoft Graph Mail | By: Cortex XSOAR |
ProtectWise | By: Cortex XSOAR |
Remote Access | By: Cortex XSOAR |
Shodan | By: Cortex XSOAR |
Sumo Logic | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Cortex REST API | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Scripts
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.91504.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.91504.
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.91504.
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.91504.
ZipFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.91504.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.91504.
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
Download
Scripts
AquatoneDiscoverV2
- Updated the Docker image to: demisto/aquatone:2.0.0.89205.
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.89345.
VerifyJSON
- Updated the Docker image to: demisto/powershell:7.4.0.80528.
- 33391
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33348
Download
Scripts
ScheduleGenericPolling
- Added support for propagating the
auto-extract
argument in both the initial and subsequent executions by introducing the extractMode argument. - Updated the Docker image to: demisto/python3:3.10.13.89009.
GenericPollingScheduledTask
- Added support for propagating the
auto-extract
argument in both the initial and subsequent executions by introducing the extractMode argument.
- 33146
Download
Scripts
CertificateExtract
- New: Extract fields from a certificate file and return the standard context. (Available from Cortex XSOAR 6.0.0).
- Updated the Docker image to: demisto/crypto:1.0.0.88857.
New: CertificateReputation
- New: Enrich and calculate the reputation of a certificate indicator. (Available from Cortex XSOAR 6.0.0).
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.10.13.89009.
- 31341
Download
Scripts
StixCreator
- Fixed an issue where Export Stix failed when exporting a not STIX compatible object of type
Report
. - Updated the Docker image to demisto/py3-tools:1.0.0.88283.
ScheduleGenericPolling
- Fixed an issue where a value was not sanitized.
- Updated the Docker image to: demisto/python3:3.10.13.87159.
- 32878
Download
Scripts
LinkIncidentsWithRetry
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.10.13.86272.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.10.13.86272.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.10.13.86272.
LinkIncidentsButton
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.10.13.86272.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IsDomainInternal
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IPToHost
- Updated the Docker image to: demisto/python3:3.10.13.86272.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.10.13.86272.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SetDateField
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ContextContains
- Updated the Docker image to: demisto/python3:3.10.13.86272.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.10.13.86272.
DemistoVersion
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IsIPPrivate
- Updated the Docker image to: demisto/python3:3.10.13.86272.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.10.13.86272.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.10.13.86272.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CalculateTimeDifference
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IdentifyAttachedEmail
- Fixed an issue where the script was erroring when there were no File entries in the warroom.
- Updated the Docker image to: demisto/python3:3.10.13.87159.
- 32966
Download
Scripts
ExportToXLSX
- Updated the Docker image to: demisto/xslxwriter:1.0.0.86441.
UnzipFile
- Updated the Docker image to: demisto/unzip:1.0.0.86000.
PcapHTTPExtractor
- Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.85826.
Dig
- Updated the Docker image to: demisto/netutils:1.0.0.86390.
HTMLtoMD
- Updated the Docker image to: demisto/btfl-soup:1.0.1.86352.
JsonUnescape
- Updated the Docker image to: demisto/python3-deb:3.10.13.85666.
GetDomainDNSDetails
- Updated the Docker image to: demisto/netutils:1.0.0.86390.
Ping
- Updated the Docker image to: demisto/netutils:1.0.0.86390.
ParseHTMLIndicators
- Updated the Docker image to: demisto/bs4-tld:1.0.0.86470.
ConvertXmlFileToJson
- Updated the Docker image to: demisto/xml-feed:1.0.0.86490.
ExtractHTMLTables
- Updated the Docker image to: demisto/bs4-py3:1.0.0.86348.
WordTokenizer
- Updated the Docker image to: demisto/nltk:2.0.0.86396.
- 32938
- 32763
- 32762
- 32741
- 32744
- 32745
- 32752
- 32753
- 32754
- 32759
- 32761
Download
Scripts
GetIndicatorDBotScoreFromCache
- Fixed an issue where the GetIndicatorDBotScoreFromCache automation failed when no IOCs were returned from the cache.
- Updated the Docker image to demisto/python3:3.10.13.86272.
CompareLists
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.10.13.86272.
FilterByList
- Updated the Docker image to: demisto/python3:3.10.13.86272.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.10.13.86272.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.10.13.86272.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.10.13.86272.
HttpV2
- Updated the Docker image to: demisto/python3:3.10.13.86272.
- 32445
Download
Scripts
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.10.13.86272.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ParseYAML
- Updated the Docker image to: demisto/python3:3.10.13.86272.
GetInstances
- Updated the Docker image to: demisto/python3:3.10.13.86272.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.10.13.86272.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.10.13.86272.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.10.13.86272.
LookupCSV
- Updated the Docker image to: demisto/python3:3.10.13.86272.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.10.13.86272.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.10.13.86272.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IsListExist
- Updated the Docker image to: demisto/python3:3.10.13.86272.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.10.13.86272.
DomainReputation
- Updated the Docker image to: demisto/python3:3.10.13.86272.
DumpJSON
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.10.13.86272.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.10.13.86272.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.10.13.86272.
Strings
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.10.13.86272.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.10.13.86272.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.10.13.86272.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.10.13.86272.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.10.13.86272.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.10.13.86272.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ParseCSV
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.10.13.86272.
CreateHash
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SendEmailOnSLABreach
- Updated the Docker image to: demisto/python3:3.10.13.86272.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.10.13.86272.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.10.13.86272.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.10.13.86272.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.10.13.86272.
GetEntries
- Updated the Docker image to: demisto/python3:3.10.13.86272.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.10.13.86272.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.10.13.86272.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.10.13.86272.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.10.13.86272.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.10.13.86272.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.10.13.86272.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.10.13.86272.
ReadFile
- Updated the Docker image to: demisto/python3:3.10.13.86272.
SetTime
- Updated the Docker image to: demisto/python3:3.10.13.86272.
- 32408
Download
Scripts
New: VerdictResult
New: This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field.
ParseEmailFilesV2
- Fixed a parsing issue when running on msg email files with headers only.
- Fixed an issue where EML multipart files were not parsed if they have a broken boundary.
- Updated the Docker image to: demisto/parse-emails:1.0.0.83945.
- 31683
Download
Scripts
IncidentFields
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
ExportIndicatorsToCSV
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
ExportIncidentsToCSV
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
GetFieldsByIncidentType
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
EditServerConfig
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GenerateAsBuilt
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
ExportAuditLogsToFile
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ContentPackInstaller
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
- Updated the Docker image to: demisto/xsoar-tools:1.0.0.83431.
ProvidesCommand
- Deprecated the demisto-api-* commands and replaced with the core-api-* commands. (Commands are identical, no effect is expected.)
- 31388
Download
Scripts
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.82639.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ChangeContext
- Updated the Docker image to: demisto/python3:3.10.13.83255.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.10.13.83255.
EmailReputation
- Updated the Docker image to: demisto/python3:3.10.13.83255.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.10.13.83255.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetServerURL
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.10.13.83255.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.10.13.83255.
FileReputation
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.10.13.83255.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ServerLogs
- Updated the Docker image to: demisto/python3:3.10.13.83255.
PrintRaw
- Updated the Docker image to: demisto/python3:3.10.13.83255.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.10.13.83255.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.10.13.83255.
StopTimeToAssignOnOwnerChange
- Updated the Docker image to: demisto/python3:3.10.13.83255.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.10.13.83255.
PrintContext
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.10.13.83255.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ChangeRemediationSLAOnSevChange
- Updated the Docker image to: demisto/python3:3.10.13.83255.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.10.13.83255.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.10.13.83255.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ZipStrings
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.10.13.83255.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.10.13.83255.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.10.13.83255.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.10.13.83255.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.10.13.83255.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.10.13.83255.
LoadJSON
- Updated the Docker image to: demisto/python3:3.10.13.83255.
URLReputation
- Updated the Docker image to: demisto/python3:3.10.13.83255.
IncidentFields
- Updated the Docker image to: demisto/python3:3.10.13.83255.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.10.13.83255.
IPReputation
- Updated the Docker image to: demisto/python3:3.10.13.83255.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.10.13.83255.
GenerateAsBuilt
- Updated the Docker image to: demisto/teams:1.0.0.83464.
- 31448
Download
Scripts
New: ReadQRCode
- New: This script uses the open-source library OpenCV to extract text from QR codes. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. (Available from Cortex XSOAR 6.10.0).
- 31323
Download
Scripts
FormatURL
- Improved error handling for better performance when the script fails.
- Updated the Docker image to: demisto/python3:3.10.13.80593.
ExtractDomainAndFQDNFromUrlAndEmail
- Improved error handling for better performance when the script fails.
- Updated the Docker image to: demisto/py3-tools:1.0.0.81280.
ExtractEmailV2
- Improved error handling for better performance when the script fails.
- Updated the Docker image to: demisto/python3:3.10.13.80593.
Sleep
Improved performance for longer sleep times. When seconds is greater than the configured threshold (5 minutes by default), sleep will switch to a polling state instead of waiting.
- 30661
Download
Scripts
IsIntegrationAvailable
- Improved implementation for better performance.
- Updated the Docker image to: demisto/python3:3.10.13.80593.
GetListRow
- Fixed an issue where sometimes a redundant
\r
would appear at the end of the line. - Updated the Docker image to: demisto/python3:3.10.13.80593.
- 31020
Download
Scripts
TextFromHTML
- Added the allow_body_fallback argument, which allows using the full html as the body in case the input html does not have a
body
tag. - Added the replace_line_breaks argument, which allows replacing
br
tags in the html with line breaks in the extracted text. - Added the trim_result argument, which allows replacing leading and trailing whitespaces as well as collapsing multiple empty lines in the extracted text to a single empty line.
- Added the output_to_context argument, which allows storing the extracted text in context.
- Updated the Docker image to: demisto/python3:3.10.13.75921.
- 30036
- 29836
Download
Scripts
cvss_color
Updated the Docker image to: demisto/python3:3.10.13.74666.
Fixed an issue where the script failed if the indicator had no custom fields.
StixCreator
- Fixed an issue where spec_version was empty when exporting more than one indicator.
- Updated the Docker image to: demisto/py3-tools:1.0.0.74403.
ExportAuditLogsToFile
- Added support to XSOAR 8.
- Updated the Docker image to: demisto/python3:3.10.13.74666.
- 29781
Download
Scripts
New: BMCTool
New: Parse RDP bitmap cache data into a single collage image file. (Available from Cortex XSOAR 6.9.0).
PreProcessImage
Updated the Docker image to: demisto/processing-image-file:1.0.0.64430.
New: StringSimilarity
New: This automation calculates the similarity ratio between text and a list of strings and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). (Available from Cortex XSOAR 6.9.0).
- 26053
Download
Scripts
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.10.12.63474.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.10.12.63474.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.10.12.63474.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.10.12.63474.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.10.12.63474.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.10.12.63474.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SendEmailOnSLABreach
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SetTime
- Updated the Docker image to: demisto/python3:3.10.12.63474.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DemistoVersion
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ReadFile
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CalculateTimeDifference
- Updated the Docker image to: demisto/python3:3.10.12.63474.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.10.12.63474.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.10.12.63474.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.10.12.63474.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsListExist
- Updated the Docker image to: demisto/python3:3.10.12.63474.
- 28102
Download
Scripts
DBotAverageScore
- Migrated the script from JavaScript to Python.
- Fixed an issue where if all scores of an indicator are '0', a null value would be returned.
- Updated the script to ignore '0' values (which indicate an 'unknown' value) from average calculations.
- Updated the Docker image to: demisto/python3:3.10.12.63474.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.10.12.63474.
LinkIncidentsButton
- Updated the Docker image to: demisto/python3:3.10.12.63474.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.10.12.63474.
FormatURL
- Updated the Docker image to: demisto/python3:3.10.12.63474.
- Updated the Docker image to: demisto/python3:3.10.12.63474.
- Updated the regex for URL wrappers to allow safelinks without a scheme (i.e. - https).
DumpJSON
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.10.12.63474.
LookupCSV
- Updated the Docker image to: demisto/python3:3.10.12.63474.
FilterByList
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DomainReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetInstances
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SetAndHandleEmpty
- Updated the Docker image to: demisto/python3:3.10.12.63474.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CreateHash
- Updated the Docker image to: demisto/python3:3.10.12.63474.
FindSimilarIncidents
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.10.12.63474.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.10.12.63474.
HttpV2
- Updated the Docker image to: demisto/python3:3.10.12.63474.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.10.12.63474.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsIntegrationAvailable
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetIndicatorDBotScoreFromCache
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IPToHost
- Updated the Docker image to: demisto/python3:3.10.12.63474.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ParseCSV
- Updated the Docker image to: demisto/python3:3.10.12.63474.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.10.12.63474.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.10.12.63474.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.10.12.63474.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.10.12.63474.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetEntries
- Updated the Docker image to: demisto/python3:3.10.12.63474.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.10.12.63474.
Strings
- Updated the Docker image to: demisto/python3:3.10.12.63474.
- 26053
- 28060
- 28030
- 28032
Download
Scripts
EditServerConfig
- Updated the Docker image to: demisto/python3:3.10.12.63474.
StopTimeToAssignOnOwnerChange
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.10.12.63474.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.10.12.63474.
PrintContext
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsDomainInternal
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsEmailAddressInternal
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ChangeRemediationSLAOnSevChange
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ParseYAML
- Updated the Docker image to: demisto/python3:3.10.12.63474.
displayMappedFields
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ContextContains
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IPNetwork
- Updated the Docker image to: demisto/python3:3.10.12.63474.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CompareLists
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsIPPrivate
- Updated the Docker image to: demisto/python3:3.10.12.63474.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ZipStrings
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.10.12.63474.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.10.12.63474.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.10.12.63474.
LinkIncidentsWithRetry
- Updated the Docker image to: demisto/python3:3.10.12.63474.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.10.12.63474.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.10.12.63474.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.10.12.63474.
LoadJSON
- Updated the Docker image to: demisto/python3:3.10.12.63474.
URLReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IncidentFields
- Updated the Docker image to: demisto/python3:3.10.12.63474.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IPReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.10.12.63474.
- 28026
Download
Scripts
cvss_color
- Fixed an issue where the script didn't change the font color when in dark mode.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ChangeContext
- Updated the Docker image to: demisto/python3:3.10.12.63474.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.10.12.63474.
EmailReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SetDateField
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetServerURL
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.10.12.63474.
FileReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.10.12.63474.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.10.12.63474.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.10.12.63474.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.10.12.63474.
ServerLogs
- Updated the Docker image to: demisto/python3:3.10.12.63474.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.10.12.63474.
PrintRaw
- Updated the Docker image to: demisto/python3:3.10.12.63474.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.10.12.63474.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.10.12.63474.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.10.12.63474.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.10.12.63474.
- 28000
Download
Scripts
ParseEmailFilesV2
- Added a fix to an issue in MSG files with attachment, for the error TypeError: a bytes-like object is required, not 'str'.
- Updated the Docker image to: demisto/parse-emails:1.0.0.59897.
- Updated the Docker image to: demisto/parse-emails:1.0.0.60423.
GridFieldSetup
- Added support for five new grid fields keys (total is 10 keys supported).
- Added an option to submit
TIMESTAMP
as a value in order to import current timestamp in ISO format.
ExtractDomainAndFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.61229.
- Added support for "zip" gTLD.
- 26702
Download
Scripts
ScheduleCommand
- Added the scheduledEntryGuid arguments to support the new GenericPolling playbook mechanism which improves the playbook performance.
GenericPollingScheduledTask
- Added the scheduledEntryGuid arguments to support the new GenericPolling playbook mechanism which improves the playbook performance.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.10.11.57890.
- Added the scheduledEntryGuid arguments to support the new GenericPolling playbook mechanism which improves the playbook performance.
- 26372
Download
Scripts
StixCreator
- Added a flag for creating SCO indicators.
- Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually.
- Updated the Docker image to: demisto/py3-tools:1.0.0.58222.
- 26026
Download
Scripts
SetMultipleValues
- Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.6.33415.
SearchIncidentsV2
- Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.10.48392.
FormatURL
- Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.11.54132.
ScheduleGenericPolling
- Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.10.48392.
- 26405
Download
Scripts
SetMultipleValues
- Added support for passing the values parameter as arrays.
- Updated the Docker image to: demisto/python3:3.10.11.57293.
FormatURL
Updated the Docker image to: demisto/python3:3.10.11.57293.
Updated the script for better performance.
ScheduleGenericPolling
Reverted performance changes done in version 1.11.66
GenericPollingScheduledTask
Reverted performance changes done in version 1.11.66
- 26385
- 26325
Download
PUBLISHER
PLATFORMS
INFO
Certification | Certified | Read more |
Supported By | Cortex | |
Created | July 27, 2020 | |
Last Release | April 21, 2024 |