Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.

Converts a date from a different timezone to UTC timezone.

Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.

Prints an error entry with a given message

Delete field from context.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Accepts a json object and returns a markdown.

Converts
https:%2F%2Fexample.com
into
https://example.com

Adds/Replaces a key in key/value store backed by an XSOAR list.

Set multiple keys/values to the context.

Checks if one number(float) as bigger than the other(float)
Returns yes: if first > second
Returns no: if first <= second
Returns exception if one of the inputs is not a number

Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.

Generate report summaries for the passed incidents.

Extract indicators from a text-based file.
Indicators that can be extracted:

• IP
• Domain
• URL
• File Hash
• Email Address

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Remove escaping chars from IP
127[.]0[.]0[.]1 -> 127.0.0.1

Get the string distance for the sender from our domain

Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.

Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.

Deprecated. Use the MatchRegexV2 script instead.

This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.

Replaces regex match/es in string.
Returns the string after replace was preformed.

Assign analyst to incident.
By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users).
Otherwise, the analyst will be picked according to the 'assignBy' arguments.
machine-learning: DBot will calculated and decide who is the best analyst for the job.
top-user: The user that is most commonly owns this type of incident
less-busy-user: The less busy analyst will be picked to be the incident owner.
online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users).
current: The user that executed the command

This script converts the input value into another value using two lists. The input value is searched in the first list (input_values).
If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned.
If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value".

Example 1:

input_values = "1,2,3,4"
mapper_values = "4,3,2,1"
value = 3

Output would be "2"

Example 2:

input_values ="firstkey: datahere,secondkey: datathere"
mapper_values = "datathere,datahere"
value(dict)= {
"firstkey": "datahere"
}

Output would be:
{
"firstkey": "datathere"
}

The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed.

When the input is a dict, str , int, or list, the output is ALWAYS returned as a string.

Determines whether an IPv4 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4 addresses can be passed comma-delimited and each will be tested.

Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html

Decode MIME base64 headers.

A script to generate investigation summary report in an automated way
Can be used in post-processing flow as well.

This automation allows the usage of DT scripts within playbooks transformers

When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.

Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.

Language detection based on Google's language-detection.

Verifies that an email address is valid and only returns the address if it is valid.

Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.

Collect entries matching to the conditions in the war room

Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.

Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument

E.g. !WhereFieldEquals with the following arguments:

• value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }]
• field='type'
• equalTo='IP'
• getField='name'

Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2']

Converts string to array.
For example: http://example.com/?score:1,4,time:55 will be transformed to ["http://example.com/?score:1,4,time:55"].

Returns the length of the string passed as argument

This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.

Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly.
If an array is returned. the first value will be the decision making value.

Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.

Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.

Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.

Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field

e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'

Verify URL SSL certificate

Schedule a command to run inside the war room at a future time (once or reoccurring)

Try to get the hostname correlated with the input IP.

Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.

Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.

Add into the incident's context the system internal DBot score for the input indicator.

This stops the scheduled task whose ID is given in the taskID argument.

Cut a string by delimiter and return specific fields.

Example

input: "A-B-C-D-E"
delimiter: "-"
fields: "1,5"

return: "A-E"

Zip a file and upload to war room

Extracts FQDNs from URLs and emails.

Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)

Convert a JSON War Room output via EntryID to a CSV file.

Use this script to avoid DB version errors when simultaneously running multiple linked incidents.

Checks an object for an empty value and returns a pre-set default value.

This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Placeholders are marked in DT format (i.e. ${incident.id} for incident ID).
Available placeholders for example:

• ${incident.labels.Email/from}
• ${incident.name}
• ${object.value}
  See incident Context Data menu for available placeholders

Note: Sending emails require an active Mail Sender integration instance.

Close the current investigation as duplicate to other investigation.

This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.

Will create an array object in context from given string input

Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).

Converts HTML to Markdown.

Mark entries as notes if they are tagged with given tag

Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.

Creates a Grid table from items or key-value pairs.

This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container.

We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.

Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.

Converts Base64 file in a list to a binary file and upload to warroom

Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context.
supported types are:
7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)

Extract strings from a file with optional filter - similar to binutils strings command

Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.

Check if list exist in demisto lists.

Check if a given value is true. Will return 'no' otherwise

Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Compares the labels of two incidents. Returns the labels that are unique to each incident.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Verify that the address is a valid IPv6 address.

Returns yes if the IP is in one of the ranges provided, returns no otherwise.

Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.

Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL.

Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.

This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class.

The min_* values all default to 0. This means that if the command is executed in this way:
!GeneratePassword max_lcase=10
It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches.

The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.

Checks whether a port was open on given host.

Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.

Gather information regarding CIDR -
1. Broadcast_address
2. CIDR
3. First_address
4. Last address
5. Max prefix len
6. Num addresses
7. Private
8. Version

Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.

Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.

Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument.
Sets a value into the context with the given context key. Doesn't append by default.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.

Gets all IP addresses in context, excluding ones given.

This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.

Extract URLs redirected by security tools like Proofpoint.
Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html
Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com

This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.

Resolve the original URL from the given shortened URL and place it in both as output and in the context of a playbook. (https://unshorten.me/api)

Tokenize the words in a input text.

Adds zeros (0) to the beginning of the string, until the string reaches the specified length.

Return the single element in case the array has only 1 element in it, otherwise return the whole array

A context script for hash entities

Sums a List
e.g. ["25", "10", "25"] => "60"

This is an example for number transformer.

Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Example of command:
!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"

Indicates whether a given value is a member of given array

Utility script to use in playbooks - returns "yes" if the input is non-empty.

Searches Demisto incidents.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Returns DNS details for a domain

Removed selected fields from the JSON object.

A transformer for simple if-then-else logic.

Calculates average score for each indicator from context

Converts a given array to an HTML table

checks if left side is in range of right side (from,to anotation)
e.g. - InRange left=4right=1,8 will return true.

Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a Demisto date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior

Strip set of characters from prefix and/or suffix
e.g. StripChar value=~!!~www.mydomain.com~!~!~ chars=!~ will return www.mydomain.com

Extracts domains and FQDNs from URLs and emails.

Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0

Used to extract indicators from Word files (DOC, DOCX).
The script does not extract data from macros (e.g., embedded code).

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Will encode an input using Base64 format.

Check if indicators exist in the Threat Intel database.

Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.

Returns the product of two lists, joined by a separator, as a list of strings.

List the redirects for a given URL

Expose the incident owner into IncidentOwner context key

Gets all currently enabled integration instances.

Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.

Copy all entries marked as notes from current incident to another incident.

Convert all chosen values but exceptions.

Script to convert a War Room output JSON File to a CSV file.

A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network

Count an array size

Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array.

Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info

This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.

Returns a dict of all incident fields that exist in the system.

Checks if the supplied URLs are in the specified domains.

Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.

This script finds similar files that can be related to each other by fuzzy hash (SSDeep).

Encodes an input to Base64 format.

After running DeleteContext, this script can repopulate all the file entries in the ${File} context key

aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.

Extract Domain(s) from URL(s) and/or Email(s)

Calculate the time difference, in minutes

Searches for string in context and returns context path, returns null if not found.

The automation takes Excel file (entryID) as an input and parses its content to the war room and context

Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts

Runs the polling command repeatedly, completes a blocking manual task when polling is done.

Decodes an input in Base64 format.

Sends a HTTP request with advanced capabilities

This is a thin wrapper around the dateutil.parser.parse function. It will parse a string containing a date/time stamp and return it in ISO 8601 format.

Gets a value from the specified incident's context.

Extract a string from an existing string.

Encode a file as base64 and store it in a Demisto list.

Send message to Demisto online users over Email, Slack, Mattermost or all.

Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.

Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.

Performs a JMESPath search on an input JSON format, when using a transformer.

Convert object keys to match table keys.
Use when mapping object/collection to table (grid) field.
(Array of objects/collections is also supported).
Example:
Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true }
Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }

Calculates the entropy for the given data.

Joins values from two lists by index according to a given format.

A context script for URL entities

Pretty-print the contents of the playbook context

Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.

Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black

Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it:

!PrettyPrint value=${incident}

Returns the incident field names associated to the specified incident type.

Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format.

Checks the given datetime has occured after the provided relative time.

Load the contents of a file into context.

Finds similar incidents by common incident keys, labels, custom fields or context keys.
It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type).
For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label).

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Fetches the numbers of ads in the given url

Converts XML file entry to JSON format

Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.

Lists executed commands in War Room

Return indicators appears in resolved incidents, and resolved incident ids.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.

Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.

Prints text to war room (Markdown supported)

Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.

Searches for string in a path in context. If path is null, string will be searched in full context.

Loads a json from string input, and returns a json object result

Sends http request. Returns the response as json.

Check if a given value is true. Will return 'no' otherwise

Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.

Parses a list by header and value.

Retrieves the current date and time.

Copy a context key to an incident field of multiple incidents, based on an incident query.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Extracts regex data from the provided text. The script support groups and looping.

Set indicator reputation to "suspicious" when malicious ratio is above threshold.
Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.

Called by the GenericPolling playbook, schedules the polling task.

Marks given incidents as related to current incident.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Converts XML string to JSON format

Convert an array to a nice table display. Usually, from the context.

Execute a command on a remote machine (without installing a D2 agent)

Compares a single timestamp to a list of timestamps.

Shows a bar chart of the number of Positive Detections out of overall detections

This is only an example script, to showcase how to use and write JavaScript scripts

Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.

Take a list of devices and pull a specific file (given by path) from each using SCP

The script receives a list of fields and a context key base path. For example, Key=demisto.result List=username,user and will get all of the values from demisto.result.username and demisto.result.user.
The Get field of the task must have the value ${.=[]}.

Dumps a json from context key input, and returns a json object string result

Sleep for X seconds

Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.

Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".

Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.

Removes a key in key/value store backed by an XSOAR list.

Extraction of elements which are contained in all the subgroups of the match to the pattern.
For example, extracting from the string "The quick brown fox" the object {"article":"The","noun":quick"}
(See arguments descriptions for more details)

Gets all email addresses in context, excluding ones given.

Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1

Checks whether the given value is within the specified time (hour) range.

Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)

Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways:

• It returns all matches of the specified pattern, not just specific groups. This is useful for extracting things using a pattern where the content of the source string is indeterminate, such as extracting all email addresses.
• Some "convenience" arguments have been added to enhance usability: multi-line, ignore_case, period_matches_newline
• Added a new argument, "error_if_no_match". The script will not ordinarily throw an error if a match is not found but if not using as a transformer within a playbook, it may, in certain limited circumstances, be desirable to throw an error if the expression doesn't match.
• It uses the 'regex' library, which supports more some more advanced regex functionality than the standard 're' library. For more info, see https://pypi.org/project/regex/.

Optionally increases the incident severity to the new value if it is greater than the existing severity.

Deprecated. Use the "PhishingDedupPreprocessingRule" script instead.
Find duplicate incidents candidates.
Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Gets hashes (MD5,SHA1,SHA256) from context.

Ask a user a question via email and process the reply directly into the investigation.

Sends email to incident owner when selected field is triggered.

Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges.

This script searches for a value in a context path.

A context script for IP entities

Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}.

Converts a single string to an array of that string.

Script will run the provided mathematical action on 2 provided values and produce a result.
The result can be stored on the context using the contextKey argument

Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.

Checks if the email address is part of the internal domains

Generates a random UUID (UUID 4).

Show all scheduled entries for specific incident.

Return the Demisto server version.

List all Docker images that are in use by the installed integrations and automations.

This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.

Takes the comments of a given entry ID and stores them in the incident context, under a provided context key.
For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.

Sets a custom incident field with current date

Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.

Returns 'yes' if integration brand is available. Otherwise returns 'no'

Gets specified indexes of a list.

Fill the current time in a custom incident field

Checks whether a given CIDR prefix is bigger than the defined maximum prefix.

Set a value in context under the key you entered.

Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number.

Verify that the CIDRs are valid.

Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array.

Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Checks if one percentage is less than another
Returns less: if firstPercentage < secondPercentage
Returns more: if firstPercentage >= secondPercentage
Returns exception if one of the inputs is not a float

Stops the "Time To Assign" timer if the owner of the incident was changed.

Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format.

Export given array to csv file

Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.

Whether value is within a date range.

Find the top malicious ratio indicators.
Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.

A context script for Domain entities

Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm

Generates random string

Reverse a list
e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"]

This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag)

Find tables inside HTML and extract the contents into objects using the following logic:

• If table has a single column, just create an array of strings from the values
• If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value
• If table has a header row, create a table of objects where attribute names are the headers
• If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…

Check if number of availble addresses in IPv4 CIDR is lower than given number.

Get the overall score for the indicator as calculated by DBot.

Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started.
In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.

Publish entries to incident's context

Changes the remediation SLA once a change in incident severity occurs.
This is done automatically and the changes can be configured to your needs.

Pings an IP or url address, to verify it's up

Compare two lists and put the differences in context.

Add DBot score to context for indicators with custom vendor, score, reliability, and type.

A context script for Email entities

Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.

Show indicator geo location on map

Load a PDF file's content and metadata into context.

Extract regular text from the given HTML

Shows a bar chart of the number of incident the 'To' and 'From' email addresses.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Display HTML in the War Room.

Checks whether a given domain is a subdomain of one of the listed domains.

Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)

A context script for URL entities

checks if left side is in range of right side (from,to anotation)
e.g. - InRange left=4right=1,8 will return true.

This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSIAM CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.

Checks if the email address is part of the internal domains

Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)

Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.

Checks whether a given CIDR prefix is bigger than the defined maximum prefix.

Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format.

Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges.

Takes the comments of a given entry ID and stores them in the incident context, under a provided context key.
For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.

This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.

Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.

Resolve the original URL from the given shortened URL and place it in both as output and in the context of a playbook. (https://unshorten.me/api)

Sleep for X seconds

Strip set of characters from prefix and/or suffix
e.g. StripChar value=~!!~www.mydomain.com~!~!~ chars=!~ will return www.mydomain.com

Gets all email addresses in context, excluding ones given.

Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.

Will encode an input using Base64 format.

This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.

Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.

When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.

Extract Domain(s) from URL(s) and/or Email(s)

Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.

Export given array to csv file

Extracts domains and FQDNs from URLs and emails.

aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.

Copy all entries marked as notes from current incident to another incident.

Encodes an input to Base64 format.

Fetches the numbers of ads in the given url

This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.

This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.

Converts
https:%2F%2Fexample.com
into
https://example.com

Deprecated. Use the MatchRegexV2 script instead.

Find tables inside HTML and extract the contents into objects using the following logic:

• If table has a single column, just create an array of strings from the values
• If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value
• If table has a header row, create a table of objects where attribute names are the headers
• If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…

Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).

Parses a list by header and value.

Count an array size

Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways:

• It returns all matches of the specified pattern, not just specific groups. This is useful for extracting things using a pattern where the content of the source string is indeterminate, such as extracting all email addresses.
• Some "convenience" arguments have been added to enhance usability: multi-line, ignore_case, period_matches_newline
• Added a new argument, "error_if_no_match". The script will not ordinarily throw an error if a match is not found but if not using as a transformer within a playbook, it may, in certain limited circumstances, be desirable to throw an error if the expression doesn't match.
• It uses the 'regex' library, which supports more some more advanced regex functionality than the standard 're' library. For more info, see https://pypi.org/project/regex/.

Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html

Sends email to incident owner when selected field is triggered.

Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.

Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.

Accepts a json object and returns a markdown.

Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Adds/Replaces a key in key/value store backed by an XSOAR list.

Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number.

Cut a string by delimiter and return specific fields.

Example

input: "A-B-C-D-E"
delimiter: "-"
fields: "1,5"

return: "A-E"

Decode MIME base64 headers.

Optionally increases the incident severity to the new value if it is greater than the existing severity.

Add into the incident's context the system internal DBot score for the input indicator.

Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.

This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container.

We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.

This is only an example script, to showcase how to use and write JavaScript scripts

This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.

Fill the current time in a custom incident field

Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array.

Removes a key in key/value store backed by an XSOAR list.

Shows a bar chart of the number of incident the 'To' and 'From' email addresses.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Marks given incidents as related to current incident.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Determines whether an IPv4 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4 addresses can be passed comma-delimited and each will be tested.

Get the string distance for the sender from our domain

Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.

Converts a given array to an HTML table

Compares a single timestamp to a list of timestamps.

Sums a List
e.g. ["25", "10", "25"] => "60"

This is an example for number transformer.

Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array.

Dumps a json from context key input, and returns a json object string result

Sets a custom incident field with current date

A script to generate investigation summary report in an automated way
Can be used in post-processing flow as well.

Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.

Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.

Verifies that an email address is valid and only returns the address if it is valid.

Show all scheduled entries for specific incident.

Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field

e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'

Indicates whether a given value is a member of given array

Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.

Take a list of devices and pull a specific file (given by path) from each using SCP

Load a PDF file's content and metadata into context.

Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context.
supported types are:
7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)

Send message to Demisto online users over Email, Slack, Mattermost or all.

Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.

A context script for IP entities

Return indicators appears in resolved incidents, and resolved incident ids.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Expose the incident owner into IncidentOwner context key

Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.

Joins values from two lists by index according to a given format.

Pings an IP or url address, to verify it's up

Searches for string in a path in context. If path is null, string will be searched in full context.

Returns the product of two lists, joined by a separator, as a list of strings.

Calculates the entropy for the given data.

Replaces regex match/es in string.
Returns the string after replace was preformed.

Schedule a command to run inside the war room at a future time (once or reoccurring)

Extract strings from a file with optional filter - similar to binutils strings command

Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument

E.g. !WhereFieldEquals with the following arguments:

• value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }]
• field='type'
• equalTo='IP'
• getField='name'

Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2']

Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.

Convert all chosen values but exceptions.

Set multiple keys/values to the context.

Searches for string in context and returns context path, returns null if not found.

Compare two lists and put the differences in context.

Creates a Grid table from items or key-value pairs.

Generates random string

Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.

Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format.

List all Docker images that are in use by the installed integrations and automations.

Script will run the provided mathematical action on 2 provided values and produce a result.
The result can be stored on the context using the contextKey argument

Gets specified indexes of a list.

Returns a dict of all incident fields that exist in the system.

Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.

Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.

Called by the GenericPolling playbook, schedules the polling task.

Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.

Returns the incident field names associated to the specified incident type.

Adds zeros (0) to the beginning of the string, until the string reaches the specified length.

Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.

Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts

Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.

Extraction of elements which are contained in all the subgroups of the match to the pattern.
For example, extracting from the string "The quick brown fox" the object {"article":"The","noun":quick"}
(See arguments descriptions for more details)

Return the single element in case the array has only 1 element in it, otherwise return the whole array

Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.

Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm

Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.

Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.

Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.

Check if a given value is true. Will return 'no' otherwise

Gets all currently enabled integration instances.

Converts a date from a different timezone to UTC timezone.

Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.

Utility script to use in playbooks - returns "yes" if the input is non-empty.

Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.

Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".

Retrieves the current date and time.

Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.

Prints an error entry with a given message

Language detection based on Google's language-detection.

Check if number of availble addresses in IPv4 CIDR is lower than given number.

Delete field from context.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Extract a string from an existing string.

Performs a JMESPath search on an input JSON format, when using a transformer.

Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}.

Generate report summaries for the passed incidents.

Pretty-print the contents of the playbook context

Shows a bar chart of the number of Positive Detections out of overall detections

This automation allows the usage of DT scripts within playbooks transformers

Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.

Assign analyst to incident.
By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users).
Otherwise, the analyst will be picked according to the 'assignBy' arguments.
machine-learning: DBot will calculated and decide who is the best analyst for the job.
top-user: The user that is most commonly owns this type of incident
less-busy-user: The less busy analyst will be picked to be the incident owner.
online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users).
current: The user that executed the command

Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.

Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Example of command:
!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"

Decodes an input in Base64 format.

Converts a single string to an array of that string.

Check if a given value is true. Will return 'no' otherwise

Used to extract indicators from Word files (DOC, DOCX).
The script does not extract data from macros (e.g., embedded code).

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Loads a json from string input, and returns a json object result

A context script for hash entities

Find the top malicious ratio indicators.
Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.

Gets a value from the specified incident's context.

Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL.

A context script for Domain entities

Display HTML in the War Room.

A transformer for simple if-then-else logic.

Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.

Checks the given datetime has occured after the provided relative time.

Calculates average score for each indicator from context

This script searches for a value in a context path.

Extract URLs redirected by security tools like Proofpoint.
Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html
Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com

The script receives a list of fields and a context key base path. For example, Key=demisto.result List=username,user and will get all of the values from demisto.result.username and demisto.result.user.
The Get field of the task must have the value ${.=[]}.

Extract indicators from a text-based file.
Indicators that can be extracted:

• IP
• Domain
• URL
• File Hash
• Email Address

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Remove escaping chars from IP
127[.]0[.]0[.]1 -> 127.0.0.1

Compares the labels of two incidents. Returns the labels that are unique to each incident.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

This script finds similar files that can be related to each other by fuzzy hash (SSDeep).

Sends http request. Returns the response as json.

Calculate the time difference, in minutes

This script converts the input value into another value using two lists. The input value is searched in the first list (input_values).
If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned.
If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value".

Example 1:

input_values = "1,2,3,4"
mapper_values = "4,3,2,1"
value = 3

Output would be "2"

Example 2:

input_values ="firstkey: datahere,secondkey: datathere"
mapper_values = "datathere,datahere"
value(dict)= {
"firstkey": "datahere"
}

Output would be:
{
"firstkey": "datathere"
}

The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed.

When the input is a dict, str , int, or list, the output is ALWAYS returned as a string.

Converts XML file entry to JSON format

Verify URL SSL certificate

Convert object keys to match table keys.
Use when mapping object/collection to table (grid) field.
(Array of objects/collections is also supported).
Example:
Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true }
Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }

Load the contents of a file into context.

Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly.
If an array is returned. the first value will be the decision making value.

Gets hashes (MD5,SHA1,SHA256) from context.

Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.

Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)

Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it:

!PrettyPrint value=${incident}

Return the Demisto server version.

Will create an array object in context from given string input

Copy a context key to an incident field of multiple incidents, based on an incident query.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Verify that the CIDRs are valid.

Checks if one number(float) as bigger than the other(float)
Returns yes: if first > second
Returns no: if first <= second
Returns exception if one of the inputs is not a number

Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network

Use this script to avoid DB version errors when simultaneously running multiple linked incidents.

Ask a user a question via email and process the reply directly into the investigation.

Publish entries to incident's context

Whether value is within a date range.

Checks if one percentage is less than another
Returns less: if firstPercentage < secondPercentage
Returns more: if firstPercentage >= secondPercentage
Returns exception if one of the inputs is not a float

Zip a file and upload to war room

List the redirects for a given URL

Mark entries as notes if they are tagged with given tag

Extract regular text from the given HTML

Searches Demisto incidents.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Close the current investigation as duplicate to other investigation.

Try to get the hostname correlated with the input IP.

Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.

Converts string to array.
For example: http://example.com/?score:1,4,time:55 will be transformed to ["http://example.com/?score:1,4,time:55"].

Generates a random UUID (UUID 4).

Converts HTML to Markdown.

After running DeleteContext, this script can repopulate all the file entries in the ${File} context key

Finds similar incidents by common incident keys, labels, custom fields or context keys.
It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type).
For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label).

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Verify that the address is a valid IPv6 address.

This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Placeholders are marked in DT format (i.e. ${incident.id} for incident ID).
Available placeholders for example:

• ${incident.labels.Email/from}
• ${incident.name}
• ${object.value}
  See incident Context Data menu for available placeholders

Note: Sending emails require an active Mail Sender integration instance.

Gather information regarding CIDR -
1. Broadcast_address
2. CIDR
3. First_address
4. Last address
5. Max prefix len
6. Num addresses
7. Private
8. Version

A context script for Email entities

Encode a file as base64 and store it in a Demisto list.

Extracts FQDNs from URLs and emails.

Deprecated. Use the "PhishingDedupPreprocessingRule" script instead.
Find duplicate incidents candidates.
Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.

Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.

Returns 'yes' if integration brand is available. Otherwise returns 'no'

Checks if the supplied URLs are in the specified domains.

Checks an object for an empty value and returns a pre-set default value.

Convert a JSON War Room output via EntryID to a CSV file.

Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started.
In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.

Execute a command on a remote machine (without installing a D2 agent)

Prints text to war room (Markdown supported)

Add DBot score to context for indicators with custom vendor, score, reliability, and type.

Reverse a list
e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"]

This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag)

Script to convert a War Room output JSON File to a CSV file.

Checks whether a port was open on given host.

Returns the length of the string passed as argument

Checks whether a given domain is a subdomain of one of the listed domains.

Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)

Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.

Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.

Extracts regex data from the provided text. The script support groups and looping.

Converts Base64 file in a list to a binary file and upload to warroom

Returns DNS details for a domain

Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0

Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument.
Sets a value into the context with the given context key. Doesn't append by default.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

Tokenize the words in a input text.

Check if list exist in demisto lists.

Checks whether the given value is within the specified time (hour) range.

Gets all IP addresses in context, excluding ones given.

Set indicator reputation to "suspicious" when malicious ratio is above threshold.
Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.

Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.

Get the overall score for the indicator as calculated by DBot.

Set a value in context under the key you entered.

Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html

This stops the scheduled task whose ID is given in the taskID argument.

Collect entries matching to the conditions in the war room

Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info

Removed selected fields from the JSON object.

Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black

Show indicator geo location on map

Lists executed commands in War Room

This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.

This is a thin wrapper around the dateutil.parser.parse function. It will parse a string containing a date/time stamp and return it in ISO 8601 format.

Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a Demisto date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior

Returns yes if the IP is in one of the ranges provided, returns no otherwise.

Sends a HTTP request with advanced capabilities

Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.

Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1

This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class.

The min_* values all default to 0. This means that if the command is executed in this way:
!GeneratePassword max_lcase=10
It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches.

The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.

Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.

Convert an array to a nice table display. Usually, from the context.

Converts XML string to JSON format

The automation takes Excel file (entryID) as an input and parses its content to the war room and context

Runs the polling command repeatedly, completes a blocking manual task when polling is done.