Pack Contributors:
- barpec12
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Common Scripts
- Details
- Content
- Dependencies
- Version History
Frequently used scripts pack.
Pack Contributors:
- barpec12
Contributions are welcome and appreciated. For more info, visit our Contribution Guide.
Automations
| Name | Description |
|---|---|
| CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| LinkIncidentsWithRetry | Use this script to avoid DB version errors when simultaneously running multiple linked incidents. |
| CheckSenderDomainDistance | Get the string distance for the sender from our domain |
| Ping | Pings an IP or url address, to verify it's up. Note - On Cortex XSOAR 8 and Cortex XSIAM, the script can run only on a custom engine. |
| ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
| GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident |
| SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| PortListenCheck | Checks whether a port was open on given host. |
| Set | Set a value in context under the key you entered. |
| GetListRow | Parses a list by header and value. |
| emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
| NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
| GenerateRandomUUID | Generates a random UUID (UUID 4). |
| ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
| ExifRead | Read image files metadata and provide Exif tags. |
| ConvertXmlFileToJson | Converts XML file entry to JSON format |
| CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
| Base64EncodeV2 | Encodes an input to Base64 format. |
| ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
| DisplayHTML | Display HTML in the War Room. |
| DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at:
|
| FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
| commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
| AnalyzeTimestampIntervals | Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps. |
| GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
| ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
| UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
| ParseYAML | Parses a YAML string into context. |
| StringReplace | Replaces regex match/es in string. |
| StringLength | Returns the length of the string passed as argument |
| ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
| RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key |
| ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
| DumpJSON | Dumps a json from context key input, and returns a json object string result |
| GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ConvertTableToHTML | Converts a given array to an HTML table |
| Dig | DNS lookup utility to provide 'A' and 'PTR' record. |
| GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
| EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
| FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
| SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
| ZipStrings | Joins values from two lists by index according to a given format. |
| ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
| IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
| GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
| StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
| clear-user-session | This script clears user sessions across multiple integrations for a list of usernames. |
| IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
| PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
| ContentPackInstaller | Content packs installer from marketplace. |
| IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
| EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
| HTMLtoMD | Converts HTML to Markdown. |
| URLNumberOfAds | Fetches the numbers of ads in the given url. |
| SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
| AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
| GetTime | Retrieves the current date and time. |
| BreachConfirmationHTML | |
| UnEscapeIPs | Remove escaping chars from IP |
| NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
| ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| LessThanPercentage | Checks if one percentage is less than another |
| AssignToMeButton | Assigns the current Incident to the Cortex XSOAR user who clicked the button |
| FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
| CheckPDFEncryptionAndValidity | Returns wether a PDF is both valid and encrypted. |
| IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0). |
| MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag |
| EmailReputation | A context script for Email entities. |
| CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
| MITRENameByID_Formatter | Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data). |
| TimeStampCompare | Compares a single timestamp to a list of timestamps. |
| IsTrue | Check if a given value is true. Will return 'no' otherwise |
| IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
| GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
| ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
| IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
| findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
| DecodeMimeHeader | Decode MIME base64 headers. |
| ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
| SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| GetEntries | Collect entries matching to the conditions in the war room. |
| IsListExist | Check if list exist in demisto lists. |
| SearchIncidentsSummary | Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
| FileReputation | A context script for hash entities. |
| hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
| MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
| SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
| StopTimeToAssignOnOwnerChange | Stops the "Time To Assign" timer if the owner of the incident was changed. |
| ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
| FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
| GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
| IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
| CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
| EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII) |
| ReadFile | Load the contents of a file into context. |
| ExportToCSV | Export given array to csv file. |
| ContextGetEmails | Gets all email addresses in context, excluding ones given. |
| ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
| SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
| RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
| StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
| SendEmailOnSLABreach | Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. |
| VerifyCIDR | Verify that the CIDRs are valid. |
| MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
| http | Sends http request. Returns the response as json. |
| MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
| displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
| ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context. |
| IPToHost | Try to get the hostname correlated with the input IP. |
| ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
| PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
| BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
| URLSSLVerification | Verify URL SSL certificate. |
| ChangeRemediationSLAOnSevChange | Changes the remediation SLA once a change in incident severity occurs. |
| ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
| Base64Encode | Will encode an input using Base64 format. |
| RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
| ToTable | Convert an array to a nice table display. Usually, from the context. |
| MarkRelatedIncidents | Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
| ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
| IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
| ShowLocationOnMap | Show indicator geo location on map. |
| DownloadAndArchivePythonLibrary | The script downloads a Python library using PIP, archives it, and returns the file to the war room. |
Prints text to war room (Markdown supported) | |
| PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections |
| PrintErrorEntry | Prints an error entry with a given message. |
| SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| IsIPPrivate | The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs".
|
| ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
| IPReputation | A context script for IP entities. |
| SetIndicatorGridField | This script updates an indicator's grid field in Cortex XSOAR with provided row data. You can input the rows directly or extract them from the context. |
| IsPDFFileEncrypted | Checks whether the PDF file is encrypted. |
| MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
| ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
| PublishEntriesToContext | Publish entries to incident's context |
| checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
| JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
| VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
| GetServerURL | Get the Server URL. |
| FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
| SetWithTemplate | Set a value built by a template in context under the key you entered. |
| JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
| GetInstances | Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor). |
| ServerLogs | Uses the ssh integration to grab the host server logs. This script is supported only on Cortex XSOAR on-prem (version 6.X). |
| PrintContext | Pretty-print the contents of the playbook context. |
| GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
| GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
| LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident |
| LoadJSONFileToContext | Loads a JSON file from the war room to context. |
| DemistoVersion | Return the Demisto server version. |
| EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
| SetTime | Fill the current time in a custom incident field |
| StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
| DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ContextContains | This script searches for a value in a context path. |
| CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
| GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
| ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
| ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
| ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
| HttpV2 | Sends a HTTP request with advanced capabilities. |
| DisplayHTMLWithImages | Display HTML with embedded images. |
| IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
| get-endpoint-data | This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context. |
| UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
| ArrayToCSV | Converts a simple Array into a textual comma separated string |
| DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
| RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
| isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
| CountArraySize | Count an array size |
| CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
| UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
| DomainReputation | A context script for Domain entities |
| PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
| ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
| RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ServerLogs_docker | Uses the ssh integration to grab the host server logs. This script is supported only on Cortex XSOAR on-prem (version 6.X). |
| IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
| TextFromHTML | Extract regular text from the given HTML. |
| FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
| enrich_exclude_button | This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise. |
| CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
| IncidentFields | Returns a dict of all incident fields that exist in the system. |
| GetByIncidentId | Gets a value from the specified incident's context. |
| CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
| JSONDiff | compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format. |
| DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
| AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
| ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
| IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| CalculateEntropy | Calculates the entropy for the given data. |
displayMappedFields | Display the mapped fields in a dynamic-section. |
| CommandLineAnalysis | This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. |
| AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
| ShowScheduledEntries | Show all scheduled entries for specific incident. |
| PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
| ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
| ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ContextGetIps | Gets all IP addresses in context, excluding ones given. |
| ConvertXmlToJson | Converts XML string to JSON format |
| CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| HTTPListRedirects | List the redirects for a given URL |
| Strings | Extract strings from a file with optional filter - similar to binutils strings command |
| AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
| cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
| cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
| CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
| PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
| GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
| ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s). |
| CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
| SetDateField | Sets a custom incident field with current date |
| SearchIndicator | Searches Cortex XSOAR Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
| ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
WordTokenizer | Deprecated. Use DBotPreProcessTextData instead. |
| get-user-data | This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. |
| SetMultipleValues | Set multiple keys/values to the context. |
| SetGridField | Creates a Grid table from items or key-value pairs. |
| URLReputation | A context script for URL entities. |
| FindSimilarIncidents | Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
| ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
| CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Note: Sending emails require an active Mail Sender integration instance. |
| CalculateTimeDifference | Calculate the time difference, in minutes |
| ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
| ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
| DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
| ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
| ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
| AssignAnalystToIncident | Assign analyst to incident. |
| OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
| TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
| VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
| IsDomainInternal | The script takes one or more domain names and checks whether they're in the Cortex XSOAR list defined in the InternalDomainsListName argument. By default, the InternalDomainsListName argument will use the Cortex XSOAR list called "InternalDomains". |
| ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
| GenerateRandomString | Generates random string |
| VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
| ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
| GenerateSummaryReports | Generate report summaries for the passed incidents. |
| ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
| ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString |
| ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
| CompareLists | Compare two lists and put the differences in context. |
| AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
| BMCTool | Parse RDP bitmap cache data into a single collage image file. |
| IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
| UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
| LanguageDetect | Language detection based on Google's language-detection. |
| AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
| IsValueInArray | Indicates whether a given value is a member of given array |
| EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
| MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
| Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
| LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
| GetDomainDNSDetails | Returns DNS details for a domain. |
| ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
| ZipFile | Zip a file and upload to war room. |
| listExecutedCommands | Lists executed commands in War Room |
| PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident} |
| GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
| GenerateAsBuiltConfiguration | Generate a JSON file that can be downloaded and used to create the As-Built document for Cortex XSOAR. |
| IPNetwork | Gather information regarding CIDR - |
| FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
| CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
| LoadJSON | Loads a json from string input, and returns a json object result. |
| CertificateExtract | Extract fields from a certificate file and return the standard context. |
| CreateArray | Will create an array object in context from given string input |
| Sleep | Sleep for X seconds. |
| CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
| DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
| Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom |
| PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
| ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
| MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
| GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
| GetLicenseID | Returns the license ID. |
| block-external-ip | The script blocks a list of IP addresses in supported integrations. |
| JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
| ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
| ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
| GetEnabledInstances | Gets all currently enabled integration instances. |
Incident Fields
| Name | Description |
|---|---|
Financial information breached | Is financial information breached |
Is the Data Subject to DPIA | |
Size - number of employees | |
Telephone no. | |
DPO E-mail Address | |
Affected Data Type | |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
Company has Insurance for the Breach | |
Unique identification number breached | Is unique identification number breached |
Where is data hosted | |
Attorney General Notification | |
DPO Notification | |
E-mail Address | |
Company Country | |
Date/time of the breach | |
State CISO Notification | |
Breach Confirmation | Is the DPO confirm the breach |
State where the breach took place | |
PII Data Type | |
Contact Email address | |
Consumer Reporting Agencies Notification | |
Country where the breach took place | |
Company Address | |
Contact Telephone number | |
Approximate number of affected data subjects | |
Account information breached | Is account information breached |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
Size - turnover | |
Media Notification | The status of the media notification |
Contact Name | |
Health insurance breached | Is health insurance breached |
Company City | |
Company Postal Code | |
Residents Email Address | |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
Data Encryption Status | |
Possible Cause of the Breach | |
Secretary Notification | |
Resident Notification Option | |
Affected Individuals Contact Information | |
Other PII data breached | Is other PII data breached |
Postal Code | |
Company Name | |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
Malicious Cause (If the cause is a malicious attack) | |
Individuals Notification | |
Contact Address | |
Sector of Affected Party | |
Management Notification | |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Unique biometric data breached | Is unique biometric data breached |
Medical Information breached | Is Medical Information breached |
Lists
| Name | Description |
|---|---|
InternalDomains | |
PrivateIPs |
Automations
| Name | Description |
|---|---|
| enrich_exclude_button | This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise. |
| DecodeMimeHeader | Decode MIME base64 headers. |
| ContextContains | This script searches for a value in a context path. |
| PrintErrorEntry | Prints an error entry with a given message. |
| DisableUserWrapper | This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. |
| clear-user-session | This script clears user sessions across multiple integrations for a list of usernames. |
| MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. |
| ZipFile | Zip a file and upload to war room. |
| NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
| emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
| GetLicenseID | Returns the license ID. |
| GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
| GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
| CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
| SetGridField | Creates a Grid table from items or key-value pairs. |
| CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
| GetTime | Retrieves the current date and time. |
| checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. |
| ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
| URLNumberOfAds | Fetches the numbers of ads in the given url. |
| displayUtilitiesResults | This script displays the execution results of the tab's buttons in an HTML table format. |
| ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
| ExportAuditLogsToFile | Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file. |
| PortListenCheck | Checks whether a port was open on given host. |
| FileReputation | A context script for hash entities. |
| MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
| CalculateTimeDifference | Calculate the time difference, in minutes |
| SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
| ShowLocationOnMap | Show indicator geo location on map. |
| ExtractHyperlinksFromOfficeFiles | Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx. |
| MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. |
| GetEntries | Collect entries matching to the conditions in the war room. |
| DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| TextFromHTML | Extract regular text from the given HTML. |
| IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
IncreaseAlertSeverity | Optionally increases the alert severity to the new value if it is greater than the existing severity. |
| ToTable | Convert an array to a nice table display. Usually, from the context. |
| commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. |
| ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
| ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
| ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info. |
| get-endpoint-data | This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context. |
| SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
SetByAlertId | Works the same as the 'Set' command, but can work across alerts by specifying 'id' as an argument. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| ShowIncidentIndicators | This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. |
ShowAlertIndicators | This script is used to display the indicators of an alert in an alert field of type Array. It can be used to select indicators from the alert in order to later perform some actions, like tagging the indicators for blocking via EDL. |
| IsListExist | Check if list exist in demisto lists. |
| ContextGetIps | Gets all IP addresses in context, excluding ones given. |
| GetInstances | Returns integration instances configured in Cortex. You can filter by instance status and/or brand name (vendor). |
| IsGreaterThan | Checks if one number(float) as bigger than the other(float) |
| cveReputationV2 | Provides the severity of the CVE based on the CVSS score where available. |
| CVSSCalculator | This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation. |
| PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
| IncidentFields | Returns a dict of all incident fields that exist in the system. |
AlertFields | Returns a dict of all alert fields that exist in the system. |
| GetFieldsByIncidentType | Returns the incident field names associated to the specified incident type. |
GetFieldsByAlertType | Returns the alert field names associated to the specified alert type. |
| ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString |
GetDuplicatesMlv2 | Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| block-external-ip | The script blocks a list of IP addresses in supported integrations. |
| hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
hideFieldsOnNewAlert | When you apply this script to an alert field, that alert field is hidden for new alerts, and it displays in edit mode. |
| CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
| IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex). |
| TimeStampCompare | Compares a single timestamp to a list of timestamps. |
| DumpJSON | Dumps a json from context key input, and returns a json object string result |
| GridFieldSetup | Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter |
| BreachConfirmationHTML | |
| AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
| ConvertCountryCodeCountryName | Convert country name to country code or country code to country name. |
| CommandLineAnalysis | This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. |
| VerdictResult | This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field. |
| CheckIndicatorValue | Check if indicators exist in the Threat Intel database. |
| LessThanPercentage | Checks if one percentage is less than another |
| IsEmailAddressInternal | Checks if the email address is part of the internal domains. |
| GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
| SearchIncidentsV2 | Searches Demisto incidents. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
SearchAlertsV2 | Searches Demisto alerts. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| IsTrue | Check if a given value is true. Will return 'no' otherwise |
| ParseYAML | Parses a YAML string into context. |
| ArrayToCSV | Converts a simple Array into a textual comma separated string |
| StringReplace | Replaces regex match/es in string. |
| JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
| UnEscapeIPs | Remove escaping chars from IP |
| GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident |
| CheckPDFEncryptionAndValidity | Returns wether a PDF is both valid and encrypted. |
| GenerateRandomUUID | Generates a random UUID (UUID 4). |
| ExtractIndicatorsFromWordFile | Used to extract indicators from Word files (DOC, DOCX). This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| PrintToAlert | Prints a value to the specified alert's war-room. The alert must be in status "Under Investigation". |
| ReadQRCode | Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code. |
| NumberOfPhishingAttemptPerUser | Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| IsUrlPartOfDomain | Checks if the supplied URLs are in the specified domains. |
| GetEnabledInstances | Gets all currently enabled integration instances. |
| LoadJSONFileToContext | Loads a JSON file from the war room to context. |
| AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
| EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
| http | Sends http request. Returns the response as json. |
| ReplaceMatchGroup | Returns a string with all matches of a regex pattern groups replaced by a replacement. |
| ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
| FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|"). |
| Ping | Pings an IP or url address, to verify it's up. Note - On Cortex and Cortex XSIAM, the script can run only on a custom engine. |
| GenerateAsBuilt | Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. |
| ExifRead | Read image files metadata and provide Exif tags. |
| JSONtoCSV | Convert a JSON War Room output via EntryID to a CSV file. |
Prints text to war room (Markdown supported) | |
| ExtractIndicatorsFromTextFile | Extract indicators from a text-based file.
This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
| ExportToCSV | Export given array to csv file. |
| Sleep | Sleep for X seconds. |
| CountArraySize | Count an array size |
| RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key |
| GetByIncidentId | Gets a value from the specified incident's context. |
GetByAlertId | Gets a value from the specified alert's context. |
| ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic:
|
| ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
| CreateArray | Will create an array object in context from given string input |
| DomainReputation | A context script for Domain entities |
| IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
| IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
| EmailReputation | A context script for Email entities. |
| VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
| ChangeContext | Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values. |
| ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
| UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. |
| IsValueInArray | Indicates whether a given value is a member of given array |
| SearchIncidentsSummary | Searches Cortex Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. |
SearchAlertsSummary | Searches Cortex Alerts and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchAlertsV2 from the Common Scripts pack, but more efficient. |
| EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
| GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
| ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
| RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
| SetTime | Fill the current time in a custom incident field |
| findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
findAlertsWithIndicator | Lookup alerts with specified indicator. Use currentAlertId to omit the existing alert from output. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
| UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
| ShowScheduledEntries | Show all scheduled entries for specific incident. |
| IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
| FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
| EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm. |
| FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
| ReadFile | Load the contents of a file into context. |
| StringSimilarity | This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). |
| ContentPackInstaller | Content packs installer from marketplace. |
| RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
| GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way |
| GetListRow | Parses a list by header and value. |
| GetServerURL | Get the Server URL. |
| PcapHTTPExtractor | Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file. |
| GetDomainDNSDetails | Returns DNS details for a domain. |
| ContextGetEmails | Gets all email addresses in context, excluding ones given. |
| HTMLtoMD | Converts HTML to Markdown. |
| PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
| FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
| PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
| EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII) |
| ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
| GenerateSummaryReports | Generate report summaries for the passed incidents. |
| Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
| CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
CopyNotesToAlert | Copy all entries marked as notes from current alert to another alert. |
| CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| DownloadAndArchivePythonLibrary | The script downloads a Python library using PIP, archives it, and returns the file to the war room. |
| LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident |
LinkAlertsButton | Alert action button script to link or unlink Alerts from an Alert |
| ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
| EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
| PrintContext | Pretty-print the contents of the playbook context. |
| AssignToMeButton | Assigns the current Incident to the Cortex user who clicked the button |
| VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
| SetMultipleValues | Set multiple keys/values to the context. |
| ParseEmailFiles | Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
| ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
| AssignAnalystToIncident | Assign analyst to incident. |
| ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
ExposeAlertOwner | Expose the alert owner into AlertOwner context key |
| Set | Set a value in context under the key you entered. |
| URLSSLVerification | Verify URL SSL certificate. |
| BMCTool | Parse RDP bitmap cache data into a single collage image file. |
| CertificateExtract | Extract fields from a certificate file and return the standard context. |
| MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
| LookupCSV | Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context. |
| DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at:
|
| FindSimilarIncidents | Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
FindSimilarAlerts | Deprecated. Use DBotFindSimilarAlerts instead. Finds similar alerts by common alert keys, labels, custom fields or context keys. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
displayMappedFields | Display the mapped fields in a dynamic-section. |
| JSONDiff | compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format. |
| ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
| ExportIndicatorsToCSV | This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. |
| ResolveShortenedURL | This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output. |
| HTTPListRedirects | List the redirects for a given URL |
| GenerateRandomString | Generates random string |
| SetIndicatorGridField | This script updates an indicator's grid field in Cortex with provided row data. You can input the rows directly or extract them from the context. |
| TopMaliciousRatioIndicators | Find the top malicious ratio indicators. |
| StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format. |
| SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP. |
| CheckSenderDomainDistance | Get the string distance for the sender from our domain |
| VerifyCIDR | Verify that the CIDRs are valid. |
| ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
| ConvertXmlFileToJson | Converts XML file entry to JSON format |
| MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
| Base64EncodeV2 | Encodes an input to Base64 format. |
| IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
| SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
| UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. |
| GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
| ExportIncidentsToCSV | This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. |
ExportAlertsToCSV | This automation uses the Core REST API Integration to batch export Alerts to CSV and return the resulting CSV file to the war room. |
| HttpV2 | Sends a HTTP request with advanced capabilities. |
| IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
AlertAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
| GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
| DisplayHTMLWithImages | Display HTML with embedded images. |
| FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
| PreProcessImage | This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id. |
| CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Note: Sending emails require an active Mail Sender integration instance. |
| CompareLists | Compare two lists and put the differences in context. |
| ConvertXmlToJson | Converts XML string to JSON format |
| ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s). |
| CalculateEntropy | Calculates the entropy for the given data. |
| SetDateField | Sets a custom incident field with current date |
| ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
| PublishEntriesToContext | Publish entries to incident's context |
| cvss_color | This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score. |
| StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
| ExportContextToJSONFile | Exports the Context for the current Incident to a JSON file in the war room. |
| LoadJSON | Loads a json from string input, and returns a json object result. |
| ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
| RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
| PrintToParentIncident | Prints a value to the parent incident's war-room of the current alert. |
| IPReputation | A context script for IP entities. |
| LanguageDetect | Language detection based on Google's language-detection. |
| Base64Encode | Will encode an input using Base64 format. |
| ZipStrings | Joins values from two lists by index according to a given format. |
| IPNetwork | Gather information regarding CIDR - |
| ExtractAttackPattern | Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern. |
| CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
| CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
CompareAlertsLabels | Compares the labels of two alerts. Returns the labels that are unique to each alert. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| PositiveDetectionsVSDetectionEngines | Shows a bar chart of the number of Positive Detections out of overall detections |
| MarkAsEvidenceByTag | Mark entries as evidence if they are tagged with given tag |
| ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
| PrintToIncident | Prints a value to the specified incident's war-room. |
| CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
| IsPDFFileEncrypted | Checks whether the PDF file is encrypted. |
| GetDataCollectionLink | Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument. |
| ConvertTableToHTML | Converts a given array to an HTML table |
| ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled. |
| AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
| SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
| JSONFileToCSV | Script to convert a War Room output JSON File to a CSV file. |
| Dig | DNS lookup utility to provide 'A' and 'PTR' record. |
| IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no'. |
| ReadPDFFileV2 | Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available. |
WordTokenizer | Deprecated. Use DBotPreProcessTextData instead. |
| UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
| SetWithTemplate | Set a value built by a template in context under the key you entered. |
| PopulateCriticalAssets | Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name". |
| IPToHost | Try to get the hostname correlated with the input IP. |
| FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
| FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
| Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom |
| CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
| AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. |
| listExecutedCommands | Lists executed commands in War Room |
| MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag. |
| PrettyPrint | Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident} |
| AnalyzeTimestampIntervals | Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps. |
| IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
| AquatoneDiscoverV2 | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
| ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
| MITRENameByID_Formatter | Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data). |
| DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. |
DBotClosedAlertsPercentage | Data output script for populating dashboard pie graph widget with the percentage of alerts closed by DBot vs. alerts closed by analysts. |
| ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context. |
| Strings | Extract strings from a file with optional filter - similar to binutils strings command |
| DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
| RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions.
|
| DBotAverageScore | The script calculates the average DBot score for each indicator in the context. |
| ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
| URLReputation | A context script for URL entities. |
| FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
| ConvertFile | Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0 |
| DisplayHTML | Display HTML in the War Room. |
| ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
| CreateNewIndicatorsOnly | Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. |
| IsInternalDomainName | This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain. |
| CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available. |
| AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
| SearchIndicator | Searches Cortex Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument. |
| isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
| StringLength | Returns the length of the string passed as argument |
| get-user-data | This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. |
Incident Fields
| Name | Description |
|---|---|
Management Notification | |
Company Postal Code | |
E-mail Address | |
Approximate number of affected data subjects | |
Contact Telephone number | |
Health insurance breached | Is health insurance breached |
Data Encryption Status | |
Telephone no. | |
Possible Cause of the Breach | |
Company Address | |
Company has Insurance for the Breach | |
DPO Notification | |
Affected data | "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4 |
State CISO Notification | |
Size - turnover | |
DPO E-mail Address | |
State where the breach took place | |
Malicious Cause (If the cause is a malicious attack) | |
Residents Email Address | |
Country where business has its main establishment | "‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4 |
Attorney General Notification | |
Sector of Affected Party | |
Breach Confirmation | Is the DPO confirm the breach |
Resident Notification Option | |
Consumer Reporting Agencies Notification | |
Where is data hosted | |
Is the Data Subject to DPIA | |
Secretary Notification | |
Unique identification number breached | Is unique identification number breached |
Account information breached | Is account information breached |
Company City | |
Affected Individuals Contact Information | |
Likely Impact | "A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35 |
Size - number of employees | |
Media Notification | The status of the media notification |
Contact Name | |
Unique biometric data breached | Is unique biometric data breached |
Contact Address | |
PII Data Type | |
Medical Information breached | Is Medical Information breached |
Measures to Mitigate | " (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33 |
Contact Email address | |
Financial information breached | Is financial information breached |
Other PII data breached | Is other PII data breached |
Affected Data Type | |
Company Name | |
GDPR Notify Authorities | "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33 |
Postal Code | |
Individuals Notification |
Lists
| Name | Description |
|---|---|
PrivateIPs |
Required Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
Optional Content Packs (15)
| Pack Name | Pack By |
|---|---|
| US - Breach Notification | By: Cortex XSOAR |
| Brute Force | By: Cortex XSOAR |
| Elasticsearch | By: Cortex XSOAR |
| MITRE ATT&CK | By: Cortex XSOAR |
| GDPR | By: Cortex XSOAR |
| Gmail | By: Cortex XSOAR |
| Gmail Single User | By: Cortex XSOAR |
| HIPAA - Breach Notification | By: Cortex XSOAR |
| IBM Security QRadar SOAR | By: Cortex XSOAR |
| Mail Sender (New) | By: Cortex XSOAR |
| Microsoft Graph Mail | By: Cortex XSOAR |
| ProtectWise | By: Cortex XSOAR |
| Remote Access | By: Cortex XSOAR |
| Shodan | By: Cortex XSOAR |
| Sumo Logic | By: Cortex XSOAR |
All level dependencies (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
1.19.63 - 3526238 (May 25, 2025)
- 39931
Download
Scripts
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
EmailReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetListRow
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CreateHash
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
get-user-data
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CommandLineAnalysis
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FileReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FormatURL
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ChangeRemediationSLAOnSevChange
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IPNetwork
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LoadJSON
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LookupCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
clear-user-session
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
VerdictResult
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ParseYAML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GenerateAsBuiltConfiguration
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DomainReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MITRENameByID_Formatter
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ParseCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FilterByList
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
URLReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintRaw
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetTime
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
Strings
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IPReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ZipStrings
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetServerURL
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ReadFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
BMCTool
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
StopTimeToAssignOnOwnerChange
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetEntries
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
get-endpoint-data
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetIndicatorDBotScoreFromCache
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ChangeContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DumpJSON
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
cvss_color
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetInstances
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsListExist
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SendEmailOnSLABreach
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
- 39931
Download
1.19.58 - 3398781 (May 13, 2025)
1.19.52 - 3318350 (May 6, 2025)
- 39723
Download
Scripts
ServerLogs
- Updated the ServerLogs script to support only Cortex XSOAR on-prem (version 6.X).
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ServerLogs_docker
- Updated the ServerLogsDocker script to support only Cortex XSOAR on-prem (version 6.X).
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
- 39723
Download
1.19.48 - 3217247 (April 24, 2025)
- 39683
Download
Scripts
ConvertFile
Updated the ConvertFile script to handle invalid files by returning a failure error within the file context instead of causing a script failure.
New: CheckPDFEncryptionAndValidity
New: Added a new script- CheckPDFEncryptionAndValidity that Returns if a PDF is valid and if it is encrypted.
PreProcessImage
- Updated the Docker image to: demisto/processing-image-file:1.0.0.3205446.
- 39683
Download
1.19.45 - 3161494 (April 17, 2025)
- 39533
Download
Scripts
URLSSLVerification
- Updated the SSL certificate verification for all redirect chain.
- If the initial URL is HTTP and redirects to HTTPS with a valid certificate, verified = True.
- If the entire redirect chain remains HTTP, verified = False.
- set_http_as_suspicious updated logics.
- if set_http_as_suspicious='true' and the URL is http then DbotScore = Suspicious.
- if set_http_as_suspicious='true' and the URL is https DbotScore = Unknown.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
- 39533
Download
1.19.44 - 3133732 (April 14, 2025)
- 39397
Download
Scripts
ExportIncidentsToCSV
- Fixed an issue where the script failed when no results were returned or when the number of results exceeded the defined limit.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
clear-user-session
- Changed the clear-user-session command context.
- The structure of the context output has been modified. from {'Message': str, 'Result': str, 'Source': list[str], 'Username': str} to {'Message': str, 'Result': str, 'Brand': str, 'Username': str}.
- Each user and brand will now have their own dictionary instead of one dictionary for each user with a list of sources/brands.
- Updated handling the get-user-data command context change.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
- 39397
Download
1.19.42 - 3079234 (April 7, 2025)
- 39489
- 37711
- 39497
- 38761
Download
Scripts
New: JSONDiff
New: Added a new script- JSONDiff that compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format.
ExportAuditLogsToFile
- Fixed an issue that caused only 100 records to be retrieved.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
ContentPackInstaller
- Updated the Docker image to: demisto/xsoar-tools:1.0.0.2974997.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
GenerateAsBuilt
- Updated the Docker image to: demisto/teams:1.0.0.2027266.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
- 39489
- 37711
- 39497
- 38761
Download
1.19.38 - 3042633 (April 2, 2025)
- 39390
Download
Scripts
MaliciousRatioReputation
- - Documentation and metadata improvements.
VerifyIPv6Indicator
- - Documentation and metadata improvements.
cveReputationV2
- - Documentation and metadata improvements.
GetEnabledInstances
- - Documentation and metadata improvements.
HTTPListRedirects
- - Documentation and metadata improvements.
CheckFieldValue
- - Documentation and metadata improvements.
JSONtoCSV
- - Documentation and metadata improvements.
CloseInvestigationAsDuplicate
- - Documentation and metadata improvements.
displayMappedFields
- - Documentation and metadata improvements.
DecodeMimeHeader
- - Documentation and metadata improvements.
IPToHost
- - Documentation and metadata improvements.
PrintRaw
- - Documentation and metadata improvements.
AppendindicatorFieldWrapper
- - Documentation and metadata improvements.
ZipStrings
- - Documentation and metadata improvements.
SetGridField
- - Documentation and metadata improvements.
ConvertDatetoUTC
- - Documentation and metadata improvements.
ZipFile
- - Documentation and metadata improvements.
ChangeRemediationSLAOnSevChange
- - Documentation and metadata improvements.
GetLicenseID
- - Documentation and metadata improvements.
cvss_color
- - Documentation and metadata improvements.
GeneratePassword
- - Documentation and metadata improvements.
FormatURL
- - Documentation and metadata improvements.
SendEmailOnSLABreach
- - Documentation and metadata improvements.
GenerateSummaryReportButton
- - Documentation and metadata improvements.
SetTime
- - Documentation and metadata improvements.
GetEntries
- - Documentation and metadata improvements.
EncodeToAscii
- - Documentation and metadata improvements.
VerifyCIDR
- - Documentation and metadata improvements.
ExtractIndicatorsFromWordFile
- - Documentation and metadata improvements.
ExportAuditLogsToFile
- - Documentation and metadata improvements.
CertificateExtract
- - Documentation and metadata improvements.
enrich_exclude_button
- - Documentation and metadata improvements.
IncidentFields
- - Documentation and metadata improvements.
IPNetwork
- - Documentation and metadata improvements.
ExtractDomainAndFQDNFromUrlAndEmail
- - Documentation and metadata improvements.
SearchIncidentsSummary
- - Documentation and metadata improvements.
displayUtilitiesResults
- - Documentation and metadata improvements.
ExifRead
- - Documentation and metadata improvements.
ContentPackInstaller
- - Documentation and metadata improvements.
ContextContains
- - Documentation and metadata improvements.
GetStringsDistance
- - Documentation and metadata improvements.
GetFieldsByIncidentType
- - Documentation and metadata improvements.
ServerLogs_docker
- - Documentation and metadata improvements.
GetIndicatorDBotScoreFromCache
- - Documentation and metadata improvements.
DBotAverageScore
- - Documentation and metadata improvements.
UtilAnyResults
- - Documentation and metadata improvements.
NumberOfPhishingAttemptPerUser
- - Documentation and metadata improvements.
PreProcessImage
- - Documentation and metadata improvements.
FeedRelatedIndicatorsWidget
- - Documentation and metadata improvements.
LoadJSONFileToContext
- - Documentation and metadata improvements.
ExtractIndicatorsFromTextFile
- - Documentation and metadata improvements.
GetDataCollectionLink
- - Documentation and metadata improvements.
Ping
- - Documentation and metadata improvements.
ResolveShortenedURL
- - Documentation and metadata improvements.
StringSimilarity
- - Documentation and metadata improvements.
ReadFile
- - Documentation and metadata improvements.
Base64EncodeV2
- - Documentation and metadata improvements.
DockerHardeningCheck
- - Documentation and metadata improvements.
get-endpoint-data
- - Documentation and metadata improvements.
SetDateField
- - Documentation and metadata improvements.
ReadPDFFileV2
- - Documentation and metadata improvements.
FileReputation
- - Documentation and metadata improvements.
PrintErrorEntry
- - Documentation and metadata improvements.
RunPollingCommand
- - Documentation and metadata improvements.
GetErrorsFromEntry
- - Documentation and metadata improvements.
SearchIncidentsV2
- - Documentation and metadata improvements.
ShowIncidentIndicators
- - Documentation and metadata improvements.
HTMLtoMD
- - Documentation and metadata improvements.
GetDomainDNSDetails
- - Documentation and metadata improvements.
IPReputation
- - Documentation and metadata improvements.
Strings
- - Documentation and metadata improvements.
ParseWordDoc
- - Documentation and metadata improvements.
ProvidesCommand
- - Documentation and metadata improvements.
ReplaceMatchGroup
- - Documentation and metadata improvements.
GetIndicatorDBotScore
- - Documentation and metadata improvements.
ParseYAML
- - Documentation and metadata improvements.
OnionURLReputation
- - Documentation and metadata improvements.
ParseExcel
- - Documentation and metadata improvements.
SSDeepReputation
- - Documentation and metadata improvements.
DisplayHTMLWithImages
- - Documentation and metadata improvements.
DomainReputation
- - Documentation and metadata improvements.
LoadJSON
- - Documentation and metadata improvements.
IsDomainInternal
- - Documentation and metadata improvements.
SetByIncidentId
- - Documentation and metadata improvements.
CalculateEntropy
- - Documentation and metadata improvements.
SCPPullFiles
- - Documentation and metadata improvements.
AddKeyToList
- - Documentation and metadata improvements.
get-user-data
- - Documentation and metadata improvements.
ConvertXmlFileToJson
- - Documentation and metadata improvements.
StopTimeToAssignOnOwnerChange
- - Documentation and metadata improvements.
PDFUnlocker
- - Documentation and metadata improvements.
BreachConfirmationHTML
- - Documentation and metadata improvements.
ExtractDomainFromUrlAndEmail
- - Documentation and metadata improvements.
IsIPPrivate
- - Documentation and metadata improvements.
IndicatorMaliciousRatioCalculation
- - Documentation and metadata improvements.
EditServerConfig
- - Documentation and metadata improvements.
URLSSLVerification
- - Documentation and metadata improvements.
MITRENameByID_Formatter
- - Documentation and metadata improvements.
GenerateRandomString
- - Documentation and metadata improvements.
SetMultipleValues
- - Documentation and metadata improvements.
CompareLists
- - Documentation and metadata improvements.
StixCreator
- - Documentation and metadata improvements.
PopulateCriticalAssets
- - Documentation and metadata improvements.
TimeStampCompare
- - Documentation and metadata improvements.
ExtractAttackPattern
- - Documentation and metadata improvements.
ConvertFile
- - Documentation and metadata improvements.
SetWithTemplate
- - Documentation and metadata improvements.
JSONFileToCSV
- - Documentation and metadata improvements.
CommandLineAnalysis
- - Documentation and metadata improvements.
ExtractHTMLTables
- - Documentation and metadata improvements.
CertificateReputation
- - Documentation and metadata improvements.
FileCreateAndUploadV2
- - Documentation and metadata improvements.
AssignToMeButton
- - Documentation and metadata improvements.
Dig
- - Documentation and metadata improvements.
PcapHTTPExtractor
- - Documentation and metadata improvements.
JsonUnescape
- - Documentation and metadata improvements.
URLReputation
- - Documentation and metadata improvements.
VerdictResult
- - Documentation and metadata improvements.
ShowLocationOnMap
- - Documentation and metadata improvements.
LookupCSV
- - Documentation and metadata improvements.
DisplayHTML
- - Documentation and metadata improvements.
CheckSenderDomainDistance
- - Documentation and metadata improvements.
RunDockerCommand
- - Documentation and metadata improvements.
SetIndicatorGridField
- - Documentation and metadata improvements.
LanguageDetect
- - Documentation and metadata improvements.
EmailReputation
- - Documentation and metadata improvements.
clear-user-session
- - Documentation and metadata improvements.
AquatoneDiscoverV2
- - Documentation and metadata improvements.
ExportIncidentsToCSV
- - Documentation and metadata improvements.
IsInternalDomainName
- - Documentation and metadata improvements.
URLNumberOfAds
- - Documentation and metadata improvements.
FilterByList
- - Documentation and metadata improvements.
IsListExist
- - Documentation and metadata improvements.
DisableUserWrapper
- - Documentation and metadata improvements.
GetByIncidentId
- - Documentation and metadata improvements.
StopScheduledTask
- - Documentation and metadata improvements.
GenerateRandomUUID
- - Documentation and metadata improvements.
BMCTool
- - Documentation and metadata improvements.
UnzipFile
- - Documentation and metadata improvements.
- Fix an issue where the UnzipFile script incorrectly failed when extracting a file containing the word "Errors" in its name.
- Updated the Docker image to: demisto/unzip:1.0.0.2038416.
SSDeepSimilarity
- - Documentation and metadata improvements.
AddDBotScoreToContext
- - Documentation and metadata improvements.
MarkAsEvidenceByTag
- - Documentation and metadata improvements.
DumpJSON
- - Documentation and metadata improvements.
IsUrlPartOfDomain
- - Documentation and metadata improvements.
IsPDFFileEncrypted
- - Documentation and metadata improvements.
GetServerURL
- - Documentation and metadata improvements.
ConvertCountryCodeCountryName
- - Documentation and metadata improvements.
PrettyPrint
- - Documentation and metadata improvements.
CopyNotesToIncident
- - Documentation and metadata improvements.
DownloadAndArchivePythonLibrary
- - Documentation and metadata improvements.
CheckIndicatorValue
- - Documentation and metadata improvements.
TextFromHTML
- - Documentation and metadata improvements.
CreateIndicatorsFromSTIX
- - Documentation and metadata improvements.
ExportContextToJSONFile
- - Documentation and metadata improvements.
MatchRegexV2
- - Documentation and metadata improvements.
TopMaliciousRatioIndicators
- - Documentation and metadata improvements.
LinkIncidentsButton
- - Documentation and metadata improvements.
CompareIncidentsLabels
- - Documentation and metadata improvements.
CreateHash
- - Documentation and metadata improvements.
IsInternalHostName
- - Documentation and metadata improvements.
ReadQRCode
- - Documentation and metadata improvements.
ParseCSV
- - Documentation and metadata improvements.
ExtractHyperlinksFromOfficeFiles
- - Documentation and metadata improvements.
ExportIndicatorsToCSV
- - Documentation and metadata improvements.
ConvertTimezoneFromUTC
- - Documentation and metadata improvements.
IsolationAssetWrapper
- - Documentation and metadata improvements.
FileToBase64List
- - Documentation and metadata improvements.
hideFieldsOnNewIncident
- - Documentation and metadata improvements.
GenerateAsBuilt
- - Documentation and metadata improvements.
RepopulateFiles
- - Documentation and metadata improvements.
Base64ListToFile
- - Documentation and metadata improvements.
GenerateAsBuiltConfiguration
- - Documentation and metadata improvements.
ListUsedDockerImages
- - Documentation and metadata improvements.
GetListRow
- - Documentation and metadata improvements.
ParseEmailFilesV2
- - Documentation and metadata improvements.
ParseHTMLIndicators
- - Documentation and metadata improvements.
ServerLogs
- - Documentation and metadata improvements.
DeduplicateValuesbyKey
- - Documentation and metadata improvements.
CopyContextToField
- - Documentation and metadata improvements.
SearchIndicator
- - Documentation and metadata improvements.
GetInstances
- - Documentation and metadata improvements.
RemoveKeyFromList
- - Documentation and metadata improvements.
ScheduleGenericPolling
- - Documentation and metadata improvements.
IdentifyAttachedEmail
- - Documentation and metadata improvements.
HttpV2
- - Documentation and metadata improvements.
FetchIndicatorsFromFile
- - Documentation and metadata improvements.
ExtractFQDNFromUrlAndEmail
- - Documentation and metadata improvements.
CheckContextValue
- - Documentation and metadata improvements.
PrintContext
- - Documentation and metadata improvements.
PositiveDetectionsVSDetectionEngines
- - Documentation and metadata improvements.
CreateNewIndicatorsOnly
- - Documentation and metadata improvements.
GetDockerImageLatestTag
- - Documentation and metadata improvements.
MarkAsNoteByTag
- - Documentation and metadata improvements.
CalculateTimeDifference
- - Documentation and metadata improvements.
CVSSCalculator
- - Documentation and metadata improvements.
ExtractEmailV2
- - Documentation and metadata improvements.
ArrayToCSV
- - Documentation and metadata improvements.
ChangeContext
- - Documentation and metadata improvements.
ExportToXLSX
- - Documentation and metadata improvements.
GridFieldSetup
- - Documentation and metadata improvements.
AnalyzeTimestampIntervals
- - Documentation and metadata improvements.
PortListenCheck
- - Documentation and metadata improvements.
- 39390
Download
1.19.34 - 2929110 (March 20, 2025)
1.19.25 - 2438447 (February 11, 2025)
- 38349
Download
Scripts
ParseEmailFilesV2
- Fixed an issue where the ParseEmailFilesV2 script failed parsing a file contains BOM.
StixCreator
Fixed an issue where under specific conditions the exported times of the indicators were presented as UTC when they were actually in local time. All the exported times are now correctly parsed into UTC the time zone.
- 38349
Download
1.19.22 - 2306914 (February 9, 2025)
- 38535
- 38429
Download
Scripts
CloseInvestigationAsDuplicate
- Added support for raise_error argument, which allows raising an error in case of unclosed incident.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
CreateNewIndicatorsOnly
- Fixed an issue where the value of an existing indicator had a different letter case than the indicator on input.
- Fixed an issue where the script tried to associate to the incident an indicator that was not created, as it might have been excluded.
- Updated the Docker image to: demisto/python3:3.11.11.1940698.
- 38535
- 38429
Download
1.19.18 - 2134850 (February 4, 2025)
- 38462
Download
Scripts
ParseEmailFilesV2
- Fixed an issue that prevented the headers from being parsed correctly for eml files (unknown-8bit encoding).
- Fixed an issue that email with attachment was parsed incorrectly for eml files.
- Updated the Docker image to: demisto/parse-emails:1.0.0.2128577.
- 38462
Download
1.19.17 - 2110804 (January 30, 2025)
- 38325
Download
Scripts
CommandLineAnalysis
- Fixed an issue in CommandLineAnalysis where the original command was analyzed as part of the decoded command analysis.
- Updated the output format of the extracted indicators.
- Added the patterns to detect macOS Applescript suspicious command lines.
- 38325
Download
1.19.14 - 2081957 (January 27, 2025)
- 38318
- 38316
Download
Scripts
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ReadPDFFileV2
- Updated the Docker image to: demisto/readpdf:1.0.0.2034953.
PDFUnlocker
- Updated the Docker image to: demisto/readpdf:1.0.0.2034953.
- 38318
- 38316
Download
1.19.10 - R1989294 (January 14, 2025)
- 38109
Download
Scripts
GetDomainDNSDetails
- Updated the Docker image to: demisto/netutils:1.0.0.118055.
Ping
- Updated the Docker image to: demisto/netutils:1.0.0.118055.
HttpV2
Fixed an issue where the timeout_between_retries argument was treated as a string instead of being converted to a number.
- 38109
Download
1.19.8 - 1953876 (January 9, 2025)
- 38043
Download
Scripts
LookupCSV
Updated the Docker image to: demisto/python3:3.11.11.1940698.
CreateHash
Updated the Docker image to: demisto/python3:3.11.11.1940698.
BMCTool
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
CertificateReputation
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
clear-user-session
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
GenerateAsBuiltConfiguration
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
GetDockerImageLatestTag
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
ResolveShortenedURL
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
UnzipFile
- Code functionality improvements.
- Updated the Docker image to: demisto/unzip:1.0.0.117525.
- 38043
Download
1.19.6 - 1950870 (January 8, 2025)
- 38045
Download
Scripts
ExtractDomainAndFQDNFromUrlAndEmail
Updated the Docker image to: demisto/py3-tools:1.0.0.117220.
IPToHost
- Updated the script to display a clear message when no hostname is found, instead of returning the IP address.
- Updated the Docker image to: demisto/python3:3.11.11.1940698.
- 38045
Download
1.19.3 - 1935630 (January 6, 2025)
- 37472
Download
Scripts
AddKeyToList
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
CVSSCalculator
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
Dig
- Code functionality and documentation improvements.
- Updated the Docker image to: demisto/netutils:1.0.0.118055.
ExtractHTMLTables
Code functionality and documentation improvements.
IndicatorMaliciousRatioCalculation
- Code functionality and documentation improvements.
ParseYAML
- Code functionality and documentation improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
RemoveKeyFromList
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
SSDeepReputation
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
- 37472
Download
1.18.5 - 1841503 (December 19, 2024)
- 37611
Download
Scripts
SearchIncidentsV2
- Documentation and metadata improvements.
CopyNotesToIncident
- Fixed an issue where indicators were auto-extracted from the copied notes regardless of the value of the auto_extract argument.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
New: CommandLineAnalysis
- New: This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
- 0-25: Low Risk
- 26-50: Medium Risk
- 51-90: High Risk
- 91-100: Critical Risk
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors.
- 37611
Download
1.18.2 - 1834150 (December 18, 2024)
- 37760
Download
Scripts
New: MITRENameByID_Formatter
New: Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data).
IndicatorMaliciousRatioCalculation
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
RunPollingCommand
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
ExtractIndicatorsFromTextFile
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
NumberOfPhishingAttemptPerUser
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
DeleteContext
- Documentation and metadata improvements.
CopyContextToField
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
ExtractIndicatorsFromWordFile
- Documentation and metadata improvements.
SetAndHandleEmpty
- Documentation and metadata improvements.
CompareIncidentsLabels
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
findIncidentsWithIndicator
- Documentation and metadata improvements.
MarkRelatedIncidents
- Documentation and metadata improvements.
DockerHardeningCheck
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
GetDuplicatesMlv2
- Documentation and metadata improvements.
SetByIncidentId
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
SearchIncidentsV2
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
FindSimilarIncidents
- Documentation and metadata improvements.
- 37760
Download
1.17.6 - 1793696 (December 11, 2024)
- 37639
Download
Scripts
FormatURL
Fixed an issue where URLs were not parsed correctly when handling nested parenthesis in the URL query.
ExportToXLSX
- Updated the Docker image to: demisto/xslxwriter:1.0.0.117330.
AquatoneDiscoverV2
- Updated the Docker image to: demisto/aquatone:2.0.0.117469.
ReadQRCode
- Updated the Docker image to: demisto/qrcode:1.0.0.117542.
- 37639
Download
1.17.4 - 1780397 (December 9, 2024)
- 37620
- 37619
- 37618
- 37617
Download
Scripts
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
ParseHTMLIndicators
- Updated the Docker image to: demisto/bs4-tld:1.0.0.117606.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
- 37620
- 37619
- 37618
- 37617
Download
1.17.0 - 1745299 (December 3, 2024)
- 37431
Download
Scripts
get-user-data
- Updated the script to ensure that all data returned from each command is also returned to the context.
- Updated the script to include the source of the data in the context for each field.
ExtractIndicatorsFromWordFile
Internal code improvements.
- 37431
Download
1.15.98 - 1738579 (December 2, 2024)
- 37425
- 37421
- 37419
- 37422
- 37418
- 37420
Download
Scripts
ExportToCSV
Improved consistency of the script output by removing carriage return (\r) characters from the end of lines.
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.117209.
GenerateAsBuilt
- Updated the Docker image to: demisto/teams:1.0.0.116912.
- 37425
- 37421
- 37419
- 37422
- 37418
- 37420
Download
1.15.93 - 1699115 (November 25, 2024)
- 37378
- 37355
- 37356
- 37357
Download
Scripts
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
ExtractHTMLTables
- Updated the Docker image to: demisto/bs4-py3:1.0.0.117152.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
- 37378
- 37355
- 37356
- 37357
Download
1.15.88 - 1647729 (November 14, 2024)
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139
Download
Scripts
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SendEmailOnSLABreach
- Updated the Docker image to: demisto/python3:3.11.10.115186.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.11.10.115186.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
VerdictResult
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IsListExist
- Updated the Docker image to: demisto/python3:3.11.10.115186.
LookupCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ZipStrings
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.11.10.115186.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ReadFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.11.10.115186.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.11.10.115186.
StopTimeToAssignOnOwnerChange
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ParseCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
BMCTool
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.11.10.115186.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ChangeRemediationSLAOnSevChange
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetInstances
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.11.10.115186.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CreateHash
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DumpJSON
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.11.10.115186.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.11.10.115186.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.11.10.115186.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DomainReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.11.10.115186.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ChangeContext
- Updated the Docker image to: demisto/python3:3.11.10.115186.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ParseYAML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.11.10.115186.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintContext
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.11.10.115186.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetServerURL
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IPReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.11.10.115186.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.11.10.115186.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.11.10.115186.
URLReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ServerLogs
- Updated the Docker image to: demisto/python3:3.11.10.115186.
get-user-data
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FilterByList
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GenerateAsBuiltConfiguration
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
EmailReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintRaw
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.11.10.115186.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.11.10.115186.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.115186.
cvss_color
- Updated the Docker image to: demisto/python3:3.11.10.115186.
Strings
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetListRow
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IncidentFields
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetIndicatorDBotScoreFromCache
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FileReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetEntries
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.11.10.115186.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.11.10.115186.
LoadJSON
- Updated the Docker image to: demisto/python3:3.11.10.115186.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetTime
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FormatURL
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.11.10.115186.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.11.10.115186.
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139
Download
1.15.83 - 1615839 (November 10, 2024)
- 37108
- 37122
- 37109
- 37115
- 37124
- 37111
Download
Scripts
Ping
- Updated the Docker image to: demisto/netutils:1.0.0.115452.
Dig
- Updated the Docker image to: demisto/netutils:1.0.0.115452.
GetDomainDNSDetails
- Updated the Docker image to: demisto/netutils:1.0.0.115452.
HTMLtoMD
- Updated the Docker image to: demisto/btfl-soup:1.0.1.115405.
ContentPackInstaller
- Updated the Docker image to: demisto/xsoar-tools:1.0.0.115559.
- 37108
- 37122
- 37109
- 37115
- 37124
- 37111
Download
1.15.80 - 1602991 (November 6, 2024)
- 36995
- 37051
- 37052
- 36992
- 37006
- 36997
- 36994
- 36998
- 36993
- 37059
Download
Scripts
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
DownloadAndArchivePythonLibrary
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ZipFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExtractDomainAndFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
cvss_color
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.11.10.113941.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.11.10.113941.
Strings
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ChangeContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IPToHost
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
StopTimeToAssignOnOwnerChange
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ChangeRemediationSLAOnSevChange
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GenerateAsBuiltConfiguration
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ReadFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ContextContains
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CreateHash
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.11.10.113941.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetTime
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.11.10.113941.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsListExist
- Updated the Docker image to: demisto/python3:3.11.10.113941.
get-user-data
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LookupCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DomainReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ParseCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetEntries
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ZipStrings
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.11.10.113941.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsDomainInternal
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetServerURL
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DumpJSON
- Updated the Docker image to: demisto/python3:3.11.10.113941.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CompareLists
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.11.10.113941.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IncidentFields
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FilterByList
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FileReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.11.10.113941.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.11.10.113941.
URLReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.11.10.113941.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.11.10.113941.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IPReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.11.10.113941.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.11.10.113941.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ServerLogs
- Updated the Docker image to: demisto/python3:3.11.10.113941.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetDateField
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsIPPrivate
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LoadJSON
- Updated the Docker image to: demisto/python3:3.11.10.113941.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CalculateTimeDifference
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.11.10.113941.
displayMappedFields
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.11.10.113941.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintRaw
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.11.10.113941.
HttpV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
EmailReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.11.10.113941.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetInstances
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetIndicatorDBotScoreFromCache
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DemistoVersion
- Updated the Docker image to: demisto/python3:3.11.10.113941.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ParseYAML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.11.10.113941.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.11.10.113941.
BMCTool
- Updated the Docker image to: demisto/python3:3.11.10.113941.
VerdictResult
- Updated the Docker image to: demisto/python3:3.11.10.113941.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.11.10.113941.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FormatURL
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SendEmailOnSLABreach
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LinkIncidentsButton
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetListRow
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LinkIncidentsWithRetry
- Updated the Docker image to: demisto/python3:3.11.10.113941.
- 36995
- 37051
- 37052
- 36992
- 37006
- 36997
- 36994
- 36998
- 36993
- 37059
Download
1.15.75 - 1537605 (October 22, 2024)
- 36780
- 36769
- 36784
- 36766
- 36771
- 36498
- 36747
- 36773
- 36759
- 36725
- 36774
- 35865
Download
Scripts
PreProcessImage
- Updated the Docker image to: demisto/processing-image-file:1.0.0.113909.
PcapHTTPExtractor
- Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.113908.
- 36780
- 36769
- 36784
- 36766
- 36771
- 36498
- 36747
- 36773
- 36759
- 36725
- 36774
- 35865
Download
1.15.73 - 1504524 (October 14, 2024)
- 36505
- 36495
- 36494
- 36493
- 36492
- 36491
- 36490
- 36489
- 36486
- 36485
- 36484
- 36483
- 36488
- 36487
Download
Scripts
SSDeepSimilarity
- Updated the Docker image to: demisto/ssdeep:1.0.0.112284.
PDFUnlocker
- Updated the Docker image to: demisto/readpdf:1.0.0.112283.
JsonUnescape
- Updated the Docker image to: demisto/python3-deb:3.11.10.112166.
ReadPDFFileV2
- Updated the Docker image to: demisto/readpdf:1.0.0.112283.
UnzipFile
- Updated the Docker image to: demisto/unzip:1.0.0.112289.
PcapHTTPExtractor
- Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.112272.
ReadQRCode
- Updated the Docker image to: demisto/qrcode:1.0.0.112357.
- 36505
- 36495
- 36494
- 36493
- 36492
- 36491
- 36490
- 36489
- 36486
- 36485
- 36484
- 36483
- 36488
- 36487
Download
1.15.70 - 1480610 (October 8, 2024)
- 36260
- 36657
Download
Scripts
New: get-user-data
New: This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context. (Available from Cortex XSOAR 6.10.0).
ShowIncidentIndicators
- Fixed an issue with ShowIncidentIndicators fetching indicators with the same IDs.
- Updated the Docker image to: demisto/python3:3.11.10.111526.
- 36260
- 36657
Download
1.15.64 - 1434344 (September 25, 2024)
1.15.56 - R1340401 (September 3, 2024)
- 36053
Download
Scripts
ExtractFQDNFromUrlAndEmail
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/py3-tools:1.0.0.108682.
ExtractDomainAndFQDNFromUrlAndEmail
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/py3-tools:1.0.0.108682.
- 36053
Download
1.15.54 - 1311942 (August 26, 2024)
- 35995
Download
Scripts
ScheduleGenericPolling
- Fixed an issue where the script failed when given values containing quotation marks.
- Updated the Docker image to: demisto/python3:3.11.9.107902.
GenericPollingScheduledTask
- Fixed an issue where the script failed when given values containing quotation marks.
- 35995
Download
1.15.50 - 1265696 (August 12, 2024)
- 35403
Download
Scripts
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
- 35403
Download
1.15.38 - 1218660 (July 28, 2024)
1.15.29 - 1175817 (July 14, 2024)
- 35178
- 35115
Download
Scripts
DBotUpdateLogoURLPhishing
Updated the Docker image to: demisto/mlurlphishing:1.0.0.103417.
New: GenerateAsBuiltConfiguration
- New: Generate a JSON file that can be downloaded and used to create the As-Built document for Cortex XSOAR. (Available from Cortex XSOAR 6.10.0).
- 35178
- 35115
Download
1.15.26 - 1169083 (July 11, 2024)
- 35135
Download
Scripts
VerifyIPv6Indicator
- Updated the IPv6 formatter to remove unneeded prefixed characters.
- Updated the Docker image to: demisto/python3:3.10.14.101217.
DisplayHTMLWithImages
- Fixed an issue where embedded images not appear in the Email Body section in the Phishing incident layout.
- Updated the Docker image to: demisto/python3:3.10.14.99474.
- 35135
Download
1.15.17 - 1126229 (June 26, 2024)
- 34579
Download
Scripts
ReadQRCode
- Improved implementation of
stderrredirection by removingwurlitzer.pipes()and redirectingstderrto a temporary file. - The automation now extracts QR codes exclusively to improve performance.
- Updated the Docker image to: demisto/qrcode:1.0.0.98232.
- 34579
Download
1.15.4 - 1063016 (June 2, 2024)
- 34465
- 33830
- 33831
- 33828
- 33825
- 33805
- 33871
Download
Scripts
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExtractDomainAndFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
- 34465
- 33830
- 33831
- 33828
- 33825
- 33805
- 33871
Download
1.19.63 - 3526238 (May 25, 2025)
- 39931
Download
Scripts
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
EmailReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetListRow
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CreateHash
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
get-user-data
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CommandLineAnalysis
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintToAlert
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FileReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FormatURL
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IPNetwork
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LoadJSON
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
LookupCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
clear-user-session
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
VerdictResult
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintToParentIncident
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintToIncident
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ParseYAML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DomainReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
MITRENameByID_Formatter
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ParseCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FilterByList
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
URLReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PrintRaw
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetTime
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
Strings
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IPReputation
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ZipStrings
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetServerURL
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ReadFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
BMCTool
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetEntries
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
get-endpoint-data
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetIndicatorDBotScoreFromCache
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ChangeContext
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DumpJSON
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
cvss_color
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetInstances
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
IsListExist
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.12.8.3296088.
- 39931
Download
1.19.58 - 3398781 (May 13, 2025)
1.19.56 - 3386461 (May 12, 2025)
- 39878
Download
Scripts
HTMLtoMD
- Added the escape_misc argument. Set this argument to False if you wish to skip escaping miscellaneous punctuation characters.
- Updated the Docker image to: demisto/btfl-soup:1.0.1.3150379.
ReadQRCode
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/qrcode:1.0.0.3254386.
- 39878
Download
1.19.48 - 3217247 (April 24, 2025)
- 39683
Download
Scripts
ConvertFile
Updated the ConvertFile script to handle invalid files by returning a failure error within the file context instead of causing a script failure.
New: CheckPDFEncryptionAndValidity
New: Added a new script- CheckPDFEncryptionAndValidity that Returns if a PDF is valid and if it is encrypted.
PreProcessImage
- Updated the Docker image to: demisto/processing-image-file:1.0.0.3205446.
- 39683
Download
1.19.45 - 3161494 (April 17, 2025)
- 39533
Download
Scripts
URLSSLVerification
- Updated the SSL certificate verification for all redirect chain.
- If the initial URL is HTTP and redirects to HTTPS with a valid certificate, verified = True.
- If the entire redirect chain remains HTTP, verified = False.
- set_http_as_suspicious updated logics.
- if set_http_as_suspicious='true' and the URL is http then DbotScore = Suspicious.
- if set_http_as_suspicious='true' and the URL is https DbotScore = Unknown.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
- 39533
Download
1.19.44 - 3133732 (April 14, 2025)
- 39397
Download
Scripts
ExportIncidentsToCSV
- Fixed an issue where the script failed when no results were returned or when the number of results exceeded the defined limit.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
clear-user-session
- Changed the clear-user-session command context.
- The structure of the context output has been modified. from {'Message': str, 'Result': str, 'Source': list[str], 'Username': str} to {'Message': str, 'Result': str, 'Brand': str, 'Username': str}.
- Each user and brand will now have their own dictionary instead of one dictionary for each user with a list of sources/brands.
- Updated handling the get-user-data command context change.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
- 39397
Download
1.19.42 - 3079234 (April 7, 2025)
- 39489
- 37711
- 39497
- 38761
Download
Scripts
New: JSONDiff
New: Added a new script- JSONDiff that compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format.
ExportAuditLogsToFile
- Fixed an issue that caused only 100 records to be retrieved.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
ContentPackInstaller
- Updated the Docker image to: demisto/xsoar-tools:1.0.0.2974997.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
GenerateAsBuilt
- Updated the Docker image to: demisto/teams:1.0.0.2027266.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
IncidentFields
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
- 39489
- 37711
- 39497
- 38761
Download
1.19.38 - 3042633 (April 2, 2025)
- 39390
Download
Scripts
MaliciousRatioReputation
- - Documentation and metadata improvements.
VerifyIPv6Indicator
- - Documentation and metadata improvements.
cveReputationV2
- - Documentation and metadata improvements.
GetEnabledInstances
- - Documentation and metadata improvements.
HTTPListRedirects
- - Documentation and metadata improvements.
CheckFieldValue
- - Documentation and metadata improvements.
JSONtoCSV
- - Documentation and metadata improvements.
CloseInvestigationAsDuplicate
- - Documentation and metadata improvements.
displayMappedFields
- - Documentation and metadata improvements.
DecodeMimeHeader
- - Documentation and metadata improvements.
IPToHost
- - Documentation and metadata improvements.
PrintToParentIncident
- - Documentation and metadata improvements.
PrintRaw
- - Documentation and metadata improvements.
AppendindicatorFieldWrapper
- - Documentation and metadata improvements.
ZipStrings
- - Documentation and metadata improvements.
SetGridField
- - Documentation and metadata improvements.
ConvertDatetoUTC
- - Documentation and metadata improvements.
ZipFile
- - Documentation and metadata improvements.
GetLicenseID
- - Documentation and metadata improvements.
cvss_color
- - Documentation and metadata improvements.
GeneratePassword
- - Documentation and metadata improvements.
FormatURL
- - Documentation and metadata improvements.
GenerateSummaryReportButton
- - Documentation and metadata improvements.
SetTime
- - Documentation and metadata improvements.
GetEntries
- - Documentation and metadata improvements.
EncodeToAscii
- - Documentation and metadata improvements.
VerifyCIDR
- - Documentation and metadata improvements.
ExtractIndicatorsFromWordFile
- - Documentation and metadata improvements.
ExportAuditLogsToFile
- - Documentation and metadata improvements.
CertificateExtract
- - Documentation and metadata improvements.
enrich_exclude_button
- - Documentation and metadata improvements.
IncidentFields
- - Documentation and metadata improvements.
IPNetwork
- - Documentation and metadata improvements.
PrintToIncident
- - Documentation and metadata improvements.
ExtractDomainAndFQDNFromUrlAndEmail
- - Documentation and metadata improvements.
SearchIncidentsSummary
- - Documentation and metadata improvements.
displayUtilitiesResults
- - Documentation and metadata improvements.
ExifRead
- - Documentation and metadata improvements.
ContentPackInstaller
- - Documentation and metadata improvements.
ContextContains
- - Documentation and metadata improvements.
GetStringsDistance
- - Documentation and metadata improvements.
GetFieldsByIncidentType
- - Documentation and metadata improvements.
ServerLogs_docker
- - Documentation and metadata improvements.
GetIndicatorDBotScoreFromCache
- - Documentation and metadata improvements.
DBotAverageScore
- - Documentation and metadata improvements.
UtilAnyResults
- - Documentation and metadata improvements.
NumberOfPhishingAttemptPerUser
- - Documentation and metadata improvements.
PreProcessImage
- - Documentation and metadata improvements.
FeedRelatedIndicatorsWidget
- - Documentation and metadata improvements.
LoadJSONFileToContext
- - Documentation and metadata improvements.
ExtractIndicatorsFromTextFile
- - Documentation and metadata improvements.
GetDataCollectionLink
- - Documentation and metadata improvements.
Ping
- - Documentation and metadata improvements.
ResolveShortenedURL
- - Documentation and metadata improvements.
StringSimilarity
- - Documentation and metadata improvements.
ReadFile
- - Documentation and metadata improvements.
Base64EncodeV2
- - Documentation and metadata improvements.
DockerHardeningCheck
- - Documentation and metadata improvements.
get-endpoint-data
- - Documentation and metadata improvements.
SetDateField
- - Documentation and metadata improvements.
ReadPDFFileV2
- - Documentation and metadata improvements.
FileReputation
- - Documentation and metadata improvements.
PrintErrorEntry
- - Documentation and metadata improvements.
RunPollingCommand
- - Documentation and metadata improvements.
GetErrorsFromEntry
- - Documentation and metadata improvements.
SearchIncidentsV2
- - Documentation and metadata improvements.
ShowIncidentIndicators
- - Documentation and metadata improvements.
HTMLtoMD
- - Documentation and metadata improvements.
GetDomainDNSDetails
- - Documentation and metadata improvements.
IPReputation
- - Documentation and metadata improvements.
Strings
- - Documentation and metadata improvements.
ParseWordDoc
- - Documentation and metadata improvements.
ProvidesCommand
- - Documentation and metadata improvements.
ReplaceMatchGroup
- - Documentation and metadata improvements.
GetIndicatorDBotScore
- - Documentation and metadata improvements.
ParseYAML
- - Documentation and metadata improvements.
OnionURLReputation
- - Documentation and metadata improvements.
ParseExcel
- - Documentation and metadata improvements.
SSDeepReputation
- - Documentation and metadata improvements.
DisplayHTMLWithImages
- - Documentation and metadata improvements.
DomainReputation
- - Documentation and metadata improvements.
LoadJSON
- - Documentation and metadata improvements.
SetByIncidentId
- - Documentation and metadata improvements.
CalculateEntropy
- - Documentation and metadata improvements.
SCPPullFiles
- - Documentation and metadata improvements.
AddKeyToList
- - Documentation and metadata improvements.
get-user-data
- - Documentation and metadata improvements.
ConvertXmlFileToJson
- - Documentation and metadata improvements.
PDFUnlocker
- - Documentation and metadata improvements.
BreachConfirmationHTML
- - Documentation and metadata improvements.
ExtractDomainFromUrlAndEmail
- - Documentation and metadata improvements.
IndicatorMaliciousRatioCalculation
- - Documentation and metadata improvements.
EditServerConfig
- - Documentation and metadata improvements.
URLSSLVerification
- - Documentation and metadata improvements.
MITRENameByID_Formatter
- - Documentation and metadata improvements.
GenerateRandomString
- - Documentation and metadata improvements.
SetMultipleValues
- - Documentation and metadata improvements.
CompareLists
- - Documentation and metadata improvements.
StixCreator
- - Documentation and metadata improvements.
PopulateCriticalAssets
- - Documentation and metadata improvements.
TimeStampCompare
- - Documentation and metadata improvements.
ExtractAttackPattern
- - Documentation and metadata improvements.
ConvertFile
- - Documentation and metadata improvements.
SetWithTemplate
- - Documentation and metadata improvements.
JSONFileToCSV
- - Documentation and metadata improvements.
CommandLineAnalysis
- - Documentation and metadata improvements.
ExtractHTMLTables
- - Documentation and metadata improvements.
CertificateReputation
- - Documentation and metadata improvements.
FileCreateAndUploadV2
- - Documentation and metadata improvements.
AssignToMeButton
- - Documentation and metadata improvements.
Dig
- - Documentation and metadata improvements.
PcapHTTPExtractor
- - Documentation and metadata improvements.
JsonUnescape
- - Documentation and metadata improvements.
URLReputation
- - Documentation and metadata improvements.
VerdictResult
- - Documentation and metadata improvements.
ShowLocationOnMap
- - Documentation and metadata improvements.
LookupCSV
- - Documentation and metadata improvements.
DisplayHTML
- - Documentation and metadata improvements.
CheckSenderDomainDistance
- - Documentation and metadata improvements.
RunDockerCommand
- - Documentation and metadata improvements.
SetIndicatorGridField
- - Documentation and metadata improvements.
LanguageDetect
- - Documentation and metadata improvements.
EmailReputation
- - Documentation and metadata improvements.
clear-user-session
- - Documentation and metadata improvements.
AquatoneDiscoverV2
- - Documentation and metadata improvements.
ExportIncidentsToCSV
- - Documentation and metadata improvements.
IsInternalDomainName
- - Documentation and metadata improvements.
URLNumberOfAds
- - Documentation and metadata improvements.
FilterByList
- - Documentation and metadata improvements.
IsListExist
- - Documentation and metadata improvements.
DisableUserWrapper
- - Documentation and metadata improvements.
GetByIncidentId
- - Documentation and metadata improvements.
StopScheduledTask
- - Documentation and metadata improvements.
GenerateRandomUUID
- - Documentation and metadata improvements.
BMCTool
- - Documentation and metadata improvements.
UnzipFile
- - Documentation and metadata improvements.
- Fix an issue where the UnzipFile script incorrectly failed when extracting a file containing the word "Errors" in its name.
- Updated the Docker image to: demisto/unzip:1.0.0.2038416.
SSDeepSimilarity
- - Documentation and metadata improvements.
AddDBotScoreToContext
- - Documentation and metadata improvements.
MarkAsEvidenceByTag
- - Documentation and metadata improvements.
DumpJSON
- - Documentation and metadata improvements.
IsUrlPartOfDomain
- - Documentation and metadata improvements.
IsPDFFileEncrypted
- - Documentation and metadata improvements.
GetServerURL
- - Documentation and metadata improvements.
ConvertCountryCodeCountryName
- - Documentation and metadata improvements.
PrettyPrint
- - Documentation and metadata improvements.
CopyNotesToIncident
- - Documentation and metadata improvements.
DownloadAndArchivePythonLibrary
- - Documentation and metadata improvements.
CheckIndicatorValue
- - Documentation and metadata improvements.
TextFromHTML
- - Documentation and metadata improvements.
CreateIndicatorsFromSTIX
- - Documentation and metadata improvements.
ExportContextToJSONFile
- - Documentation and metadata improvements.
MatchRegexV2
- - Documentation and metadata improvements.
TopMaliciousRatioIndicators
- - Documentation and metadata improvements.
LinkIncidentsButton
- - Documentation and metadata improvements.
CompareIncidentsLabels
- - Documentation and metadata improvements.
CreateHash
- - Documentation and metadata improvements.
PrintToAlert
- - Documentation and metadata improvements.
IsInternalHostName
- - Documentation and metadata improvements.
ReadQRCode
- - Documentation and metadata improvements.
ParseCSV
- - Documentation and metadata improvements.
ExtractHyperlinksFromOfficeFiles
- - Documentation and metadata improvements.
ExportIndicatorsToCSV
- - Documentation and metadata improvements.
ConvertTimezoneFromUTC
- - Documentation and metadata improvements.
IsolationAssetWrapper
- - Documentation and metadata improvements.
FileToBase64List
- - Documentation and metadata improvements.
hideFieldsOnNewIncident
- - Documentation and metadata improvements.
GenerateAsBuilt
- - Documentation and metadata improvements.
RepopulateFiles
- - Documentation and metadata improvements.
Base64ListToFile
- - Documentation and metadata improvements.
ListUsedDockerImages
- - Documentation and metadata improvements.
GetListRow
- - Documentation and metadata improvements.
ParseEmailFilesV2
- - Documentation and metadata improvements.
ParseHTMLIndicators
- - Documentation and metadata improvements.
ServerLogs
- - Documentation and metadata improvements.
DeduplicateValuesbyKey
- - Documentation and metadata improvements.
CopyContextToField
- - Documentation and metadata improvements.
SearchIndicator
- - Documentation and metadata improvements.
GetInstances
- - Documentation and metadata improvements.
RemoveKeyFromList
- - Documentation and metadata improvements.
ScheduleGenericPolling
- - Documentation and metadata improvements.
IdentifyAttachedEmail
- - Documentation and metadata improvements.
HttpV2
- - Documentation and metadata improvements.
FetchIndicatorsFromFile
- - Documentation and metadata improvements.
ExtractFQDNFromUrlAndEmail
- - Documentation and metadata improvements.
CheckContextValue
- - Documentation and metadata improvements.
PrintContext
- - Documentation and metadata improvements.
PositiveDetectionsVSDetectionEngines
- - Documentation and metadata improvements.
CreateNewIndicatorsOnly
- - Documentation and metadata improvements.
GetDockerImageLatestTag
- - Documentation and metadata improvements.
MarkAsNoteByTag
- - Documentation and metadata improvements.
CalculateTimeDifference
- - Documentation and metadata improvements.
CVSSCalculator
- - Documentation and metadata improvements.
ExtractEmailV2
- - Documentation and metadata improvements.
ArrayToCSV
- - Documentation and metadata improvements.
ChangeContext
- - Documentation and metadata improvements.
ExportToXLSX
- - Documentation and metadata improvements.
GridFieldSetup
- - Documentation and metadata improvements.
AnalyzeTimestampIntervals
- - Documentation and metadata improvements.
PortListenCheck
- - Documentation and metadata improvements.
- 39390
Download
1.19.25 - 2438447 (February 11, 2025)
- 38349
Download
Scripts
ParseEmailFilesV2
- Fixed an issue where the ParseEmailFilesV2 script failed parsing a file contains BOM.
StixCreator
Fixed an issue where under specific conditions the exported times of the indicators were presented as UTC when they were actually in local time. All the exported times are now correctly parsed into UTC the time zone.
- 38349
Download
1.19.22 - 2306914 (February 9, 2025)
- 38535
- 38429
Download
Scripts
CloseInvestigationAsDuplicate
- Added support for raise_error argument, which allows raising an error in case of unclosed incident.
- Updated the Docker image to: demisto/python3:3.12.8.1983910.
CreateNewIndicatorsOnly
- Fixed an issue where the value of an existing indicator had a different letter case than the indicator on input.
- Fixed an issue where the script tried to associate to the incident an indicator that was not created, as it might have been excluded.
- Updated the Docker image to: demisto/python3:3.11.11.1940698.
- 38535
- 38429
Download
1.19.18 - 2134850 (February 4, 2025)
- 38462
Download
Scripts
ParseEmailFilesV2
- Fixed an issue that prevented the headers from being parsed correctly for eml files (unknown-8bit encoding).
- Fixed an issue that email with attachment was parsed incorrectly for eml files.
- Updated the Docker image to: demisto/parse-emails:1.0.0.2128577.
- 38462
Download
1.19.17 - 2110804 (January 30, 2025)
- 38325
Download
Scripts
CommandLineAnalysis
- Fixed an issue in CommandLineAnalysis where the original command was analyzed as part of the decoded command analysis.
- Updated the output format of the extracted indicators.
- Added the patterns to detect macOS Applescript suspicious command lines.
- 38325
Download
1.19.14 - 2081957 (January 27, 2025)
- 38318
- 38316
Download
Scripts
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.2020302.
ReadPDFFileV2
- Updated the Docker image to: demisto/readpdf:1.0.0.2034953.
PDFUnlocker
- Updated the Docker image to: demisto/readpdf:1.0.0.2034953.
- 38318
- 38316
Download
1.19.10 - R1989294 (January 14, 2025)
- 38109
Download
Scripts
GetDomainDNSDetails
- Updated the Docker image to: demisto/netutils:1.0.0.118055.
Ping
- Updated the Docker image to: demisto/netutils:1.0.0.118055.
HttpV2
Fixed an issue where the timeout_between_retries argument was treated as a string instead of being converted to a number.
- 38109
Download
1.19.8 - 1953876 (January 9, 2025)
- 38043
Download
Scripts
LookupCSV
Updated the Docker image to: demisto/python3:3.11.11.1940698.
CreateHash
Updated the Docker image to: demisto/python3:3.11.11.1940698.
BMCTool
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
CertificateReputation
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
clear-user-session
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
GetDockerImageLatestTag
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
ResolveShortenedURL
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
UnzipFile
- Code functionality improvements.
- Updated the Docker image to: demisto/unzip:1.0.0.117525.
- 38043
Download
1.19.6 - 1950870 (January 8, 2025)
- 38045
Download
Scripts
ExtractDomainAndFQDNFromUrlAndEmail
Updated the Docker image to: demisto/py3-tools:1.0.0.117220.
IPToHost
- Updated the script to display a clear message when no hostname is found, instead of returning the IP address.
- Updated the Docker image to: demisto/python3:3.11.11.1940698.
- 38045
Download
1.19.3 - 1935630 (January 6, 2025)
- 37472
Download
Scripts
AddKeyToList
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
CVSSCalculator
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
Dig
- Code functionality and documentation improvements.
- Updated the Docker image to: demisto/netutils:1.0.0.118055.
ExtractHTMLTables
Code functionality and documentation improvements.
IndicatorMaliciousRatioCalculation
- Code functionality and documentation improvements.
ParseYAML
- Code functionality and documentation improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
RemoveKeyFromList
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
SSDeepReputation
- Code functionality improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
- 37472
Download
1.18.5 - 1841503 (December 19, 2024)
- 37611
Download
Scripts
SearchIncidentsV2
- Documentation and metadata improvements.
CopyNotesToIncident
- Fixed an issue where indicators were auto-extracted from the copied notes regardless of the value of the auto_extract argument.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
New: CommandLineAnalysis
- New: This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows:
- 0-25: Low Risk
- 26-50: Medium Risk
- 51-90: High Risk
- 91-100: Critical Risk
The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors.
- 37611
Download
1.18.2 - 1834150 (December 18, 2024)
- 37760
Download
Scripts
New: MITRENameByID_Formatter
New: Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data).
IndicatorMaliciousRatioCalculation
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
RunPollingCommand
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
ExtractIndicatorsFromTextFile
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
NumberOfPhishingAttemptPerUser
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
DeleteContext
- Documentation and metadata improvements.
CopyContextToField
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
ExtractIndicatorsFromWordFile
- Documentation and metadata improvements.
SetAndHandleEmpty
- Documentation and metadata improvements.
CompareIncidentsLabels
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
findIncidentsWithIndicator
- Documentation and metadata improvements.
DockerHardeningCheck
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
GetDuplicatesMlv2
- Documentation and metadata improvements.
SetByIncidentId
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
SearchIncidentsV2
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/python3:3.11.10.116949.
FindSimilarIncidents
- Documentation and metadata improvements.
- 37760
Download
1.17.6 - 1793696 (December 11, 2024)
- 37639
Download
Scripts
FormatURL
Fixed an issue where URLs were not parsed correctly when handling nested parenthesis in the URL query.
ExportToXLSX
- Updated the Docker image to: demisto/xslxwriter:1.0.0.117330.
AquatoneDiscoverV2
- Updated the Docker image to: demisto/aquatone:2.0.0.117469.
ReadQRCode
- Updated the Docker image to: demisto/qrcode:1.0.0.117542.
- 37639
Download
1.17.4 - 1780397 (December 9, 2024)
- 37620
- 37619
- 37618
- 37617
Download
Scripts
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
ParseHTMLIndicators
- Updated the Docker image to: demisto/bs4-tld:1.0.0.117606.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.117810.
- 37620
- 37619
- 37618
- 37617
Download
1.17.0 - 1745299 (December 3, 2024)
- 37431
Download
Scripts
get-user-data
- Updated the script to ensure that all data returned from each command is also returned to the context.
- Updated the script to include the source of the data in the context for each field.
ExtractIndicatorsFromWordFile
Internal code improvements.
- 37431
Download
1.15.98 - 1738579 (December 2, 2024)
- 37425
- 37421
- 37419
- 37422
- 37418
- 37420
Download
Scripts
ExportToCSV
Improved consistency of the script output by removing carriage return (\r) characters from the end of lines.
SetGridField
- Updated the Docker image to: demisto/pandas:1.0.0.117209.
GenerateAsBuilt
- Updated the Docker image to: demisto/teams:1.0.0.116912.
- 37425
- 37421
- 37419
- 37422
- 37418
- 37420
Download
1.15.93 - 1699115 (November 25, 2024)
- 37378
- 37355
- 37356
- 37357
Download
Scripts
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
ExtractHTMLTables
- Updated the Docker image to: demisto/bs4-py3:1.0.0.117152.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.117112.
- 37378
- 37355
- 37356
- 37357
Download
1.15.88 - 1647729 (November 14, 2024)
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139
Download
Scripts
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.11.10.115186.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.11.10.115186.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
VerdictResult
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IsListExist
- Updated the Docker image to: demisto/python3:3.11.10.115186.
LookupCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ZipStrings
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.11.10.115186.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExportIncidentsToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ReadFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.11.10.115186.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ParseCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
BMCTool
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.11.10.115186.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetInstances
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.11.10.115186.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CreateHash
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DumpJSON
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.11.10.115186.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.11.10.115186.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.11.10.115186.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DomainReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.11.10.115186.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ChangeContext
- Updated the Docker image to: demisto/python3:3.11.10.115186.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintToAlert
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ParseYAML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.11.10.115186.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintContext
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.11.10.115186.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetServerURL
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IPReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.11.10.115186.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.11.10.115186.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.11.10.115186.
URLReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ServerLogs
- Updated the Docker image to: demisto/python3:3.11.10.115186.
get-user-data
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.11.10.115186.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FilterByList
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
EmailReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintRaw
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ProvidesCommand
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.11.10.115186.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.11.10.115186.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.115186.
cvss_color
- Updated the Docker image to: demisto/python3:3.11.10.115186.
Strings
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetListRow
- Updated the Docker image to: demisto/python3:3.11.10.115186.
IncidentFields
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetIndicatorDBotScoreFromCache
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FileReputation
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetEntries
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.11.10.115186.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.11.10.115186.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintToParentIncident
- Updated the Docker image to: demisto/python3:3.11.10.115186.
LoadJSON
- Updated the Docker image to: demisto/python3:3.11.10.115186.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.11.10.115186.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.11.10.115186.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.11.10.115186.
PrintToIncident
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.11.10.115186.
SetTime
- Updated the Docker image to: demisto/python3:3.11.10.115186.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FormatURL
- Updated the Docker image to: demisto/python3:3.11.10.115186.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.11.10.115186.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.11.10.115186.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.11.10.115186.
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139
Download
1.15.83 - 1615839 (November 10, 2024)
- 37124
- 37115
- 37122
- 37108
- 37111
- 37109
Download
Scripts
Ping
- Updated the Docker image to: demisto/netutils:1.0.0.115452.
Dig
- Updated the Docker image to: demisto/netutils:1.0.0.115452.
GetDomainDNSDetails
- Updated the Docker image to: demisto/netutils:1.0.0.115452.
HTMLtoMD
- Updated the Docker image to: demisto/btfl-soup:1.0.1.115405.
ContentPackInstaller
- Updated the Docker image to: demisto/xsoar-tools:1.0.0.115559.
- 37124
- 37115
- 37122
- 37108
- 37111
- 37109
Download
1.15.80 - 1602991 (November 6, 2024)
- 36997
- 36994
- 37006
- 36993
- 36998
- 37059
- 37052
- 36995
- 37051
- 36992
Download
Scripts
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
DownloadAndArchivePythonLibrary
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ZipFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
ExtractDomainAndFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.114656.
cvss_color
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckSenderDomainDistance
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DisplayHTMLWithImages
- Updated the Docker image to: demisto/python3:3.11.10.113941.
Base64EncodeV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ResolveShortenedURL
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CloseInvestigationAsDuplicate
- Updated the Docker image to: demisto/python3:3.11.10.113941.
Strings
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckIndicatorValue
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DisableUserWrapper
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ChangeContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetDockerImageLatestTag
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AnalyzeTimestampIntervals
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IPToHost
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ShowLocationOnMap
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExportIndicatorsToCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetDataCollectionLink
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExtractAttackPattern
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GenerateRandomString
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExportContextToJSONFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ReadFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ScheduleGenericPolling
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ContextContains
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CreateHash
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsolationAssetWrapper
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SearchIncidentsV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GeneratePassword
- Updated the Docker image to: demisto/python3:3.11.10.113941.
HTTPListRedirects
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LoadJSONFileToContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CreateNewIndicatorsOnly
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AddDBotScoreToContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetMultipleValues
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FeedRelatedIndicatorsWidget
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GenerateRandomUUID
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetTime
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrettyPrint
- Updated the Docker image to: demisto/python3:3.11.10.113941.
cveReputationV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
VerifyCIDR
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsListExist
- Updated the Docker image to: demisto/python3:3.11.10.113941.
get-user-data
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LookupCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DomainReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SCPPullFiles
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ParseCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AppendindicatorFieldWrapper
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CVSSCalculator
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetEntries
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExportAuditLogsToFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MaliciousRatioReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintToIncident
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ZipStrings
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckContextValue
- Updated the Docker image to: demisto/python3:3.11.10.113941.
displayUtilitiesResults
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RepopulateFiles
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CheckFieldValue
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsUrlPartOfDomain
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ConvertCountryCodeCountryName
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GenerateSummaryReportButton
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ConvertDatetoUTC
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetEnabledInstances
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetServerURL
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DumpJSON
- Updated the Docker image to: demisto/python3:3.11.10.113941.
TimeStampCompare
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetByIncidentId
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CompareLists
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ConvertTimezoneFromUTC
- Updated the Docker image to: demisto/python3:3.11.10.113941.
TextFromHTML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ServerLogs_docker
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CalculateEntropy
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DockerHardeningCheck
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ListUsedDockerImages
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IncidentFields
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FilterByList
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FileReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
URLSSLVerification
- Updated the Docker image to: demisto/python3:3.11.10.113941.
NumberOfPhishingAttemptPerUser
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PortListenCheck
- Updated the Docker image to: demisto/python3:3.11.10.113941.
URLReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsInternalHostName
- Updated the Docker image to: demisto/python3:3.11.10.113941.
URLNumberOfAds
- Updated the Docker image to: demisto/python3:3.11.10.113941.
JSONtoCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintToAlert
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IPReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintContext
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ReplaceMatchGroup
- Updated the Docker image to: demisto/python3:3.11.10.113941.
TopMaliciousRatioIndicators
- Updated the Docker image to: demisto/python3:3.11.10.113941.
UtilAnyResults
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ServerLogs
- Updated the Docker image to: demisto/python3:3.11.10.113941.
OnionURLReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
enrich_exclude_button
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetFieldsByIncidentType
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetDateField
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AssignToMeButton
- Updated the Docker image to: demisto/python3:3.11.10.113941.
AddKeyToList
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PopulateCriticalAssets
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExtractEmailV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SearchIncidentsSummary
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FileToBase64List
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IsInternalDomainName
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FileCreateAndUploadV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RemoveKeyFromList
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DecodeMimeHeader
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DeduplicateValuesbyKey
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ExtractIndicatorsFromTextFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LoadJSON
- Updated the Docker image to: demisto/python3:3.11.10.113941.
BreachConfirmationHTML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DBotAverageScore
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CalculateTimeDifference
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SSDeepReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MarkAsNoteByTag
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ShowIncidentIndicators
- Updated the Docker image to: demisto/python3:3.11.10.113941.
displayMappedFields
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MarkAsEvidenceByTag
- Updated the Docker image to: demisto/python3:3.11.10.113941.
EncodeToAscii
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintRaw
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetStringsDistance
- Updated the Docker image to: demisto/python3:3.11.10.113941.
HttpV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetIndicatorGridField
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IndicatorMaliciousRatioCalculation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
EmailReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintErrorEntry
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GridFieldSetup
- Updated the Docker image to: demisto/python3:3.11.10.113941.
JSONFileToCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetIndicatorDBotScore
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CopyNotesToIncident
- Updated the Docker image to: demisto/python3:3.11.10.113941.
MatchRegexV2
- Updated the Docker image to: demisto/python3:3.11.10.113941.
IdentifyAttachedEmail
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetInstances
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PrintToParentIncident
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ArrayToCSV
- Updated the Docker image to: demisto/python3:3.11.10.113941.
EditServerConfig
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetErrorsFromEntry
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CopyContextToField
- Updated the Docker image to: demisto/python3:3.11.10.113941.
DisplayHTML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetLicenseID
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetIndicatorDBotScoreFromCache
- Updated the Docker image to: demisto/python3:3.11.10.113941.
StringSimilarity
- Updated the Docker image to: demisto/python3:3.11.10.113941.
ParseYAML
- Updated the Docker image to: demisto/python3:3.11.10.113941.
VerifyIPv6Indicator
- Updated the Docker image to: demisto/python3:3.11.10.113941.
StopScheduledTask
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RunDockerCommand
- Updated the Docker image to: demisto/python3:3.11.10.113941.
RunPollingCommand
- Updated the Docker image to: demisto/python3:3.11.10.113941.
BMCTool
- Updated the Docker image to: demisto/python3:3.11.10.113941.
VerdictResult
- Updated the Docker image to: demisto/python3:3.11.10.113941.
hideFieldsOnNewIncident
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CompareIncidentsLabels
- Updated the Docker image to: demisto/python3:3.11.10.113941.
PositiveDetectionsVSDetectionEngines
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SetWithTemplate
- Updated the Docker image to: demisto/python3:3.11.10.113941.
Base64ListToFile
- Updated the Docker image to: demisto/python3:3.11.10.113941.
SearchIndicator
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CreateIndicatorsFromSTIX
- Updated the Docker image to: demisto/python3:3.11.10.113941.
FormatURL
- Updated the Docker image to: demisto/python3:3.11.10.113941.
LinkIncidentsButton
- Updated the Docker image to: demisto/python3:3.11.10.113941.
GetListRow
- Updated the Docker image to: demisto/python3:3.11.10.113941.
CertificateReputation
- Updated the Docker image to: demisto/python3:3.11.10.113941.
- 36997
- 36994
- 37006
- 36993
- 36998
- 37059
- 37052
- 36995
- 37051
- 36992
Download
1.15.75 - 1537605 (October 22, 2024)
- 36780
- 36769
- 36784
- 36766
- 36771
- 36498
- 36747
- 36773
- 36759
- 36725
- 36774
- 35865
Download
Scripts
PreProcessImage
- Updated the Docker image to: demisto/processing-image-file:1.0.0.113909.
PcapHTTPExtractor
- Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.113908.
- 36780
- 36769
- 36784
- 36766
- 36771
- 36498
- 36747
- 36773
- 36759
- 36725
- 36774
- 35865
Download
1.15.73 - 1504524 (October 14, 2024)
- 36505
- 36495
- 36494
- 36493
- 36492
- 36491
- 36490
- 36489
- 36486
- 36485
- 36484
- 36483
- 36488
- 36487
Download
Scripts
SSDeepSimilarity
- Updated the Docker image to: demisto/ssdeep:1.0.0.112284.
PDFUnlocker
- Updated the Docker image to: demisto/readpdf:1.0.0.112283.
JsonUnescape
- Updated the Docker image to: demisto/python3-deb:3.11.10.112166.
ReadPDFFileV2
- Updated the Docker image to: demisto/readpdf:1.0.0.112283.
UnzipFile
- Updated the Docker image to: demisto/unzip:1.0.0.112289.
PcapHTTPExtractor
- Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.112272.
ReadQRCode
- Updated the Docker image to: demisto/qrcode:1.0.0.112357.
- 36505
- 36495
- 36494
- 36493
- 36492
- 36491
- 36490
- 36489
- 36486
- 36485
- 36484
- 36483
- 36488
- 36487
Download
1.15.70 - 1480610 (October 8, 2024)
- 36260
- 36657
Download
Scripts
New: get-user-data
New: This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.##### ShowIncidentIndicators
- Fixed an issue with ShowIncidentIndicators fetching indicators with the same IDs.
- Updated the Docker image to: demisto/python3:3.11.10.111526.
- 36260
- 36657
Download
1.15.64 - 1434344 (September 25, 2024)
1.15.56 - R1340401 (September 3, 2024)
- 36053
Download
Scripts
ExtractFQDNFromUrlAndEmail
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/py3-tools:1.0.0.108682.
ExtractDomainAndFQDNFromUrlAndEmail
- Documentation and metadata improvements.
- Updated the Docker image to: demisto/py3-tools:1.0.0.108682.
- 36053
Download
1.15.54 - 1311942 (August 26, 2024)
- 35995
Download
Scripts
ScheduleGenericPolling
- Fixed an issue where the script failed when given values containing quotation marks.
- Updated the Docker image to: demisto/python3:3.11.9.107902.
GenericPollingScheduledTask
- Fixed an issue where the script failed when given values containing quotation marks.
- 35995
Download
1.15.50 - 1265696 (August 12, 2024)
- 35403
Download
Scripts
ExtractIndicatorsFromWordFile
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
ExtractHyperlinksFromOfficeFiles
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
ConvertFile
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
ParseWordDoc
- Updated the Docker image to: demisto/office-utils:2.0.0.107687.
- 35403
Download
1.15.38 - 1218660 (July 28, 2024)
1.15.26 - 1169083 (July 11, 2024)
- 35135
Download
Scripts
VerifyIPv6Indicator
- Updated the IPv6 formatter to remove unneeded prefixed characters.
- Updated the Docker image to: demisto/python3:3.10.14.101217.
DisplayHTMLWithImages
- Fixed an issue where embedded images not appear in the Email Body section in the Phishing incident layout.
- Updated the Docker image to: demisto/python3:3.10.14.99474.
- 35135
Download
1.15.17 - 1126229 (June 26, 2024)
- 34579
Download
Scripts
ReadQRCode
- Improved implementation of
stderrredirection by removingwurlitzer.pipes()and redirectingstderrto a temporary file. - The automation now extracts QR codes exclusively to improve performance.
- Updated the Docker image to: demisto/qrcode:1.0.0.98232.
- 34579
Download
1.15.14 - 1109876 (June 21, 2024)
- 34966
Download
Scripts
PrintToParentIncident
- Fixed an issue where the misnamed, recently-released PrintToParentAlert script was uploaded. It is no longer available, use PrintToParentIncident instead.
- - Updated the Docker image to: demisto/python3:3.10.14.98471.
CreateEmailHtmlBody
Fixed an issue where the alerts field was not mapped in Cortex XSIAM.
- 34966
Download
1.15.4 - 1063016 (June 2, 2024)
- 34465
- 33830
- 33831
- 33828
- 33825
- 33805
- 33871
Download
Scripts
FetchIndicatorsFromFile
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExifRead
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExtractDomainAndFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExtractFQDNFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
LanguageDetect
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
StixCreator
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ExtractDomainFromUrlAndEmail
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
ParseExcel
- Updated the Docker image to: demisto/py3-tools:1.0.0.96102.
- 34465
- 33830
- 33831
- 33828
- 33825
- 33805
- 33871
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | July 27, 2020 | |
| Last Release | May 28, 2025 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
