Common Scripts

Details
Content
Dependencies
Version History

Frequently used scripts pack.

Automations

Name	Description
JsonUnescape	Recursively un-escapes JSON data if escaped JSON is found
cveReputationV2	Provides the severity of the CVE based on the CVSS score where available.
ContainsCreditCardInfo	Check if a given value is true. Will return 'no' otherwise
checkValue	Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value.
IsValueInArray	Indicates whether a given value is a member of given array
GenerateSummaryReportButton	This button will generate summary 'Case Report' template for a given Incident
StopTimeToAssignOnOwnerChange	Stops the "Time To Assign" timer if the owner of the incident was changed.
URLReputation	A context script for URL entities
ShowIncidentIndicators	This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. This script is a field-display script, so it needs to be configured as such, when editing the incident field that will be used to display the indicators.
HttpV2	Sends a HTTP request with advanced capabilities
LinkIncidentsButton	Incident action button script to link or unlink Incidents from an Incident
IPReputation	A context script for IP entities
AddEvidence	Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)
DisplayHTMLWithImages	Display HTML with embedded images.
SendEmailOnSLABreach	Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.
ReadFile	Load the contents of a file into context.
VerifyCIDR	Verify that the CIDRs are valid.
StringSimilarity	This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
WordTokenizer	Tokenize the words in a input text.
PreProcessImage	This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id.
SearchIncidentsSummary	Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient.
IsInternalDomainName	This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
LookupCSV	Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
GetFieldsByIncidentType	Returns the incident field names associated to the specified incident type.
ProvidesCommand	Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.
StopScheduledTask	This stops the scheduled task whose ID is given in the taskID argument.
GetByIncidentId	Gets a value from the specified incident's context.
ConvertXmlFileToJson	Converts XML file entry to JSON format
ScheduleGenericPolling	Called by the GenericPolling playbook, schedules the polling task.
GridFieldSetup	Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"`
RunDockerCommand	This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.
DBotAverageScore	The script calculates the average DBot score for each indicator in the context.
BMCTool	Parse RDP bitmap cache data into a single collage image file.
UnPackFile	Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
IPNetwork	Gather information regarding CIDR - 1. Broadcast_address 2. CIDR 3. First_address 4. Last address 5. Max prefix len 6. Num addresses 7. Private 8. Version
MarkAsEvidenceByTag	Mark entries as evidence if they are tagged with given tag
CheckIndicatorValue	Check if indicators exist in the Threat Intel database.
SetDateField	Sets a custom incident field with current date
SearchIndicator	Searches Cortex XSOAR Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument.
CopyContextToField	Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ResolveShortenedURL	This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output.
ExportToCSV	Export given array to csv file
SetMultipleValues	Set multiple keys/values to the context.
UtilAnyResults	Utility script to use in playbooks - returns "yes" if the input is non-empty.
PrintErrorEntry	Prints an error entry with a given message
GetErrorsFromEntry	Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.
IsMaliciousIndicatorFound	Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
ZipFile	Zip a file and upload to war room
commentsToContext	Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
PositiveDetectionsVSDetectionEngines	Shows a bar chart of the number of Positive Detections out of overall detections
ContextGetPathForString	Searches for string in context and returns context path, returns null if not found.
JSONFileToCSV	Script to convert a War Room output JSON File to a CSV file.
IncreaseIncidentSeverity	Optionally increases the incident severity to the new value if it is greater than the existing severity.
ServerLogs_docker	Uses the ssh integration to grab the host server logs
Set	Set a value in context under the key you entered.
CreateNewIndicatorsOnly	Create indicators to the Threat Intel database only if they are not registered. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue.
FormatURL	Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("\|").
HTTPListRedirects	List the redirects for a given URL
CEFParser	Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.
ticksToTime	Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
UnEscapeIPs	Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1
IncidentAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
EncodeToAscii	Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)
ScheduleCommand	Schedule a command to run inside the war room at a future time (once or reoccurring)
IsGreaterThan	Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number
DisplayHTML	Display HTML in the War Room.
ParseYAML	Parses a YAML string into context
MarkAsNoteByTag	Mark entries as notes if they are tagged with given tag
SetAndHandleEmpty	Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ShowOnMap	Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).
ZipStrings	Joins values from two lists by index according to a given format.
RemoveKeyFromList	Removes a key in key/value store backed by an XSOAR list.
CompareLists	Compare two lists and put the differences in context.
ServerLogs	Uses the ssh integration to grab the host server logs
CVSSCalculator	This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation.
Exists	Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.
GenerateInvestigationSummaryReport	A script to generate investigation summary report in an automated way Can be used in post-processing flow as well.
EditServerConfig	Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.
RepopulateFiles	After running DeleteContext, this script can repopulate all the file entries in the ${File} context key
MathUtil	Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument
MatchRegexV2	Extracts regex data from the provided text. The script support groups and looping.
CheckSenderDomainDistance	Get the string distance for the sender from our domain
StringLength	Returns the length of the string passed as argument
CheckContextValue	This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.
MatchRegex	Deprecated. Use the MatchRegexV2 script instead.
ContentPackInstaller	Content packs installer from marketplace.
SetTime	Fill the current time in a custom incident field
SetByIncidentId	Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IsIPInRanges	Returns yes if the IP is in one of the ranges provided, returns no otherwise.
UnzipFile	Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.
ConvertXmlToJson	Converts XML string to JSON format
EmailAskUser	Ask a user a question via email and process the reply directly into the investigation.
MarkRelatedIncidents	Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
Strings	Extract strings from a file with optional filter - similar to binutils strings command
HTMLtoMD	Converts HTML to Markdown.
ExtractFQDNFromUrlAndEmail	Extracts FQDNs from URLs and emails.
hideFieldsOnNewIncident	When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
IsDomainInternal	The script takes one or more domain names and checks whether they're in the Cortex XSOAR list defined in the InternalDomainsListName argument. By default, the InternalDomainsListName argument will use the Cortex XSOAR list called "InternalDomains". The list can be customized by the user. It should contain the organization's internal domain names, separated by new lines. Subdomains are also supported in the list. The results of the script are tagged with the "Internal_Domain_Check_Results" tag, so they can be displayed in the War Room entry sections in incident layouts.
VerifyIPv6Indicator	Verify that the address is a valid IPv6 address.
ConvertDatetoUTC	Converts a date from a different timezone to UTC timezone.
ExifRead	Read image files metadata and provide Exif tags
IndicatorMaliciousRatioCalculation	Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
TextFromHTML	Extract regular text from the given HTML.
IsUrlPartOfDomain	Checks if the supplied URLs are in the specified domains.
ReplaceMatchGroup	Returns a string with all matches of a regex pattern groups replaced by a replacement.
RunPollingCommand	Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
Ping	Pings an IP or url address, to verify it's up
AddKeyToList	Adds/Replaces a key in key/value store backed by an XSOAR list.
ParseCSV	This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
FeedRelatedIndicatorsWidget	Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
StringReplace	Replaces regex match/es in string. Returns the string after replace was preformed.
CompareIncidentsLabels	Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
CreateIndicatorsFromSTIX	Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.
FileCreateAndUpload	Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.
GetStringsDistance	Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.
FindSimilarIncidents	Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
PrettyPrint	Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}
AquatoneDiscoverV2	aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.
PDFUnlocker	Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.
ContextSearchForString	Searches for string in a path in context. If path is null, string will be searched in full context.
AssignToMeButton	Assigns the current Incident to the Cortex XSOAR user who clicked the button
ConvertCountryCodeCountryName	Convert country name to country code or country code to country name. Only one of 'country_code' or 'country_name' can be provided. Example: Input: { "country_code": "US" } Output: { "United States" } Another Example: Input: { "country_name": "United States" } Output: { "US" }
ShowLocationOnMap	Show indicator geo location on map
FileCreateAndUploadV2	Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.
UnEscapeURLs	Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
GetDomainDNSDetails	Returns DNS details for a domain.
EmailReputation	A context script for Email entities
FailedInstances	Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
DeduplicateValuesbyKey	Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest.
SetWithTemplate	Set a value built by a template in context under the key you entered.
GetTime	Retrieves the current date and time.
DisableUserWrapper	This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.
CheckFieldValue	This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
AddDBotScoreToContext	Add DBot score to context for indicators with custom vendor, score, reliability, and type.
IPToHost	Try to get the hostname correlated with the input IP.
IncidentFields	Returns a dict of all incident fields that exist in the system.
GetDockerImageLatestTag	Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.
CreateArray	Will create an array object in context from given string input
ParseExcel	The automation takes Excel file (entryID) as an input and parses its content to the war room and context
IsListExist	Check if list exist in demisto lists.
ParseHTMLIndicators	This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
LanguageDetect	Language detection based on Google's language-detection.
DumpJSON	Dumps a json from context key input, and returns a json object string result
ExtractIndicatorsFromWordFile	Used to extract indicators from Word files (DOC, DOCX). The script does not extract data from macros (e.g., embedded code). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ArrayToCSV	Converts a simple Array into a textual comma separated string
ShowScheduledEntries	Show all scheduled entries for specific incident.
ExportToXLSX	Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.
DomainReputation	A context script for Domain entities
BinarySearchPy	Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black
http	Sends http request. Returns the response as json.
DemistoVersion	Return the Demisto server version.
isError	Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
ExportIndicatorsToCSV	This automation uses the Demisto REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room.
listExecutedCommands	Lists executed commands in War Room
PCAPMiner	Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.
GetEntries	Collect entries matching to the conditions in the war room
TopMaliciousRatioIndicators	Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
ContextGetEmails	Gets all email addresses in context, excluding ones given.
DecodeMimeHeader	Decode MIME base64 headers.
emailFieldTriggered	Sends email to incident owner when selected field is triggered.
CreateHash	Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html.
Sleep	Sleep for X seconds.
ExtractAttackPattern	Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
EmailAskUserResponse	Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
PortListenCheck	Checks whether a port was open on given host.
GetDataCollectionLink	Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument.
ConvertTimezoneFromUTC	Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString
MapValues	Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1
ContextGetIps	Gets all IP addresses in context, excluding ones given.
ExportContextToJSONFile	Exports the Context for the current Incident to a JSON file in the war room.
PopulateCriticalAssets	Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".
ExtractEmailV2	Verifies that an email address is valid and only returns the address if it is valid.
StixCreator	Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format.
SCPPullFiles	Take a list of devices and pull a specific file (given by path) from each using SCP
CloseInvestigationAsDuplicate	Close the current investigation as duplicate to other investigation.
Base64Encode	Will encode an input using Base64 format.
GetDuplicatesMlv2	Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
DBotClosedIncidentsPercentage	Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts.
GetLicenseID	Returns the license ID.
PrintContext	Pretty-print the contents of the playbook context
NumberOfPhishingAttemptPerUser	Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
URLNumberOfAds	Fetches the numbers of ads in the given url
ParseWordDoc	Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.
displayUtilitiesResults	This script displays the execution results of the tab's buttons in an HTML table format.
ToTable	Convert an array to a nice table display. Usually, from the context.
LoadJSON	Loads a json from string input, and returns a json object result
findIncidentsWithIndicator	Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IdentifyAttachedEmail	Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.
JSONtoCSV	Convert a JSON War Room output via EntryID to a CSV file.
ParseEmailFiles	Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.
FileToBase64List	Encode a file as base64 and store it in a Demisto list.
CalculateTimeDifference	Calculate the time difference, in minutes
AppendindicatorFieldWrapper	A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. Note: You can use this script in an incident Layout button to allow tags to be added to indicators through the incident.
GenerateRandomString	Generates random string
GenerateSummaryReports	Generate report summaries for the passed incidents.
displayMappedFields	Display the mapped fields in a dynamic-section
ReadPDFFileV2	Load a PDF file's content and metadata into context.
NotInContextVerification	Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.
GetIndicatorDBotScore	Add into the incident's context the system internal DBot score for the input indicator.
CreateEmailHtmlBody	This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: ${incident.labels.Email/from} ${incident.name} ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance.
URLSSLVerification	Verify URL SSL certificate
DeleteContext	Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GenericPollingScheduledTask	Runs the polling command repeatedly, completes a blocking manual task when polling is done.
SearchIncidentsV2	Searches Demisto incidents. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ConvertFile	Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0
FileReputation	A context script for hash entities
GenerateAsBuilt	Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured.
PcapHTTPExtractor	Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.
FetchIndicatorsFromFile	Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types.
IsIntegrationAvailable	Returns 'yes' if integration brand is available. Otherwise returns 'no'.
ConvertTableToHTML	Converts a given array to an HTML table
SetGridField	Creates a Grid table from items or key-value pairs.
GetEnabledInstances	Gets all currently enabled integration instances.
SSDeepReputation	Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
DockerHardeningCheck	Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide
GetIndicatorDBotScoreFromCache	Get the overall score for the indicator as calculated by DBot.
MaliciousRatioReputation	Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.
ExportIncidentsToCSV	This automation uses the Demisto REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room.
VerifyJSON	Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.
ParseEmailFilesV2	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info.
RemoteExec	Execute a command on a remote machine (without installing a D2 agent)
ExampleJSScript	This is only an example script, to showcase how to use and write JavaScript scripts
LessThanPercentage	Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float
IsInternalHostName	Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
cvss_color	This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score.
ChangeRemediationSLAOnSevChange	Changes the remediation SLA once a change in incident severity occurs. This is done automatically and the changes can be configured to your needs.
ContextGetHashes	Gets hashes (MD5,SHA1,SHA256) from context.
CalculateEntropy	Calculates the entropy for the given data.
OnionURLReputation	This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
ExtractIndicatorsFromTextFile	Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GetServerURL	Get the Server URL.
DBotUpdateLogoURLPhishing	Add, remove, or modify logos from the URL Phishing model.
Print	Prints text to war room (Markdown supported)
GeneratePassword	This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
CountArraySize	Count an array size
IsTrue	Check if a given value is true. Will return 'no' otherwise
ExtractDomainAndFQDNFromUrlAndEmail	Extracts domains and FQDNs from URLs and emails.
ExtractHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: If table has a single column, just create an array of strings from the values If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value If table has a header row, create a table of objects where attribute names are the headers If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…
PrintRaw	Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
AreValuesEqual	Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.
PublishEntriesToContext	Publish entries to incident's context
ExtractDomainFromUrlAndEmail	Extract Domain(s) from URL(s) and/or Email(s)
Base64EncodeV2	Encodes an input to Base64 format.
SSDeepSimilarity	This script finds similar files that can be related to each other by fuzzy hash (SSDeep).
SendMessageToOnlineUsers	Send message to Demisto online users over Email, Slack, Mattermost or all.
IsEmailAddressInternal	Checks if the email address is part of the internal domains
TimeStampCompare	Compares a single timestamp to a list of timestamps.
ContextContains	This script searches for a value in a context path.
BreachConfirmationHTML
Dig	DNS lookup utility to provide 'A' and 'PTR' record
LinkIncidentsWithRetry	Use this script to avoid DB version errors when simultaneously running multiple linked incidents.
CopyNotesToIncident	Copy all entries marked as notes from current incident to another incident.
ChangeContext	Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.
GetInstances	Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).
GetListRow	Parses a list by header and value.
ExportAuditLogsToFile	Uses the Demisto REST API integration to query the server audit trail logs, and return back a CSV or JSON file.
ExposeIncidentOwner	Expose the incident owner into IncidentOwner context key
EmailDomainSquattingReputation	Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm.
ContextFilter	Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
IsolationAssetWrapper	This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0).
ListUsedDockerImages	List all Docker images that are in use by the installed integrations and automations.
GenerateRandomUUID	Generates a random UUID (UUID 4).
FilterByList	Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.
LoadJSONFileToContext	Loads a JSON file from the war room to context.
Base64ListToFile	Converts Base64 file in a list to a binary file and upload to warroom
IsIPPrivate	The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs". The list can be modified, and by default uses the ranges defined by the Internet Assigned Numbers Authority (IANA). The following are the default CIDR ranges for private IPv4 addresses: 10.0.0.0/8 (range: 10.0.0.0 to 10.255.255.255) 172.16.0.0/12 (range: 172.16.0.0 to 172.31.255.255) 192.168.0.0/16 (range: 192.168.0.0 to 192.168.255.255) In addition to ranges, it's also possible to add specific IP addresses to the list. You may also tag IPs or IP ranges by adding a comma after the IP or range, and then adding the tag that you want to tag the corresponding IP indicators with.
AssignAnalystToIncident	Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command

Incident Fields

Name	Description
E-mail Address
Measures to Mitigate	" (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33
Malicious Cause (If the cause is a malicious attack)
Size - number of employees
Media Notification	The status of the media notification
Breach Confirmation	Is the DPO confirm the breach
Country where business has its main establishment	"‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4
Financial information breached	Is financial information breached
Medical Information breached	Is Medical Information breached
Size - turnover
Company Name
Consumer Reporting Agencies Notification
Management Notification
Secretary Notification
Is the Data Subject to DPIA
Unique identification number breached	Is unique identification number breached
Contact Name
DPO E-mail Address
Company Country
Postal Code
Affected Data Type
Attorney General Notification
Other PII data breached	Is other PII data breached
Possible Cause of the Breach
Affected Individuals Contact Information
Approximate number of affected data subjects
Date/time of the breach
Data Encryption Status
Contact Email address
Account information breached	Is account information breached
Residents Email Address
Sector of Affected Party
State CISO Notification
Contact Telephone number
Health insurance breached	Is health insurance breached
Where is data hosted
Individuals Notification
Contact Address
GDPR Notify Authorities	"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33
Company Address
Country where the breach took place
Unique biometric data breached	Is unique biometric data breached
Company City
Affected data	"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4
DPO Notification
Likely Impact	"A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35
Resident Notification Option
State where the breach took place
Company has Insurance for the Breach
Company Postal Code
Telephone no.
PII Data Type

Lists

Name	Description
InternalDomains
PrivateIPs

Automations

Name	Description
CheckSenderDomainDistance	Get the string distance for the sender from our domain
CreateArray	Will create an array object in context from given string input
PopulateCriticalAssets	Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".
ContextContains	This script searches for a value in a context path.
checkValue	Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value.
UnPackFile	Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
CreateNewIndicatorsOnly	Create indicators to the Threat Intel database only if they are not registered. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue.
emailFieldTriggered	Sends email to incident owner when selected field is triggered.
MathUtil	Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument
StixCreator	Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format.
IsListExist	Check if list exist in demisto lists.
URLReputation	A context script for URL entities
GetErrorsFromEntry	Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.
CountArraySize	Count an array size
IsIPInRanges	Returns yes if the IP is in one of the ranges provided, returns no otherwise.
TopMaliciousRatioIndicators	Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
ConvertXmlFileToJson	Converts XML file entry to JSON format
PositiveDetectionsVSDetectionEngines	Shows a bar chart of the number of Positive Detections out of overall detections
LoadJSONFileToContext	Loads a JSON file from the war room to context.
UnzipFile	Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.
SetWithTemplate	Set a value built by a template in context under the key you entered.
GetServerURL	Get the Server URL.
PcapHTTPExtractor	Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.
ParseExcel	The automation takes Excel file (entryID) as an input and parses its content to the war room and context
GenericPollingScheduledTask	Runs the polling command repeatedly, completes a blocking manual task when polling is done.
CompareLists	Compare two lists and put the differences in context.
SetTime	Fill the current time in a custom incident field
GetStringsDistance	Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.
CheckIndicatorValue	Check if indicators exist in the Threat Intel database.
CheckFieldValue	This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
DisplayHTMLWithImages	Display HTML with embedded images.
URLSSLVerification	Verify URL SSL certificate
AssignToMeButton	Assigns the current Incident to the Cortex XSIAM user who clicked the button
BreachConfirmationHTML
RunDockerCommand	This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.
Exists	Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.
Base64ListToFile	Converts Base64 file in a list to a binary file and upload to warroom
ServerLogs_docker	Uses the ssh integration to grab the host server logs
findIncidentsWithIndicator	Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
findAlertsWithIndicator	Lookup alerts with specified indicator. Use currentAlertId to omit the existing alert from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ExtractEmailV2	Verifies that an email address is valid and only returns the address if it is valid.
VerifyJSON	Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.
GenerateRandomUUID	Generates a random UUID (UUID 4).
IsGreaterThan	Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number
ParseYAML	Parses a YAML string into context
DomainReputation	A context script for Domain entities
ScheduleGenericPolling	Called by the GenericPolling playbook, schedules the polling task.
ParseCSV	This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
PublishEntriesToContext	Publish entries to incident's context
ExtractFQDNFromUrlAndEmail	Extracts FQDNs from URLs and emails.
GeneratePassword	This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
GetTime	Retrieves the current date and time.
ticksToTime	Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
SetGridField	Creates a Grid table from items or key-value pairs.
GenerateAsBuilt	Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured.
IncidentAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
AlertAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
ResolveShortenedURL	This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output.
ParseWordDoc	Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.
GetIndicatorDBotScoreFromCache	Get the overall score for the indicator as calculated by DBot.
ServerLogs	Uses the ssh integration to grab the host server logs
IsUrlPartOfDomain	Checks if the supplied URLs are in the specified domains.
NumberOfPhishingAttemptPerUser	Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
displayMappedFields	Display the mapped fields in a dynamic-section
JsonUnescape	Recursively un-escapes JSON data if escaped JSON is found
PrintRaw	Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
ExportIncidentsToCSV	This automation uses the Demisto REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room.
ExportAlertsToCSV	This automation uses the Demisto REST API Integration to batch export Alerts to CSV and return the resulting CSV file to the war room.
MapValues	Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1
ContentPackInstaller	Content packs installer from marketplace.
FetchIndicatorsFromFile	Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types.
ArrayToCSV	Converts a simple Array into a textual comma separated string
FileCreateAndUpload	Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.
CreateIndicatorsFromSTIX	Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.
IsInternalHostName	Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
ConvertXmlToJson	Converts XML string to JSON format
GetListRow	Parses a list by header and value.
ExposeIncidentOwner	Expose the incident owner into IncidentOwner context key
ExposeAlertOwner	Expose the alert owner into AlertOwner context key
ConvertTableToHTML	Converts a given array to an HTML table
MarkAsNoteByTag	Mark entries as notes if they are tagged with given tag
ShowOnMap	Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).
CalculateEntropy	Calculates the entropy for the given data.
PCAPMiner	Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.
UnEscapeURLs	Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
UtilAnyResults	Utility script to use in playbooks - returns "yes" if the input is non-empty.
LanguageDetect	Language detection based on Google's language-detection.
ShowIncidentIndicators	This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. This script is a field-display script, so it needs to be configured as such, when editing the incident field that will be used to display the indicators.
ShowAlertIndicators	This script is used to display the indicators of an alert in an alert field of type Array. It can be used to select indicators from the alert in order to later perform some actions, like tagging the indicators for blocking via EDL. This script is a field-display script, so it needs to be configured as such, when editing the alert field that will be used to display the indicators.
LessThanPercentage	Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float
ContainsCreditCardInfo	Check if a given value is true. Will return 'no' otherwise
ReadFile	Load the contents of a file into context.
ShowScheduledEntries	Show all scheduled entries for specific incident.
SetMultipleValues	Set multiple keys/values to the context.
IsValueInArray	Indicates whether a given value is a member of given array
IPToHost	Try to get the hostname correlated with the input IP.
DBotClosedIncidentsPercentage	Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts.
DBotClosedAlertsPercentage	Data output script for populating dashboard pie graph widget with the percentage of alerts closed by DBot vs. alerts closed by analysts.
EmailAskUserResponse	Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
cvss_color	This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score.
StringLength	Returns the length of the string passed as argument
FileToBase64List	Encode a file as base64 and store it in a Demisto list.
ExportContextToJSONFile	Exports the Context for the current Incident to a JSON file in the war room.
AddKeyToList	Adds/Replaces a key in key/value store backed by an XSOAR list.
URLNumberOfAds	Fetches the numbers of ads in the given url
cveReputationV2	Provides the severity of the CVE based on the CVSS score where available.
LoadJSON	Loads a json from string input, and returns a json object result
CloseInvestigationAsDuplicate	Close the current investigation as duplicate to other investigation.
GetDockerImageLatestTag	Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.
DeduplicateValuesbyKey	Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest.
LinkIncidentsButton	Incident action button script to link or unlink Incidents from an Incident
LinkAlertsButton	Alert action button script to link or unlink Alerts from an Alert
Base64Encode	Will encode an input using Base64 format.
ExtractHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: If table has a single column, just create an array of strings from the values If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value If table has a header row, create a table of objects where attribute names are the headers If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…
StopScheduledTask	This stops the scheduled task whose ID is given in the taskID argument.
GetFieldsByIncidentType	Returns the incident field names associated to the specified incident type.
GetFieldsByAlertType	Returns the alert field names associated to the specified alert type.
SCPPullFiles	Take a list of devices and pull a specific file (given by path) from each using SCP
Strings	Extract strings from a file with optional filter - similar to binutils strings command
FeedRelatedIndicatorsWidget	Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
TextFromHTML	Extract regular text from the given HTML.
LookupCSV	Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
DBotAverageScore	The script calculates the average DBot score for each indicator in the context.
ExtractDomainFromUrlAndEmail	Extract Domain(s) from URL(s) and/or Email(s)
hideFieldsOnNewIncident	When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
hideFieldsOnNewAlert	When you apply this script to an alert field, that alert field is hidden for new alerts, and it displays in edit mode.
MarkAsEvidenceByTag	Mark entries as evidence if they are tagged with given tag
PreProcessImage	This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id.
ListUsedDockerImages	List all Docker images that are in use by the installed integrations and automations.
WordTokenizer	Tokenize the words in a input text.
RemoteExec	Execute a command on a remote machine (without installing a D2 agent)
GetDuplicatesMlv2	Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ExtractIndicatorsFromTextFile	Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
EncodeToAscii	Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)
CEFParser	Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.
IncreaseIncidentSeverity	Optionally increases the incident severity to the new value if it is greater than the existing severity.
IncreaseAlertSeverity	Optionally increases the alert severity to the new value if it is greater than the existing severity.
FilterByList	Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.
GetByIncidentId	Gets a value from the specified incident's context.
GetByAlertId	Gets a value from the specified alert's context.
BMCTool	Parse RDP bitmap cache data into a single collage image file.
IsMaliciousIndicatorFound	Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
ScheduleCommand	Schedule a command to run inside the war room at a future time (once or reoccurring)
AddEvidence	Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)
ExportToXLSX	Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.
JSONFileToCSV	Script to convert a War Room output JSON File to a CSV file.
ConvertTimezoneFromUTC	Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString
AppendindicatorFieldWrapper	A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. Note: You can use this script in an incident Layout button to allow tags to be added to indicators through the incident.
DisplayHTML	Display HTML in the War Room.
ChangeContext	Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.
StringReplace	Replaces regex match/es in string. Returns the string after replace was preformed.
commentsToContext	Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
GetDataCollectionLink	Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument.
AssignAnalystToIncident	Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command
Ping	Pings an IP or url address, to verify it's up
BinarySearchPy	Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black
FailedInstances	Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
DecodeMimeHeader	Decode MIME base64 headers.
SendMessageToOnlineUsers	Send message to Demisto online users over Email, Slack, Mattermost or all.
NotInContextVerification	Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.
Set	Set a value in context under the key you entered.
ParseHTMLIndicators	This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
IsIntegrationAvailable	Returns 'yes' if integration brand is available. Otherwise returns 'no'.
CalculateTimeDifference	Calculate the time difference, in minutes
GetDomainDNSDetails	Returns DNS details for a domain.
SetAndHandleEmpty	Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
JSONtoCSV	Convert a JSON War Room output via EntryID to a CSV file.
PrettyPrint	Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}
CVSSCalculator	This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation.
ZipFile	Zip a file and upload to war room
IndicatorMaliciousRatioCalculation	Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ExampleJSScript	This is only an example script, to showcase how to use and write JavaScript scripts
Print	Prints text to war room (Markdown supported)
CompareIncidentsLabels	Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
CompareAlertsLabels	Compares the labels of two alerts. Returns the labels that are unique to each alert. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
AreValuesEqual	Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.
PDFUnlocker	Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.
ExifRead	Read image files metadata and provide Exif tags
VerifyIPv6Indicator	Verify that the address is a valid IPv6 address.
ContextSearchForString	Searches for string in a path in context. If path is null, string will be searched in full context.
PortListenCheck	Checks whether a port was open on given host.
CreateHash	Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html.
ExportIndicatorsToCSV	This automation uses the Demisto REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room.
ReadPDFFileV2	Load a PDF file's content and metadata into context.
ContextGetPathForString	Searches for string in context and returns context path, returns null if not found.
DeleteContext	Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
MatchRegex	Deprecated. Use the MatchRegexV2 script instead.
SSDeepReputation	Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
ShowLocationOnMap	Show indicator geo location on map
GridFieldSetup	Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"`
FindSimilarIncidents	Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
FindSimilarAlerts	Finds similar alerts by common alert keys, labels, custom fields or context keys. It's highly recommended to use alert keys if possible (e.g., "type" for the same alert type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ConvertCountryCodeCountryName	Convert country name to country code or country code to country name. Only one of 'country_code' or 'country_name' can be provided. Example: Input: { "country_code": "US" } Output: { "United States" } Another Example: Input: { "country_name": "United States" } Output: { "US" }
SetByIncidentId	Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
SetByAlertId	Works the same as the 'Set' command, but can work across alerts by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
SearchIndicator	Searches Cortex XSIAM Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument.
RemoveKeyFromList	Removes a key in key/value store backed by an XSOAR list.
ReplaceMatchGroup	Returns a string with all matches of a regex pattern groups replaced by a replacement.
ExportToCSV	Export given array to csv file
SearchIncidentsSummary	Searches Cortex XSIAM Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient.
SearchAlertsSummary	Searches Cortex XSIAM Alerts and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchAlertsV2 from the Common Scripts pack, but more efficient.
GenerateSummaryReports	Generate report summaries for the passed incidents.
CreateEmailHtmlBody	This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: ${incident.labels.Email/from} ${incident.name} ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance.
IPNetwork	Gather information regarding CIDR - 1. Broadcast_address 2. CIDR 3. First_address 4. Last address 5. Max prefix len 6. Num addresses 7. Private 8. Version
isError	Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
FileCreateAndUploadV2	Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.
GetIndicatorDBotScore	Add into the incident's context the system internal DBot score for the input indicator.
GenerateRandomString	Generates random string
OnionURLReputation	This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSIAM CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
Sleep	Sleep for X seconds.
FileReputation	A context script for hash entities
ExtractIndicatorsFromWordFile	Used to extract indicators from Word files (DOC, DOCX). The script does not extract data from macros (e.g., embedded code). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IsEmailAddressInternal	Checks if the email address is part of the internal domains
ContextGetHashes	Gets hashes (MD5,SHA1,SHA256) from context.
CopyNotesToIncident	Copy all entries marked as notes from current incident to another incident.
CopyNotesToAlert	Copy all entries marked as notes from current alert to another alert.
RepopulateFiles	After running DeleteContext, this script can repopulate all the file entries in the ${File} context key
FormatURL	Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("\|").
http	Sends http request. Returns the response as json.
DumpJSON	Dumps a json from context key input, and returns a json object string result
GetLicenseID	Returns the license ID.
VerifyCIDR	Verify that the CIDRs are valid.
UnEscapeIPs	Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1
PrintErrorEntry	Prints an error entry with a given message
ExportAuditLogsToFile	Uses the Demisto REST API integration to query the server audit trail logs, and return back a CSV or JSON file.
MatchRegexV2	Extracts regex data from the provided text. The script support groups and looping.
GetInstances	Returns integration instances configured in Cortex XSIAM. You can filter by instance status and/or brand name (vendor).
GenerateInvestigationSummaryReport	A script to generate investigation summary report in an automated way Can be used in post-processing flow as well.
ContextGetEmails	Gets all email addresses in context, excluding ones given.
EditServerConfig	Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.
HttpV2	Sends a HTTP request with advanced capabilities
CopyContextToField	Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
IsInternalDomainName	This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
IsolationAssetWrapper	This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSIAM 6.0.0).
IncidentFields	Returns a dict of all incident fields that exist in the system.
AlertFields	Returns a dict of all alert fields that exist in the system.
SendEmailOnSLABreach	Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.
SetDateField	Sets a custom incident field with current date
GetEntries	Collect entries matching to the conditions in the war room
ExtractAttackPattern	Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
listExecutedCommands	Lists executed commands in War Room
ZipStrings	Joins values from two lists by index according to a given format.
ExtractDomainAndFQDNFromUrlAndEmail	Extracts domains and FQDNs from URLs and emails.
SSDeepSimilarity	This script finds similar files that can be related to each other by fuzzy hash (SSDeep).
IsTrue	Check if a given value is true. Will return 'no' otherwise
ConvertFile	Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0
TimeStampCompare	Compares a single timestamp to a list of timestamps.
EmailReputation	A context script for Email entities
CheckContextValue	This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.
StringSimilarity	This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
DockerHardeningCheck	Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide
DisableUserWrapper	This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.
ContextGetIps	Gets all IP addresses in context, excluding ones given.
ContextFilter	Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
EmailDomainSquattingReputation	Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm.
MaliciousRatioReputation	Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.
PrintContext	Pretty-print the contents of the playbook context
IdentifyAttachedEmail	Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.
RunPollingCommand	Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
ParseEmailFiles	Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.
ParseEmailFilesV2	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info.
GetEnabledInstances	Gets all currently enabled integration instances.
ToTable	Convert an array to a nice table display. Usually, from the context.
IPReputation	A context script for IP entities
AquatoneDiscoverV2	aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.
ConvertDatetoUTC	Converts a date from a different timezone to UTC timezone.
ProvidesCommand	Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.
HTTPListRedirects	List the redirects for a given URL
SearchIncidentsV2	Searches Demisto incidents. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
SearchAlertsV2	Searches Demisto alerts. A summarized version of this scrips is avilable with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
HTMLtoMD	Converts HTML to Markdown.
displayUtilitiesResults	This script displays the execution results of the tab's buttons in an HTML table format.
Dig	DNS lookup utility to provide 'A' and 'PTR' record
GenerateSummaryReportButton	This button will generate summary 'Case Report' template for a given Incident
EmailAskUser	Ask a user a question via email and process the reply directly into the investigation.
AddDBotScoreToContext	Add DBot score to context for indicators with custom vendor, score, reliability, and type.
Base64EncodeV2	Encodes an input to Base64 format.

Incident Fields

Name	Description
Approximate number of affected data subjects
Unique biometric data breached	Is unique biometric data breached
PII Data Type
Contact Name
Where is data hosted
Company has Insurance for the Breach
E-mail Address
Country where business has its main establishment	"‘main establishment’ means: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;" - GDPR Art. 4
Consumer Reporting Agencies Notification
Breach Confirmation	Is the DPO confirm the breach
Is the Data Subject to DPIA
Medical Information breached	Is Medical Information breached
Management Notification
Sector of Affected Party
Financial information breached	Is financial information breached
Individuals Notification
DPO E-mail Address
Likely Impact	"A data protection impact assessment (…) shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. - GDPR Art. 35
Postal Code
Telephone no.
Secretary Notification
Resident Notification Option
Company Name
Size - turnover
Data Encryption Status
Malicious Cause (If the cause is a malicious attack)
Attorney General Notification
Health insurance breached	Is health insurance breached
GDPR Notify Authorities	"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." - GDPR Art. 33
Residents Email Address
Other PII data breached	Is other PII data breached
Affected Individuals Contact Information
Media Notification	The status of the media notification
State CISO Notification
Company Postal Code
Unique identification number breached	Is unique identification number breached
Contact Address
Account information breached	Is account information breached
Company Address
Company City
Measures to Mitigate	" (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects." - GDPR Art. 33
DPO Notification
Affected data	"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" - GDPR Art. 4
Affected Data Type
Possible Cause of the Breach
Size - number of employees
Contact Email address
Contact Telephone number
State where the breach took place

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR

Optional Content Packs (13)

Pack Name	Pack By
US - Breach Notification	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
GDPR	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Gmail Single User	By: Cortex XSOAR
HIPAA - Breach Notification	By: Cortex XSOAR
Mail Sender (New)	By: Cortex XSOAR
Microsoft Graph Mail	By: Cortex XSOAR
ProtectWise	By: Cortex XSOAR
Remote Access	By: Cortex XSOAR
Shodan	By: Cortex XSOAR
Sumo Logic	By: Cortex XSOAR

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

1.12.51 - 7012606 (November 28, 2023)

Scripts

FormatURL

Improved error handling for better performance when the script fails.
Updated the Docker image to: demisto/python3:3.10.13.80593.

ExtractDomainAndFQDNFromUrlAndEmail

Improved error handling for better performance when the script fails.
Updated the Docker image to: demisto/py3-tools:1.0.0.81280.

ExtractEmailV2

Improved error handling for better performance when the script fails.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Sleep

Improved performance for longer sleep times. When seconds is greater than the configured threshold (5 minutes by default), sleep will switch to a polling state instead of waiting.

Related pull requests:
- 30661

Download

1.12.49 - 7001088 (November 27, 2023)

Scripts

GetIndicatorDBotScoreFromCache

Fixed an issue where the script failed when providing indicator values with special characters.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Related pull requests:
- 31070

Download

1.12.48 - 6992191 (November 26, 2023)

Scripts

DBotClosedIncidentsPercentage

Updated the query in theDBotClosedIncidentsPercentage script to status:closed and closingUser:DBot.

Related pull requests:
- 31093

Download

1.12.47 - 6989486 (November 26, 2023)

Scripts

IsIntegrationAvailable

Fixed an issue where the outputs for Conditional Tasks were not 'yes' or 'no' (issue was introduced in 1.12.46).

Related pull requests:
- 31107

Download

1.12.46 - 6965450 (November 22, 2023)

Scripts

IsIntegrationAvailable

Improved implementation for better performance.
Updated the Docker image to: demisto/python3:3.10.13.80593.

GetListRow

Fixed an issue where sometimes a redundant \r would appear at the end of the line.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Related pull requests:
- 31020

Download

1.12.44 - 6910634 (November 16, 2023)

Scripts

GetErrorsFromEntry

The script will now use the getEntriesByIDs command instead of getEntry command to get entries by ID in XSIAM and XSOAR SAAS.

Related pull requests:
- 30930

Download

1.12.43 - 6906425 (November 16, 2023)

Scripts

ReadPDFFileV2

Updated the docker image to demisto/readpdf:1.0.0.78799.
Added support for opening PDF files with owner passwords.

Related pull requests:
- 30927

Download

1.12.42 - 6887992 (November 14, 2023)

Scripts

GetIndicatorDBotScoreFromCache

Added support for providing multiple indicators in a single run of the script.
Updated the Docker image to: demisto/python3:3.10.13.80014.

Related pull requests:
- 30865

Download

1.12.41 - R6834680 (November 8, 2023)

Scripts

GetDataCollectionLink

Updated the Docker image to: demisto/python3:3.10.13.80014.
Added support for XSOAR 8.4.0+ and XSIAM.

Related pull requests:
- 30336

Download

1.12.40 - R6819164 (November 7, 2023)

Scripts

EmailDomainSquattingReputation

Improved implementation and the performance of the script by using native JavaScript code.

Related pull requests:
- 30615

Download

1.12.39 - 6800291 (November 5, 2023)

Scripts

StringSimilarity

The script now supports comparing every string between two arrays of strings.

Related pull requests:
- 30364

Download

1.12.38 - 6704012 (October 25, 2023)

Scripts

PreProcessImage

Updated the Docker image to: demisto/processing-image-file:1.0.0.78798.

Related pull requests:
- 30225

Download

1.12.37 - 6674581 (October 22, 2023)

Scripts

GetDockerImageLatestTag

Updated the Docker image to: demisto/python3:3.10.13.78623.

BMCTool

Updated the Docker image to: demisto/python3:3.10.13.78623.

Related pull requests:
- 30290

Download

1.12.36 - 6671974 (October 22, 2023)

Scripts

ExtractIndicatorsFromWordFile

Updated the Docker image to: demisto/office-utils:2.0.0.78144.

ConvertFile

Updated the Docker image to: demisto/office-utils:2.0.0.78144.

Related pull requests:
- 30277

Download

1.12.35 - 6657279 (October 20, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.78248.

Related pull requests:
- 30284
- 30277

Download

1.12.34 - 6606453 (October 15, 2023)

Scripts

PDFUnlocker

Updated to use the pikepdf library instead of PyPDF2 in order to unlock more types of encryption.
Updated the Docker image to: demisto/readpdf:1.0.0.77212.

Related pull requests:
- 30129

Download

1.12.33 - 6580543 (October 12, 2023)

Scripts

ScheduleGenericPolling

Fixed an issue where a value was not sanitized.
Updated the Docker image to: demisto/python3:3.10.13.75921.

Related pull requests:
- 30123

Download

1.12.32 - 6564291 (October 10, 2023)

Scripts

SetGridField

Fixed an issue where the automation failed when setting empty grid fields on XSIAM.

Related pull requests:
- 30107

Download

1.12.31 - 6527890 (October 6, 2023)

Scripts

SetGridField

Updated the Docker image to: demisto/pandas:1.0.0.76121.
Fixed an issue where the automation failed when setting empty grid fields on XSIAM.

Related pull requests:
- 30032

Download

1.12.30 - 6521786 (October 5, 2023)

Scripts

TextFromHTML

Added the allow_body_fallback argument, which allows using the full html as the body in case the input html does not have a body tag.
Added the replace_line_breaks argument, which allows replacing br tags in the html with line breaks in the extracted text.
Added the trim_result argument, which allows replacing leading and trailing whitespaces as well as collapsing multiple empty lines in the extracted text to a single empty line.
Added the output_to_context argument, which allows storing the extracted text in context.
Updated the Docker image to: demisto/python3:3.10.13.75921.

Related pull requests:
- 30036
- 29836

Download

1.12.29 - 6437102 (September 27, 2023)

Scripts

Ping

Updated the Docker image to: demisto/netutils:1.0.0.74582.

Dig

Updated the Docker image to: demisto/netutils:1.0.0.74582.

GetDomainDNSDetails

Updated the Docker image to: demisto/netutils:1.0.0.74582.

Related pull requests:
- 29576

Download

1.12.28 - 6429983 (September 26, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.75644.

GetDockerImageLatestTag

Updated the Docker image to: demisto/python3:3.10.13.74666.

Related pull requests:
- 29799

Download

1.12.26 - 6389447 (September 21, 2023)

Scripts

cvss_color

Updated the Docker image to: demisto/python3:3.10.13.74666.
Fixed an issue where the script failed if the indicator had no custom fields.

StixCreator

Fixed an issue where spec_version was empty when exporting more than one indicator.
Updated the Docker image to: demisto/py3-tools:1.0.0.74403.

ExportAuditLogsToFile

Added support to XSOAR 8.
Updated the Docker image to: demisto/python3:3.10.13.74666.

Related pull requests:
- 29781

Download

1.12.23 - 6303396 (September 12, 2023)

Scripts

GetDomainDNSDetails

Updated the Docker image to: demisto/dnspython:1.0.0.73453.

Related pull requests:
- 29611

Download

1.12.22 - 6285754 (September 10, 2023)

Scripts

StixCreator

Updated the Docker image to: demisto/py3-tools:1.0.0.72621.
Fixed an issue where Report indicator was not exported in STIX format.
Fixed an issue where exporting failed when non STIX compatible indicators were present in XSOAR.

Related pull requests:
- 29466

Download

1.12.20 - 6234071 (September 4, 2023)

Scripts

SetGridField

Updated the Docker image to: demisto/pandas:1.0.0.72335.
Added the keys_from_nested argument to support dictionary and array fields under the provided context path.

Related pull requests:
- 29137

Download

1.12.19 - 6200580 (August 31, 2023)

Scripts

IsInternalHostName

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29351

Download

1.12.18 - 6174567 (August 28, 2023)

Scripts

ParseEmailFilesV2

Fixed an issue where several unicode spaces weren't parsed as expected.
Updated the Docker image to: demisto/parse-emails:1.0.0.72707.

Related pull requests:
- 29283

Download

1.12.17 - 6158432 (August 26, 2023)

Scripts

GeneratePassword

Fixed an issue where the min_ and max_ arguments were not correctly assigned to the value 0 when provided.
Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29203

Download

1.12.16 - R6143763 (August 24, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.71712.
Added support for Macintosh HFS file type.

Related pull requests:
- 28987

Download

1.12.15 - R6076227 (August 17, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.69980.

Related pull requests:
- 28946

Download

1.12.14 - 6038506 (August 13, 2023)

Scripts

StringSimilarity

Fixed an issue where the the script errored instead of returning None when no similarity was found.
Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 28889

Download

1.12.13 - 6010750 (August 10, 2023)

Scripts

CreateNewIndicatorsOnly

Fixed an issue where the indicator_value was not properly escaped before being used in the 'findIndicators' command.
Updated the Docker image to: demisto/python3:3.10.12.68300.

Related pull requests:
- 28803

Download

1.12.12 - 5991552 (August 8, 2023)

Scripts

AssignAnalystToIncident

Fixed an issue where this script was shown as AssignAnalystToAlert in XSIAM. Script functionality is unchanged (Assigns analyst to an incident. XSIAM alerts cannot be assigned.)

Related pull requests:
- 28839

Download

1.12.11 - 5969979 (August 6, 2023)

CommonScripts

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 28753

Download

1.12.10 - R5946331 (August 3, 2023)

Scripts

StringSimilarity

Fixed an issue with the script handling lists as input

Related pull requests:
- 28598

Download

1.12.9 - 5918814 (July 31, 2023)

Scripts

GeneratePassword

Updated the Docker image to: demisto/python3:3.10.12.66339.
Breaking Changes: Fixed an issue where the script accepted and failed on a length zero passwords.

Related pull requests:
- 28599

Download

1.12.8 - 5914533 (July 31, 2023)

Scripts

ParseEmailFilesV2

Fixed an issue where attachments were not being saved to the War Room when uploading S/MIME files that lacked the To/From/Subject fields.
Updated the Docker image to: demisto/parse-emails:1.0.0.67069.

Related pull requests:
- 28442

Download

1.12.7 - 5887180 (July 27, 2023)

Scripts

New: BMCTool

New: Parse RDP bitmap cache data into a single collage image file. (Available from Cortex XSOAR 6.9.0).

PreProcessImage

Updated the Docker image to: demisto/processing-image-file:1.0.0.64430.

New: StringSimilarity

New: This automation calculates the similarity ratio between text and a list of strings and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common). (Available from Cortex XSOAR 6.9.0).

Related pull requests:
- 26053

Download

1.12.6 - 5866730 (July 25, 2023)

Scripts

IPNetwork

Added support for raw_result to IPNetwork automation.
Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 27913
- 28489

Download

1.12.5 - 5823450 (July 20, 2023)

Scripts

GetListRow

Fixed an issue when using \t as a separator didn't parse tabs as expected.
Updated the docker image to: demisto/python3:3.10.12.65389.

Related pull requests:
- 28348

Download

1.12.4 - 5801668 (July 18, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.65301.

ConvertXmlFileToJson

Migrated the script from JavaScript to Python.
Fixed an issue where the script failed to parse large XML files.

Related pull requests:
- 28134

Download

1.12.2 - 5780572 (July 16, 2023)

Scripts

ScheduleGenericPolling

Documentation and metadata improvements.

Related pull requests:
- 28070

Download

1.12.1 - 5760561 (July 13, 2023)

Scripts

GetListRow

Added support for using tab character as separator.

Related pull requests:
- 28066

Download

1.12.0 - 5750551 (July 12, 2023)

Scripts

CVSSCalculator

Updated the Docker image to: demisto/python3:3.10.12.63474.

JSONFileToCSV

Updated the Docker image to: demisto/python3:3.10.12.63474.

RepopulateFiles

Updated the Docker image to: demisto/python3:3.10.12.63474.

RemoveKeyFromList

Updated the Docker image to: demisto/python3:3.10.12.63474.

TopMaliciousRatioIndicators

Updated the Docker image to: demisto/python3:3.10.12.63474.

BreachConfirmationHTML

Updated the Docker image to: demisto/python3:3.10.12.63474.

URLSSLVerification

Updated the Docker image to: demisto/python3:3.10.12.63474.

SendEmailOnSLABreach

Updated the Docker image to: demisto/python3:3.10.12.63474.

SetTime

Updated the Docker image to: demisto/python3:3.10.12.63474.

VerifyIPv6Indicator

Updated the Docker image to: demisto/python3:3.10.12.63474.

DemistoVersion

Updated the Docker image to: demisto/python3:3.10.12.63474.

ReadFile

Updated the Docker image to: demisto/python3:3.10.12.63474.

SearchIncidentsV2

Updated the Docker image to: demisto/python3:3.10.12.63474.

IndicatorMaliciousRatioCalculation

Updated the Docker image to: demisto/python3:3.10.12.63474.

JSONtoCSV

Updated the Docker image to: demisto/python3:3.10.12.63474.

CheckSenderDomainDistance

Updated the Docker image to: demisto/python3:3.10.12.63474.

CalculateTimeDifference

Updated the Docker image to: demisto/python3:3.10.12.63474.

PortListenCheck

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExportAuditLogsToFile

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsolationAssetWrapper

Updated the Docker image to: demisto/python3:3.10.12.63474.

Base64ListToFile

Updated the Docker image to: demisto/python3:3.10.12.63474.

RunDockerCommand

Updated the Docker image to: demisto/python3:3.10.12.63474.

FeedRelatedIndicatorsWidget

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsListExist

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28102

Download

1.11.99 - 5740912 (July 11, 2023)

Scripts

DBotAverageScore

Migrated the script from JavaScript to Python.
Fixed an issue where if all scores of an indicator are '0', a null value would be returned.
Updated the script to ignore '0' values (which indicate an 'unknown' value) from average calculations.
Updated the Docker image to: demisto/python3:3.10.12.63474.

AssignToMeButton

Updated the Docker image to: demisto/python3:3.10.12.63474.

LinkIncidentsButton

Updated the Docker image to: demisto/python3:3.10.12.63474.

NumberOfPhishingAttemptPerUser

Updated the Docker image to: demisto/python3:3.10.12.63474.

CopyNotesToIncident

Updated the Docker image to: demisto/python3:3.10.12.63474.

FormatURL

Updated the Docker image to: demisto/python3:3.10.12.63474.
Updated the Docker image to: demisto/python3:3.10.12.63474.
Updated the regex for URL wrappers to allow safelinks without a scheme (i.e. - https).

DumpJSON

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetLicenseID

Updated the Docker image to: demisto/python3:3.10.12.63474.

DecodeMimeHeader

Updated the Docker image to: demisto/python3:3.10.12.63474.

LookupCSV

Updated the Docker image to: demisto/python3:3.10.12.63474.

FilterByList

Updated the Docker image to: demisto/python3:3.10.12.63474.

DockerHardeningCheck

Updated the Docker image to: demisto/python3:3.10.12.63474.

DomainReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetInstances

Updated the Docker image to: demisto/python3:3.10.12.63474.

SetAndHandleEmpty

Updated the Docker image to: demisto/python3:3.10.12.63474.

PrettyPrint

Updated the Docker image to: demisto/python3:3.10.12.63474.

CreateHash

Updated the Docker image to: demisto/python3:3.10.12.63474.

FindSimilarIncidents

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExtractEmailV2

Updated the Docker image to: demisto/python3:3.10.12.63474.

ConvertTimezoneFromUTC

Updated the Docker image to: demisto/python3:3.10.12.63474.

ArrayToCSV

Updated the Docker image to: demisto/python3:3.10.12.63474.

MarkAsEvidenceByTag

Updated the Docker image to: demisto/python3:3.10.12.63474.

IdentifyAttachedEmail

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExportContextToJSONFile

Updated the Docker image to: demisto/python3:3.10.12.63474.

HttpV2

Updated the Docker image to: demisto/python3:3.10.12.63474.

EncodeToAscii

Updated the Docker image to: demisto/python3:3.10.12.63474.

DisplayHTML

Updated the Docker image to: demisto/python3:3.10.12.63474.

CopyContextToField

Updated the Docker image to: demisto/python3:3.10.12.63474.

GeneratePassword

Updated the Docker image to: demisto/python3:3.10.12.63474.

RunPollingCommand

Updated the Docker image to: demisto/python3:3.10.12.63474.

DisableUserWrapper

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsIntegrationAvailable

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetIndicatorDBotScoreFromCache

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsInternalHostName

Updated the Docker image to: demisto/python3:3.10.12.63474.

IPToHost

Updated the Docker image to: demisto/python3:3.10.12.63474.

Base64EncodeV2

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExtractAttackPattern

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetErrorsFromEntry

Updated the Docker image to: demisto/python3:3.10.12.63474.

ParseCSV

Updated the Docker image to: demisto/python3:3.10.12.63474.

PopulateCriticalAssets

Updated the Docker image to: demisto/python3:3.10.12.63474.

AddKeyToList

Updated the Docker image to: demisto/python3:3.10.12.63474.

TimeStampCompare

Updated the Docker image to: demisto/python3:3.10.12.63474.

SearchIncidentsSummary

Updated the Docker image to: demisto/python3:3.10.12.63474.

CheckIndicatorValue

Updated the Docker image to: demisto/python3:3.10.12.63474.

SetWithTemplate

Updated the Docker image to: demisto/python3:3.10.12.63474.

SetMultipleValues

Updated the Docker image to: demisto/python3:3.10.12.63474.

PositiveDetectionsVSDetectionEngines

Updated the Docker image to: demisto/python3:3.10.12.63474.

MaliciousRatioReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetEntries

Updated the Docker image to: demisto/python3:3.10.12.63474.

MatchRegexV2

Updated the Docker image to: demisto/python3:3.10.12.63474.

Strings

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 26053
- 28060
- 28030
- 28032

Download

1.11.96 - R5736856 (July 11, 2023)

Scripts

EditServerConfig

Updated the Docker image to: demisto/python3:3.10.12.63474.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python3:3.10.12.63474.

CreateIndicatorsFromSTIX

Updated the Docker image to: demisto/python3:3.10.12.63474.

ShowIncidentIndicators

Updated the Docker image to: demisto/python3:3.10.12.63474.

GenerateRandomUUID

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetDataCollectionLink

Updated the Docker image to: demisto/python3:3.10.12.63474.

LoadJSONFileToContext

Updated the Docker image to: demisto/python3:3.10.12.63474.

PrintContext

Updated the Docker image to: demisto/python3:3.10.12.63474.

ServerLogs_docker

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsInternalDomainName

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsDomainInternal

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetStringsDistance

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetIndicatorDBotScore

Updated the Docker image to: demisto/python3:3.10.12.63474.

CreateNewIndicatorsOnly

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsEmailAddressInternal

Updated the Docker image to: demisto/python3:3.10.12.63474.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python3:3.10.12.63474.

ParseYAML

Updated the Docker image to: demisto/python3:3.10.12.63474.

displayMappedFields

Updated the Docker image to: demisto/python3:3.10.12.63474.

ListUsedDockerImages

Updated the Docker image to: demisto/python3:3.10.12.63474.

ContextContains

Updated the Docker image to: demisto/python3:3.10.12.63474.

IPNetwork

Updated the Docker image to: demisto/python3:3.10.12.63474.

PrintErrorEntry

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.10.12.63474.

CompareLists

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsIPPrivate

Updated the Docker image to: demisto/python3:3.10.12.63474.

UtilAnyResults

Updated the Docker image to: demisto/python3:3.10.12.63474.

ZipStrings

Updated the Docker image to: demisto/python3:3.10.12.63474.

GridFieldSetup

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetByIncidentId

Updated the Docker image to: demisto/python3:3.10.12.63474.

ProvidesCommand

Updated the Docker image to: demisto/python3:3.10.12.63474.

ReplaceMatchGroup

Updated the Docker image to: demisto/python3:3.10.12.63474.

ConvertDatetoUTC

Updated the Docker image to: demisto/python3:3.10.12.63474.

VerifyCIDR

Updated the Docker image to: demisto/python3:3.10.12.63474.

AppendindicatorFieldWrapper

Updated the Docker image to: demisto/python3:3.10.12.63474.

LinkIncidentsWithRetry

Updated the Docker image to: demisto/python3:3.10.12.63474.

URLNumberOfAds

Updated the Docker image to: demisto/python3:3.10.12.63474.

FileToBase64List

Updated the Docker image to: demisto/python3:3.10.12.63474.

SearchIndicator

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetFieldsByIncidentType

Updated the Docker image to: demisto/python3:3.10.12.63474.

StopScheduledTask

Updated the Docker image to: demisto/python3:3.10.12.63474.

LoadJSON

Updated the Docker image to: demisto/python3:3.10.12.63474.

URLReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

IncidentFields

Updated the Docker image to: demisto/python3:3.10.12.63474.

hideFieldsOnNewIncident

Updated the Docker image to: demisto/python3:3.10.12.63474.

IPReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

DeduplicateValuesbyKey

Updated the Docker image to: demisto/python3:3.10.12.63474.

ResolveShortenedURL

Updated the Docker image to: demisto/python3:3.10.12.63474.

GenerateRandomString

Updated the Docker image to: demisto/python3:3.10.12.63474.

CheckFieldValue

Updated the Docker image to: demisto/python3:3.10.12.63474.

CalculateEntropy

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28026

Download

1.11.95 - 5723074 (July 9, 2023)

Scripts

cvss_color

Fixed an issue where the script didn't change the font color when in dark mode.

ScheduleGenericPolling

Updated the Docker image to: demisto/python3:3.10.12.63474.

ChangeContext

Updated the Docker image to: demisto/python3:3.10.12.63474.

MarkAsNoteByTag

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExportIncidentsToCSV

Updated the Docker image to: demisto/python3:3.10.12.63474.

EmailReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

OnionURLReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

FileCreateAndUploadV2

Updated the Docker image to: demisto/python3:3.10.12.63474.

SetDateField

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetServerURL

Updated the Docker image to: demisto/python3:3.10.12.63474.

ShowLocationOnMap

Updated the Docker image to: demisto/python3:3.10.12.63474.

ExportIndicatorsToCSV

Updated the Docker image to: demisto/python3:3.10.12.63474.

SetByIncidentId

Updated the Docker image to: demisto/python3:3.10.12.63474.

CheckContextValue

Updated the Docker image to: demisto/python3:3.10.12.63474.

GetEnabledInstances

Updated the Docker image to: demisto/python3:3.10.12.63474.

FileReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

SSDeepReputation

Updated the Docker image to: demisto/python3:3.10.12.63474.

ConvertCountryCodeCountryName

Updated the Docker image to: demisto/python3:3.10.12.63474.

AddDBotScoreToContext

Updated the Docker image to: demisto/python3:3.10.12.63474.

CloseInvestigationAsDuplicate

Updated the Docker image to: demisto/python3:3.10.12.63474.

IsUrlPartOfDomain

Updated the Docker image to: demisto/python3:3.10.12.63474.

HTTPListRedirects

Updated the Docker image to: demisto/python3:3.10.12.63474.

ServerLogs

Updated the Docker image to: demisto/python3:3.10.12.63474.

CompareIncidentsLabels

Updated the Docker image to: demisto/python3:3.10.12.63474.

PrintRaw

Updated the Docker image to: demisto/python3:3.10.12.63474.

DisplayHTMLWithImages

Updated the Docker image to: demisto/python3:3.10.12.63474.

SCPPullFiles

Updated the Docker image to: demisto/python3:3.10.12.63474.

displayUtilitiesResults

Updated the Docker image to: demisto/python3:3.10.12.63474.

GenerateSummaryReportButton

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28000

Download

1.11.93 - 5702009 (July 6, 2023)

Scripts

cveReputationV2

Fixed an issue where the script failed when cvss was None.

Related pull requests:
- 27938

Download

1.11.92 - R5692327 (July 5, 2023)

Scripts

GetListRow

Fixed an issue where the results put in wrong context path.
Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 26053
- 27847

Download

1.11.91 - 5649943 (June 29, 2023)

Scripts

New: cveReputationV2

New: Provides the severity of the CVE based on the CVSS score where available.

New: cvss_color

- New: This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score.

Related pull requests:
- 26486

Download

1.11.90 - 5646075 (June 29, 2023)

Scripts

TextFromHTML

Added an optional argument html_tag to extract text from within this tag.
Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27575
- 27790

Download

1.11.89 - 5620796 (June 26, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.64190.
Fixed an issue where a Subject containing special characters was not decoded correctly.

Related pull requests:
- 27737

Download

1.11.88 - 5574470 (June 20, 2023)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.63856.
Updated the formatter to remove all characters except for "-" from the parts of the domain.

Related pull requests:
- 27569

Download

1.11.87 - 5540680 (June 15, 2023)

Scripts

DockerHardeningCheck

Added an error message when running on Podman, where this script is not supported.
Updated the Docker image to: demisto/python3:3.10.12.62631.

Related pull requests:
- 27394

Download

1.11.86 - 5527167 (June 14, 2023)

Scripts

EmailAskUser

Fixed an issue where additional arguments were not passed on to the send-mail command.

Related pull requests:
- 27401

Download

1.11.85 - R5517995 (June 13, 2023)

Scripts

UnzipFile

Fixed an issue where the script failed running on password-protected files, when using the zipfile tool.
Updated the Docker image to: demisto/unzip:1.0.0.61858.

Related pull requests:
- 27283

Download

1.11.84 - 5460239 (June 6, 2023)

Scripts

DBotUpdateLogoURLPhishing

Updated the Docker image to: demisto/mlurlphishing:1.0.0.61412.
Removed the script from XSIAM, which does not yet support getMLModel.

Related pull requests:
- 26967

Download

1.11.83 - R5450895 (June 5, 2023)

Scripts

GeneratePassword

Migrated to Python 3. The script is now using the secrets Python package to create more secure passwords.

Related pull requests:
- 27134

Download

1.11.82 - 5422508 (June 1, 2023)

Scripts

ParseEmailFilesV2

The automation will no longer embed the base64 of an image in the returned HTML.
Updated the Docker image to: demisto/parse-emails:1.0.0.62142.

Related pull requests:
- 27098

Download

1.11.81 - 5390938 (May 29, 2023)

Scripts

New: DisplayHTMLWithImages

Script for dynamic-section to display HTML with embedded images. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 26945

Download

1.11.80 - 5356324 (May 24, 2023)

Scripts

ParseEmailFilesV2

Added a fix to an issue in MSG files with attachment, for the error TypeError: a bytes-like object is required, not 'str'.
Updated the Docker image to: demisto/parse-emails:1.0.0.59897.
Updated the Docker image to: demisto/parse-emails:1.0.0.60423.

GridFieldSetup

Added support for five new grid fields keys (total is 10 keys supported).
Added an option to submit TIMESTAMP as a value in order to import current timestamp in ISO format.

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.61229.
Added support for "zip" gTLD.

Related pull requests:
- 26702

Download

1.11.76 - 5318720 (May 21, 2023)

Transform automation names from "incident" to "alert" in XSIAM.

Related pull requests:
- 26365

Download

1.11.75 - 5297274 (May 18, 2023)

Scripts

EmailAskUser

Fixed a bug that caused duplicates in the email subject.

Related pull requests:
- 26518

Download

1.11.74 - 5289877 (May 17, 2023)

Scripts

SendMessageToOnlineUsers

Updated the script to use the send-notification command instead of the deprecated slack-send command.

Related pull requests:
- 26468

Download

1.11.73 - R5277943 (May 16, 2023)

Scripts

ScheduleCommand

Added the scheduledEntryGuid arguments to support the new GenericPolling playbook mechanism which improves the playbook performance.

GenericPollingScheduledTask

Added the scheduledEntryGuid arguments to support the new GenericPolling playbook mechanism which improves the playbook performance.

ScheduleGenericPolling

Updated the Docker image to: demisto/python3:3.10.11.57890.
Added the scheduledEntryGuid arguments to support the new GenericPolling playbook mechanism which improves the playbook performance.

Related pull requests:
- 26372

Download

1.11.72 - 5232355 (May 10, 2023)

Scripts

StixCreator

Added a flag for creating SCO indicators.
Updated the process of generating IDs for SDO indicators such that a given indicator will have the same ID every run. This applies both when clicking on the button "Export (STIX)", and when running the script manually.
Updated the Docker image to: demisto/py3-tools:1.0.0.58222.

Related pull requests:
- 26026

Download

1.11.71 - 5226855 (May 9, 2023)

Scripts

SetMultipleValues

Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.6.33415.

SearchIncidentsV2

Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.10.48392.

FormatURL

Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.11.54132.

ScheduleGenericPolling

Fixed a library incompatibility by downgrading the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 26405

Download

1.11.70 - 5216377 (May 8, 2023)

Scripts

SetMultipleValues

Added support for passing the values parameter as arrays.
Updated the Docker image to: demisto/python3:3.10.11.57293.

FormatURL

Updated the Docker image to: demisto/python3:3.10.11.57293.
Updated the script for better performance.

ScheduleGenericPolling

Reverted performance changes done in version 1.11.66

GenericPollingScheduledTask

Reverted performance changes done in version 1.11.66

Related pull requests:
- 26385
- 26325

Download

1.11.67 - 5210973 (May 7, 2023)

Scripts

SearchIncidentsV2

Fixed an issue where the limit argument didn't work correctly when trying to filter by the type argument.
Updated the Docker image to: demisto/python3:3.10.11.57293.

Related pull requests:
- 26317

Download

1.11.66 - 5206003 (May 6, 2023)

Scripts

ScheduleGenericPolling

Performance improvements.
Updated the Docker image to: demisto/python3:3.10.11.57293.

GenericPollingScheduledTask

Performance improvements.

Related pull requests:
- 26325

Download

1.11.65 - R5170573 (May 2, 2023)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Fixed an issue where domain where not extracted properly in case of encoded "@" in the text.
Updated the Docker image to: demisto/py3-tools:1.0.0.56465.

Related pull requests:
- 26068

Download

1.11.64 - 5136717 (April 27, 2023)

Scripts

EmailAskUser

Added the support to show html body in send-mail response.

Related pull requests:
- 25226

Download

1.11.63 - 5108885 (April 24, 2023)

Scripts

FormatURL

Updated the playbook tests for the script.

Related pull requests:
- 26038

Download

1.11.62 - 5104594 (April 23, 2023)

Scripts

ResolveShortenedURL

Added the use_system_proxy parameter, which if set, will use the configured system proxy when sending requests.
Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25968

Download

1.11.61 - 5069026 (April 18, 2023)

Scripts

FormatURL

Updated the Docker image to: demisto/python3:3.10.11.54132.
Updated the URL formatter to filter URLs with invalid TLDs.

Related pull requests:
- 25859

Download

1.11.60 - 5053542 (April 16, 2023)

Scripts

ConvertFile

Updated the Docker image to: demisto/office-utils:2.0.0.54910.

Related pull requests:
- 25850

Download

1.11.59 - 4960979 (April 3, 2023)

Scripts

ParseEmailFilesV2

Fixed an issue where an eml file containing chinese characters encoded with iso-2022-jp, big5 and gbk was not decoded correctly.
Updated the Docker image to: demisto/parse-emails:1.0.0.52789.

Related pull requests:
- 25700

Download

1.11.58 - R4954430 (April 2, 2023)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.52351.
Fixed an issue where hxxp or meow prefixes of URLs were incorrectly modified to http.

FormatURL

Updated the Docker image to: demisto/python3:3.10.10.51930.
Fixed an issue where hxxp or meow prefixes of URLs were incorrectly modified to http.

Related pull requests:
- 25517

Download

1.11.57 - R4927074 (March 29, 2023)

Scripts

PDFUnlocker

Updated the Docker image to: demisto/readpdf:1.0.0.50963.

Related pull requests:
- 25480

Download

1.11.56 - 4885523 (March 23, 2023)

Scripts

FormatURL

Updated the Docker image to: demisto/python3:3.10.10.49934.
Fixed an issue where the formatter mishandled URLs with commas.

Related pull requests:
- 25430

Download

1.11.55 - 4876645 (March 22, 2023)

Scripts

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.10.10.49934.
Updated the code for a better human readable response.

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.50499.

Related pull requests:
- 25332

Download

1.11.54 - 4830321 (March 16, 2023)

Scripts

DBotUpdateLogoURLPhishing

Updated the Docker image to: demisto/mlurlphishing:1.0.0.28347.

Related pull requests:
- 25326

Download

1.11.53 - 4822012 (March 15, 2023)

Scripts

ShowLocationOnMap

Updated the Docker image to: demisto/python3:3.10.10.49934.

RepopulateFiles

Updated the Docker image to: demisto/python3:3.10.10.49934.

Related pull requests:
- 25242

Download

1.11.52 - 4818573 (March 15, 2023)

Scripts

ExtractEmailV2

Fixed an issue where the formatter failed to extract the email if it was part of a URL query.

Related pull requests:
- 25134

Download

1.11.51 - 4804558 (March 13, 2023)

Scripts

ExtractIndicatorsFromWordFile

Updated the Docker image to: demisto/office-utils:2.0.0.49835.

ConvertFile

Updated the Docker image to: demisto/office-utils:2.0.0.49835.

Related pull requests:
- 25239

Download

1.11.49 - 4801189 (March 13, 2023)

Scripts

Strings

Updated the Docker image to: demisto/python3:3.10.10.48392.
Fixed an issue where non text files (e.g. pdf, exe) could not be parsed.

Related pull requests:
- 25232

Download

1.11.48 - 4797511 (March 12, 2023)

Scripts

ParseCSV

Fixed an issue in the markdown output where multiple IOC types are in same column.

FormatURL

Fixed an issue that caused the script to enter into an infinite loop.

Related pull requests:
- 25216

Download

1.11.46 - 4771215 (March 8, 2023)

Scripts

ParseEmailFilesV2

Fixed an issue where an eml file containing chinese characters was not decoded correctly.
Updated the Docker image to: demisto/parse-emails:1.0.0.49746.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

FindSimilarIncidents

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

MarkRelatedIncidents

Documentation and metadata improvements.

SetByIncidentId

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

ExtractIndicatorsFromWordFile

Updated the Docker image to: demisto/office-utils:2.0.0.49357.
Documentation and metadata improvements.

CopyContextToField

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

SetAndHandleEmpty

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

CompareIncidentsLabels

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

SearchIncidentsV2

Documentation and metadata improvements.

NumberOfPhishingAttemptPerUser

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

GetDuplicatesMlv2

Documentation and metadata improvements.

RunPollingCommand

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

IndicatorMaliciousRatioCalculation

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

DeleteContext

Documentation and metadata improvements.

findIncidentsWithIndicator

Documentation and metadata improvements.

Related pull requests:
- 23716

Download

1.11.44 - 4763226 (March 7, 2023)

Scripts

SearchIncidentsV2

Deprecated the size and page arguments.
Added the limit argument.
Fixed an issue where all incidents were fetched in case the size argument was not provided.

Related pull requests:
- 25056

Download

1.11.43 - 4760018 (March 7, 2023)

Scripts

FormatURL

Updated the valid code points in the formatter to better handle characters.
Fixed an issue that caused the formatter to crash with an IndexError when URL ended with a "\".

ParseCSV

Updated the Docker image to: demisto/python3:3.10.10.48392.
Fixed an issue where domains were calculated as IPs in context.

Related pull requests:
- 25098

Download

1.11.40 - 4746941 (March 5, 2023)

Scripts

ScheduleGenericPolling

Converted the script from python 2 to python 3.
Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24945

Download

1.11.39 - 4722159 (March 1, 2023)

Scripts

SearchIncidentsV2

Fixed an issue where pagination didn't work properly.

Related pull requests:
- 24965

Download

1.11.38 - 4718798 (March 1, 2023)

Scripts

New: displayUtilitiesResults

This script displays the execution results of the tab's buttons in an HTML table format. (Available from Cortex XSOAR 6.10.0).

SearchIncidentsV2

Fix max page for paging
Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24955
- 24954

Download

1.11.36 - 4697603 (February 26, 2023)

Scripts

SearchIncidentsV2

Fixed an issue when searching for an incident which did not return all results. Implementation of auto pagination to get all results .
Update docker image to 3.10.10.48392

SetDateField

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24775

Download

1.11.34 - 4676080 (February 23, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.48881.
Fixed an issue where the script returned a timeout error when the EML file contained an empty HTM attachment.

Related pull requests:
- 24721

Download

1.11.33 - 4671518 (February 22, 2023)

Scripts

ReadFile

Updated the script to print the file content to the War Room.

ShowIncidentIndicators

Fixed an issue where the script would show unrelated indicators in Cortex XSOAR 8.0+.

Related pull requests:
- 24754

Download

1.11.32 - 4661811 (February 21, 2023)

Lists

InternalDomains

Fixed an issue where the list was not properly marked as system content.

PrivateIPs

Fixed an issue where the list was not properly marked as system content.

Related pull requests:
- 24783

Download

1.11.31 - 4654658 (February 21, 2023)

Scripts

FormatURL

Updated the Docker image to: demisto/python3:3.10.10.48392.
Updated the URL formatter to better handle quoted URLs.

Related pull requests:
- 24634

Download

1.11.30 - 4651406 (February 20, 2023)

Lists

New: InternalDomains

The list is used by the IsDomainInternal script to determine whether domains are internal or external. The list can be modified by the user to contain a list of internal domains belonging to the organization, separated by new lines.

New: PrivateIPs

Added a new list that contains the private IP ranges defined by the IANA. The list is used by the IsIPPrivate script.
New IP ranges or exact IPs can be added to the list.

Scripts

New: IsDomainInternal

The script takes one or more domain names and checks whether they're in the XSOAR list defined in the InternalDomainsListName argument. by default, the InternalDomainsListName argument will use the XSOAR list called "InternalDomains".
The list can be customized by the user. It should contain the organization's internal domain names, separated by new lines. Subdomains are also supported in the list.
The results of the script are tagged with the "Internal_Domain_Check_Results" tag, so they can be displayed in the War Room entry sections in incident layouts. (Available from Cortex XSOAR 6.5.0).

New: IsIPPrivate

The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs".
The list can be modified, and by default uses the ranges defined by the Internet Assigned Numbers Authority (IANA). The following are the default CIDR ranges for private IPv4 addresses:

10.0.0.0/8 (range: 10.0.0.0 to 10.255.255.255)
172.16.0.0/12 (range: 172.16.0.0 to 172.31.255.255)
192.168.0.0/16 (range: 192.168.0.0 to 192.168.255.255)
In addition to ranges, it's also possible to add specific IP addresses to the list. You may also tag IPs or IP ranges by adding a comma after the IP or range, and then adding the tag that you want to tag the corresponding IP indicators with. (Available from Cortex XSOAR 6.5.0).

New: ShowIncidentIndicators

This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL.
This script is a field-display script, so it needs to be configured as such, when editing the incident field that will be used to display the indicators. (Available from Cortex XSOAR 6.5.0).

ExtractEmailV2

Fixed an issue where the formatter would trim a double tld in emails.
Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24669

Download

1.11.26 - R4646022 (February 19, 2023)

Scripts

New: displayMappedFields

Display the mapped fields in a dynamic-section (Available from Cortex XSOAR 6.8.0).

Related pull requests:
- 24678

Download

1.11.25 - 4621433 (February 16, 2023)

Scripts

ShowScheduledEntries

Fixed an issue where the script failed on invalid (undefined) entries in context.

Related pull requests:
- 24595
- 24634

Download

1.11.24 - R4618697 (February 15, 2023)

Scripts

SearchIncidentsV2

Updated the Docker image to: demisto/python3:3.10.10.47713.
Hid the trimevents argument. This argument is not supported in XSOAR.

EmailAskUser

Added support for the XPANSE marketplace.

Related pull requests:
- 24575
- 24490

Download

1.11.22 - 4560457 (February 8, 2023)

Scripts

ParseEmailFiles

Deprecated. Use the ParseEmailFilesV2 automation instead.

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.47381.

EmailReputation

This script is no longer supported in XPANSE.

DomainReputation

This script is no longer supported in XPANSE.

emailFieldTriggered

This script is no longer supported in XPANSE.

IPReputation

This script is no longer supported in XPANSE.

SendEmailOnSLABreach

This script is no longer supported in XPANSE.
This script is no longer supported in XPANSE.

EmailAskUser

This script is no longer supported in XPANSE.

ExportAuditLogsToFile

This script is no longer supported in XPANSE.

ExportIncidentsToCSV

This script is no longer supported in XPANSE.

ExportIndicatorsToCSV

This script is no longer supported in XPANSE.

ServerLogs

This script is no longer supported in XPANSE.

ServerLogs_docker

This script is no longer supported in XPANSE.

Related pull requests:
- 24307

Download

1.11.20 - 4514603 (February 1, 2023)

Scripts

New: ContentPackInstaller

Note: Moved from ContentInstallation.
Updated the Docker image to 1.0.0.45779

New: ExifRead

Note: Moved from ExifRead.
Updated the Docker image to demisto/py3-tools:1.0.0.46035

New: FetchIndicatorsFromFile

Note: Moved from FetchIndicatorsFromFile.
Updated the Docker image to demisto/py3-tools:1.0.0.46591

New: GetLicenseID

Note: Moved from GetLicenseID.
Updated the Docker image to demisto/python3:3.10.9.45313

New: DBotUpdateLogoURLPhishing

Note: Moved from Phishing URL.
Updated the Docker image to demisto/mlurlphishing:1.0.0.45023

New: ServerLogs_docker

Uses the ssh integration to grab the host server logs (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to: demisto/python3:3.10.9.45313.

New: ServerLogs

Uses the ssh integration to grab the host server logs (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to: demisto/python3:3.10.9.46032.

New: ParseYAML

Parses a YAML string into context (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to: demisto/python3:3.10.9.46032.

PDFUnlocker

Updated the Docker image to: demisto/readpdf:1.0.0.46461.

ContentPackInstaller

Updated the Docker image to: demisto/xsoar-tools:1.0.0.46482.

Related pull requests:
- 24258

Download

1.11.17 - 4501922 (January 30, 2023)

Scripts

FormatURL

Updated the URL formatter to ignore quotes at the end of a URL if those quotes were not opened prior to that.

Related pull requests:
- 24161

Download

1.11.16 - 4494864 (January 30, 2023)

Scripts

GetTime

Documentation and metadata improvements.

Base64EncodeV2

Updated the Docker image to: demisto/python3:3.10.9.45313.

AssignToMeButton

Note: Moved from the CaseManagement-Generic pack to this pack.
Updated the Docker image to: demisto/python3:3.10.9.42476.

GenerateSummaryReportButton

Note: Moved from the CaseManagement-Generic pack to this pack.
Updated the Docker image to: demisto/python3:3.10.9.42476.

LinkIncidentsButton

Note: Moved from the CaseManagement-Generic pack to this pack.
Updated the Docker image to: demisto/python3:3.10.9.42476.

IsolationAssetWrapper

Note: Moved from the Malware pack to this pack.
Updated the Docker image to: demisto/python3:3.10.9.45313.

SearchIncidentsV2

Added a couple of new scripts.
Updated the Docker image to: demisto/python3:3.10.9.45313.

New: ExportAuditLogsToFile

Uses the Demisto REST API integration to query the server audit trail logs, and return back a CSV or JSON file. (Available from Cortex XSOAR 6.5.0).

New: SearchIndicator

Searches Cortex XSOAR Indicators.
Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict.
You can add additional fields from the indicators using the add_field_to_context argument. (Available from Cortex XSOAR 6.5.0).

New: ExportIndicatorsToCSV

This automation uses the Demisto REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room. (Available from Cortex XSOAR 6.5.0).

New: LoadJSONFileToContext

Loads a JSON file from the war room to context. (Available from Cortex XSOAR 6.5.0).

New: ExportIncidentsToCSV

This automation uses the Demisto REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room. (Available from Cortex XSOAR 6.5.0).

New: MarkAsEvidenceByTag

Mark entries as evidence if they are tagged with given tag (Available from Cortex XSOAR 6.0.0).

New: SearchIncidentsSummary

Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument.
Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument.
This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient. (Available from Cortex XSOAR 6.0.0).

New: ExportContextToJSONFile

Exports the Context for the current Incident to a JSON file in the war room. (Available from Cortex XSOAR 6.5.0).

New: GetDataCollectionLink

Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only".
To generate links for specific users, add an array of users in the users argument. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 24019
- 22715

Download

1.11.13 - 4477986 (January 27, 2023)

Scripts

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.10.9.45313.
Added support for Latin-1 encoded text files.

Related pull requests:
- 24032

Download

1.11.12 - 4462378 (January 24, 2023)

Scripts

ConvertTimezoneFromUTC

Fixed an issue that occurred when using this script in Playbooks.
Updated the Docker image to: demisto/python3:3.10.9.45313.

ArrayToCSV

Fixed an issue that occurred when using this script in Playbooks.
Updated the Docker image to: demisto/python3:3.10.9.45313.

Related pull requests:
- 24055

Download

1.11.11 - 4458364 (January 24, 2023)

Scripts

DockerHardeningCheck

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.10.9.44472

Related pull requests:
- 23715

Download

1.11.10 - 4427603 (January 19, 2023)

Scripts

ExportToXLSX

Added the validation to the filename.
Updated the docker to demisto/xslxwriter:1.0.0.45070.

UnzipFile

Fixed an issue where warnings were returned as errors when running this script on certain files.
Updated the Docker image to: demisto/unzip:1.0.0.44723.

Related pull requests:
- 23745

Download

1.11.8 - 4413860 (January 17, 2023)

Scripts

FormatURL

Updated the formatter to support defanged colons.
Updated the docker to demisto/python3:3.10.9.44472.

http

Fixed an issue where the request failed if the scheme was not provided.

Related pull requests:
- 23888

Download

1.11.6 - 4410080 (January 17, 2023)

Scripts

ReadFile

Added "gbk" encoding type option to the input_encoding argument.
Updated the Docker image to: demisto/python3:3.10.9.44472.

Related pull requests:
- 23715
- 23847

Download

1.11.5 - 4404274 (January 16, 2023)

Scripts

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.44859.

Related pull requests:
- 23828

Download

1.11.4 - 4401483 (January 15, 2023)

Scripts

New: ArrayToCSV

Added this script to allow users to convert an array of strings, to a textual comma separated string.
Updated the Docker image to demisto/python3:3.10.9.42476

New: ConvertTimezoneFromUTC

Added this script to allow users to convert a UTC time format to a specified timezone.
Updated the Docker image to demisto/python3:3.10.9.44472

Related pull requests:
- 23553
- 23716

Download

1.11.3 - 4384217 (January 12, 2023)

Scripts

IgnoreFieldsFromJson

Note: Moved to the FiltersAndTransformers pack.

GetRange

Note: Moved to the FiltersAndTransformers pack.

GetValuesOfMultipleFields

Note: Moved to the FiltersAndTransformers pack.

If-Then-Else

Note: Moved to the FiltersAndTransformers pack.

ModifyDateTime

Note: Moved to the FiltersAndTransformers pack.

ProductJoin

Note: Moved to the FiltersAndTransformers pack.

PadZeros

Note: Moved to the FiltersAndTransformers pack.

MapValuesTransformer

Note: Moved to the FiltersAndTransformers pack.

ParseJSON

Note: Moved to the FiltersAndTransformers pack.

LastArrayElement

Note: Moved to the FiltersAndTransformers pack.

IPv4Blacklist

Note: Moved to the FiltersAndTransformers pack.

IPv4Whitelist

Note: Moved to the FiltersAndTransformers pack.

JoinIfSingleElementOnly

Note: Moved to the FiltersAndTransformers pack.

jmespath

Note: Moved to the FiltersAndTransformers pack.

JsonToTable

Note: Moved to the FiltersAndTransformers pack.

SetIfEmpty

Note: Moved to the FiltersAndTransformers pack.

StringToArray

Note: Moved to the FiltersAndTransformers pack.

StripChars

Note: Moved to the FiltersAndTransformers pack.

ReverseList

Note: Moved to the FiltersAndTransformers pack.

RegexGroups

Note: Moved to the FiltersAndTransformers pack.

RegexExtractAll

Note: Moved to the FiltersAndTransformers pack.

New: GenerateAsBuilt

Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured. (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to: demisto/teams:1.0.0.43500.

New: JsonUnescape

Recursively un-escapes JSON data if escaped JSON is found (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to: demisto/python3-deb:3.10.9.43863.

New: DeduplicateValuesbyKey

Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to: demisto/python3:3.10.9.43882.

New: CreateHash

Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. (Available from Cortex XSOAR 6.0.0).
- Updated the Docker image to: demisto/python3:3.10.9.43882.

Related pull requests:
- 23672

Download

1.10.49 - 4380193 (January 12, 2023)

Scripts

FormatURL

Updated the Docker image to: demisto/python3:3.10.9.42476.
Fixed an issue where the formatter mishandled quotes in the path and query parts of the URL.
Fixed an issue where Proofpoint wrappers were not escaped correctly.

Related pull requests:
- 23305

Download

1.10.48 - 4376356 (January 11, 2023)

Incident Fields

Account information breached
Affected Data Type
Affected Individuals Contact Information
Affected data
Approximate number of affected data subjects
Attorney General Notification
Breach Confirmation
Company Address
Company City
Company Country
Company Name
Company Postal Code
Company has Insurance for the Breach
Consumer Reporting Agencies Notification
Contact Address
Contact Email address
Contact Name
Contact Telephone number
Country where business has its main establishment
Country where the breach took place
DPO E-mail Address
DPO Notification
Data Encryption Status
Date/time of the breach
E-mail Address
Financial information breached
GDPR Notify Authorities
Health insurance breached
Individuals Notification
Is the Data Subject to DPIA
Likely Impact
Malicious Cause (If the cause is a malicious attack)
Management Notification
Measures to Mitigate
Media Notification
Medical Information breached
Other PII data breached
PII Data Type
Possible Cause of the Breach
Postal Code
Resident Notification Option
Residents Email Address
Secretary Notification
Sector of Affected Party
Size - number of employees
Size - turnover
State CISO Notification
State where the breach took place
Telephone no.
Unique biometric data breached
Unique identification number breached
Where is data hosted
Is the Data Subject to DPIA

Scripts

FormattedDateToEpoch

Note: Moved to FiltersAndTransformers pack.

EmailDomainBlacklist

Note: Moved to FiltersAndTransformers pack.

EmailDomainWhitelist

Note: Moved to FiltersAndTransformers pack.

FirstArrayElement

Note: Moved to FiltersAndTransformers pack.

ExtractInbetween

Note: Moved to FiltersAndTransformers pack.

New: ExportToXLSX

Note: Moved from ExportToXLSX.

New: CVSSCalculator

Updated the Docker image to: demisto/python3:3.9.8.24399.
Note: Moved from CVSS.

New: GetInstances

Updated the Docker image to: demisto/python3:3.9.7.24076.
Note: Moved from ModulesManagement.

New: GetServerURL

Updated the Docker image to: demisto/python3:3.9.7.24076.
Note: Moved from GetServerURL.

New: ReplaceMatchGroup

Updated the Docker image to: demisto/python3:3.9.7.24076.
Note: Moved from ReplaceMatchGroup.

New: BreachConfirmationHTML

Note: Moved from Compliance.

Related pull requests:
- 23499

Download

1.10.46 - 4372591 (January 11, 2023)

Scripts

New: Dig

DNS lookup utility to provide 'A' and 'PTR' record (Available from Cortex XSOAR 6.0.0).
Updated the Docker image to demisto/netutils:1.0.0.43061.

WhereFieldEquals

Moved to the FiltersAndTransformers pack.

SumList

Moved to the FiltersAndTransformers pack.

URLEncode

Moved to the FiltersAndTransformers pack.

URLDecode

Moved to the FiltersAndTransformers pack.

TimeStampToDate

Moved to the FiltersAndTransformers pack.

Related pull requests:
- 23695

Download

1.10.44 - 4368875 (January 10, 2023)

Scripts

Cut

Moved to the FiltersAndTransformers pack.

ConvertKeysToTableFieldFormat

Moved to the FiltersAndTransformers pack.

ConvertToSingleElementArray

Moved to the FiltersAndTransformers pack.

DT

Moved to the FiltersAndTransformers pack.

DateStringToISOFormat

Moved to the FiltersAndTransformers pack.

Related pull requests:
- 23477

Download

1.10.43 - 4366177 (January 10, 2023)

Scripts

BetweenDates

Note: Moved to FiltersAndTransformers pack.

Base64Decode

Note: Moved to FiltersAndTransformers pack.

ConvertAllExcept

Note: Moved to FiltersAndTransformers pack.

BetweenHours

Note: Moved to FiltersAndTransformers pack.

ReadPDFFileV2

Updated the Docker image to: demisto/readpdf:1.0.0.43274.
Fixed an issue where some warnings returned from the package PyPDF2 would be returned as errors instead of to server logs.

Related pull requests:
- 23674

Download

1.10.41 - R4361094 (January 9, 2023)

Scripts

ResolveShortenedURL

Added support for resolving recursively shortened URLs, which can be adjusted using a new redirect_limit parameter.
Added support for a built-in unshortening service (which will use Python's requests lib to follow the redirects).
Added support for a new online unshortening service: longurl.in (previously only unshortened.me was used).
Added a new service parameter, which allows you to choose the unshortening service to use.
Updated the Docker image to: demisto/python3:3.10.9.42476.

LinkIncidentsWithRetry

Updated the Docker image to: demisto/python3:3.10.9.42476.
Updated script metadata.

MarkRelatedIncidents

Updated script metadata.

Related pull requests:
- 23551

Download

1.10.39 - 4335398 (January 5, 2023)

Scripts

ConvertTableToHTML

Added the context_key argument so you can set your own context output key.

Related pull requests:
- 23352

Download

1.10.37 - 4331864 (January 4, 2023)

Scripts

New: ConvertCountryCodeCountryName

Convert country name to country code or country code to country name. Only one of country_code or country_name can be provided.

CIDRBiggerThanPrefix

Moved to the FiltersAndTransformers pack.

CheckIfSubdomain

Moved to the FiltersAndTransformers pack.

GreaterCidrNumAddresses

Moved to the FiltersAndTransformers pack.

InRange

Moved to the FiltersAndTransformers pack.

AfterRelativeDate

Moved to the FiltersAndTransformers pack.

IsInCidrRanges

Moved to the FiltersAndTransformers pack.

IsNotInCidrRanges

Moved to the FiltersAndTransformers pack.

IsRFC1918Address

Moved to the FiltersAndTransformers pack.

LowerCidrNumAddresses

Moved to the FiltersAndTransformers pack.

StringContainsArray

Moved to the FiltersAndTransformers pack.

Related pull requests:
- 23237
- 23434
- 23577
- 23445

Download

1.10.34 - 4290509 (December 28, 2022)

Scripts

ParseEmailFilesV2

Fixed an issue where parsing files that uploaded from the DataCollection task, failed.

Related pull requests:
- 23286

Download

1.10.33 - 4285391 (December 27, 2022)

Scripts

New: CreateNewIndicatorsOnly

Added this script to allow users to only create indicators that are not already present in the database. (Available from Cortex XSOAR 6.5.0).

DemistoVersion

Updated the Docker image to: demisto/python3:3.10.9.40422.
Updated the script to support XSOAR only.

Related pull requests:
- 23267

Download

1.10.31 - 4280857 (December 26, 2022)

Scripts

ParseEmailFilesV2

Fixed an issue where parsing numbers failed.
Updated the Docker image to: demisto/parse-emails:1.0.0.41885.

Related pull requests:
- 23266

Download

1.10.30 - 4278710 (December 25, 2022)

Scripts

BetweenHours

Updated the Docker image to: demisto/python3:3.10.9.40422.
Fixed an issue in which the BetweenHours script was printing deprecated logs.

Related pull requests:
- 23203

Download

1.10.29 - 4261791 (December 22, 2022)

Scripts

SetWithTemplate

Added the template_type parameter to build data from a JSON text.

Related pull requests:
- 23174
- 23106

Download

1.10.28 - 4258430 (December 21, 2022)

Scripts

FormatURL

Updated the Docker image to: demisto/python3:3.10.9.40422.
Updated the URL Formatter to ignore valid CIDRs.

Related pull requests:
- 23120

Download

1.10.27 - 4244055 (December 19, 2022)

Scripts

ExtractEmailV2

Updated the Docker image to: demisto/python3:3.10.9.40422.
Fixed an issue where the JSON returned to XSOAR was invalid.

Related pull requests:
- 23112

Download

1.10.26 - 4241798 (December 19, 2022)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:1.0.0.41100.
Updated the indicator domain type regex to avoid catching HTML tags in extracted domains.

Related pull requests:
- 23047

Download

1.10.25 - 4220433 (December 15, 2022)

Scripts

ReadFile

Added the following arguments:
- input_encoding
- output_data_type
- output_meta_data
Updated the Docker image to: demisto/python3:3.10.8.39276.

Related pull requests:
- 22692

Download

1.10.24 - 4202753 (December 12, 2022)

Scripts

DockerHardeningCheck

Update to include a network hardening check according to the Network Hardening Guide.
Updated the Docker image to: demisto/python3:3.10.9.40422.

Related pull requests:
- 22612
- 23715

Download

1.10.23 - 4197844 (December 12, 2022)

Scripts

URLReputation

Fixed an issue where using the script together with integrations implementing API Execution Metric Reporting would return an error.
Updated the Docker image to: demisto/python3:3.10.9.40422.

FileReputation

Fixed an issue where using the script together with integrations implementing API Execution Metric Reporting would return an error.
Updated the Docker image to: demisto/python3:3.10.9.40422.

DomainReputation

Fixed an issue where using the script together with integrations implementing API Execution Metric Reporting would return an error.
Updated the Docker image to: demisto/python3:3.10.9.40422.

Related pull requests:
- 22941

Download

1.10.22 - 4183367 (December 9, 2022)

Scripts

StixCreator

Updated the Docker image to: demisto/py3-tools:1.0.0.40800

Related pull requests:
- 22856

Download

1.10.21 - 4172596 (December 8, 2022)

Scripts

ExtractEmailV2

Updated the Docker image to: demisto/python3:3.10.8.39276.
Fixed an issue of emails containing parts of encoded unicode points.
Updated the Email formatter
- Removes unicode points from address.
- returns value to context.
- Better handles quotes and brackets.

Related pull requests:
- 22399

Download

1.10.20 - 4169624 (December 7, 2022)

Scripts

StixCreator

Fixed an issue where the script was missing a parameter when exporting malware types.

ParseWordDoc

The script is now extracting URLs from the document.
Updated the Docker image to: demisto/docxpy:1.0.0.40261.

Related pull requests:
- 21907

Download

1.10.18 - 4158369 (December 6, 2022)

Scripts

New: SetWithTemplate

Set a value built by a template in context under the key you entered. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 22654
- 21497

Download

1.10.17 - 4152557 (December 5, 2022)

Scripts

IgnoreFieldsFromJson

Fixed an issue where it doesn't take value parameter.
Updated the Docker image to: demisto/python3:3.10.8.39276.

Related pull requests:
- 21877
- 22640

Download

1.10.16 - 4137548 (December 1, 2022)

Scripts

FormatURL

Updated the Docker image to: demisto/python3:3.10.8.39276.
Updated the formatter to allow escape chars at the end of the URL.
Updated the formatter to return case sensitive output.

Related pull requests:
- 22588

Download

1.10.15 - 4123091 (November 29, 2022)

Scripts

New: CheckIndicatorValue

Check if indicators exist in the Threat Intel database. (Available from Cortex XSOAR 6.5.0).

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.38879.

Related pull requests:
- 22550

Download

1.10.13 - 4116031 (November 28, 2022)

Scripts

ParseEmailFilesV2

Fixed an issue where ParseEmailFilesV2 would throw an exception when parsing p7m files.
Updated the Docker image to: demisto/parse-emails:1.0.0.38804.

ReadPDFFileV2

Fixed an issue where ReadPDFFileV2 could not handle corrupted/damaged pdf files.
Updated the Docker image to: demisto/readpdf:1.0.0.38617.

SearchIncidentsV2

Fixed an issue where XSIAM alerts links were not accessible.
Updated the Docker image to: demisto/python3:3.10.8.37753.

Related pull requests:
- 22230

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 27, 2020
Last Release	November 28, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.