Community Common Scripts

Tests whether left side version number is equal to right side version number.
Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0

This transformer will get an index of an element from an array.
ex:["phishing","Malware"], if we provide "Malware" to array_value argument, will get index as 1.

randomly select elements from a list in Python

This automation is being executed by the "GetFilePathPreProcessing" pre-processing script that collects the paths and names of attachments of an incoming incident, then passes it to this automation that reads the files and creates them in an existing incident

Calculates the time span between two dates using Powershell's New-TimeSpan command.

A timespan with a start date of "2022-04-02T15:42:48" and end date of "2022-04-12T16:55:07" would return the following:

Days : 10
Hours : 1
Minutes : 12
Seconds : 19
Milliseconds : 0
Ticks : 8683390000000
TotalDays : 10.0502199074074
TotalHours : 241.205277777778
TotalMinutes : 14472.3166666667
TotalSeconds : 868339
TotalMilliseconds : 868339000

Tests whether left side version number is greater than right side version number.

Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0

deletes expired indicators.

Converts unix time to AD Integer8 time. This is used in many AD date fields like pwdLastSet.

An automation script to return subnet collision result

Run JQ Query.

Check these links:

• https://stedolan.github.io/jq/manual/#Invokingjq
• https://jqplay.org/

Compares two lists.

Defangs IP, Mail and URL address to prevent them from being recognized.

An automation script to return address IANA information

Converts JSON objects to HTML tables.

Display warroom entries in a dynamic section which are tagged with 'report'

Display the indicator context object in markdown format in a dynamic section layout

Use this automation to create an EDL instance on XSOAR.

Will create an array object in context from a given string input , allowing for duplicate values to be retained

Output is to ContextKey.array as JSON does not permit duplicate key names

e.g., ContextKey.array.value1, ContextKey.array.value2, ContextKey.array.value3, etc.

Creates external ask links for the Ask task with the given name.

Use this automation to delete incidents using query parameter with the same format as used in incidents search. Core REST API integration instance should be created.

Converts Markdown to HTML.

This transformer will invert every two items in an array.
Example:
["A", "B", "C", "D"]
Result:
["B", "A", "D", "C"]

If the total of items in the array is an odd number the last item will be removed
Example:
["A", "B", "C", "D", "E"]
Result:
["B", "A", "D", "C"]

If the item is not an array the output will be same passed object.

Purpose: This automation will produce docx file detailing the tasks in the given playbook. It can produce a table or paragraph format of the report.

Author: Mahmood Azmat

Input1: Name of the playbook (Mandatory)
Input2: Format type needed. Table or Paragraph. Paragraph is default.
Input3: Name of the docx file that will be produced. Give the full name including the ".docx" extension. (Mandatory)

Requirements: This automation requires "Core REST API" integration enabled and connected to the XSOAR itself. Automation uses it to read the objects of the playbook.

Redactindicator can help you to defang/redact any kind of indicator (IPv4, url, domain and email), IP addresses will be in the dotted representation like 8.8.8[.].8, all domains will be example[.]com. Optional you can define a "searchkey" which does not to be case sensitive, which will be replaced as <REDACTED>.

Retrieves fields from an object using dot notation

Deprecated. Use RetrievePlaybookDependencies instead. Retrieves all Playbook (and Sub-Playbook) Names and Integrations for a provided Playbook name

This automation is for comparing array(list) data of context to existing lists on XSOAR server. You can avoid using loop of sub-playbook.
inputArray: the context array/list data
listName: the XSOAR system list.

Delete indicators based on query, values, or IDs.

Advanced Filter. It enables you to make filters with complex conditions.

This transformer will take in a value and transform it based on multiple regular expressions defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be:

"desired outcome": "regex to match"

For example:

{
"Match 1": ".match 1.",
"Match 2": ".match 2.",
"Catch all": ".*"
}

The transformer will match in order of dictionary entries.

This transformer will get list of array elements by providing keyword. List data format
[
{
"folder": "abc",
"username": "test"
},
{
"folder": "def",
"username": "test123"
},
{
"folder": "ghi",
"username": "admin"
}
]

Returns indicator custom fields into the context by the given query.

This transformer convert the Epoch or UTC timestamp to desired stamp

This automation script will pull a random image from https://images.nasa.gov based on the search parameter provided. If the script is used within a widget, it will output an image in markdown format. If it is used anywhere else it will output an image in markdown format and also context data.

Gets the minimum value from list
e.g. ["25", "10", "25"] => "10"

Use this automation to check for validity of your SSL certificate and get the time until expiration.

This is a pre-processing script that is used to create the attachments of incoming incidents in an existing incident, then drop the incoming incident.
It should be configured as a pre-processing rule, and the logic for finding the right incident should be added to the code manually.
The automation collects the paths and names of the attachments of the incoming incident and passes it to the "CreateFileFromPathObject" automation that is being executed on the existing incident

Script to create a perceptual hash of an image (or file) stored in the incident. Wrapps https://pypi.org/project/ImageHash/

Tests whether left side version number is less than right side version number.

Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0

Generate a list of random dictionaries, using Faker Python library. For more information, please visit https://faker.readthedocs.io

An automation script to return address in binary format

This Automation takes in a string of comma separated items and returns a dictionary of with the defined chunk size.

Get the final verdict from the DBotScore of the context.
Provided that it has all of the latest source verdict, this script gives you the right final verdict.

Returns the current datetime as an epoch value for use in timestamp comparisons.

An automation script to return subnet addresses

The automation removes evidence based on a query performed on the evidence content,
if the provided string is found within the evidence- it will be removed.

Strip accent marks (diacritics) from a given string.
For example: "Niño שָׁלוֹם Montréal اَلسَّلَامُ عَلَيْكُمْ‎"
Will return: "Nino שלום Montreal السلام عليكم"

Converts the given time to an LDAP timestamp.

Retrieves all Playbook (and Sub-Playbook) Names, Integrations, Automation Scripts, Commands not using-brand, and lists for a provided Playbook name. Also accepts inputs for incident types, layouts, incident fields, indicator fields, jobs, mappers, and pre-process rules connected to the parent playbook. Results can be output as an HTML or Markdown list.

An Automation Script to return subnet broadcast address

An Automation Script to return subnet network ID

Gets the maximum value from list
e.g. ["25", "10", "25"] => "25"

This automation script will pull a random image from https://images.nasa.gov based on the search parameter provided. If the script is used within a widget, it will output an image in markdown format. If it is used anywhere else it will output an image in markdown format and also context data.

Converts unix time to AD Integer8 time. This is used in many AD date fields like pwdLastSet.

This transformer will take in a value and transform it based on multiple regular expressions defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be:

"desired outcome": "regex to match"

For example:

{
"Match 1": ".match 1.",
"Match 2": ".match 2.",
"Catch all": ".*"
}

The transformer will match in order of dictionary entries.

This transformer will get list of array elements by providing keyword. List data format
[
{
"folder": "abc",
"username": "test"
},
{
"folder": "def",
"username": "test123"
},
{
"folder": "ghi",
"username": "admin"
}
]

Tests whether left side version number is less than right side version number.

Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0

This is a pre-processing script that is used to create the attachments of incoming incidents in an existing incident, then drop the incoming incident.
It should be configured as a pre-processing rule, and the logic for finding the right incident should be added to the code manually.
The automation collects the paths and names of the attachments of the incoming incident and passes it to the "CreateFileFromPathObject" automation that is being executed on the existing incident

Compares two lists.

Strip accent marks (diacritics) from a given string.
For example: "Niño שָׁלוֹם Montréal اَلسَّلَامُ عَلَيْكُمْ‎"
Will return: "Nino שלום Montreal السلام عليكم"

This transformer will invert every two items in an array.
Example:
["A", "B", "C", "D"]
Result:
["B", "A", "D", "C"]

If the total of items in the array is an odd number the last item will be removed
Example:
["A", "B", "C", "D", "E"]
Result:
["B", "A", "D", "C"]

If the item is not an array the output will be same passed object.

Delete indicators based on query, values, or IDs.

Retrieves all Playbook (and Sub-Playbook) Names, Integrations, Automation Scripts, Commands not using-brand, and lists for a provided Playbook name. Also accepts inputs for incident types, layouts, incident fields, indicator fields, jobs, mappers, and pre-process rules connected to the parent playbook. Results can be output as an HTML or Markdown list.

This transformer will get an index of an element from an array.
ex:["phishing","Malware"], if we provide "Malware" to array_value argument, will get index as 1.

Run JQ Query.

Check these links:

• https://stedolan.github.io/jq/manual/#Invokingjq
• https://jqplay.org/

Will create an array object in context from a given string input , allowing for duplicate values to be retained

Output is to ContextKey.array as JSON does not permit duplicate key names

e.g., ContextKey.array.value1, ContextKey.array.value2, ContextKey.array.value3, etc.

Returns indicator custom fields into the context by the given query.

randomly select elements from a list in Python

Display warroom entries in a dynamic section which are tagged with 'report'

Retrieves fields from an object using dot notation

Use this automation to delete incidents using query parameter with the same format as used in incidents search. Core REST API integration instance should be created.

Use this automation to delete alerts using query parameter with the same format as used in alerts search. Core REST API integration instance should be created.

The automation removes evidence based on a query performed on the evidence content,
if the provided string is found within the evidence- it will be removed.

This automation is being executed by the "GetFilePathPreProcessing" pre-processing script that collects the paths and names of attachments of an incoming incident, then passes it to this automation that reads the files and creates them in an existing incident

An automation script to return address IANA information

Generate a list of random dictionaries, using Faker Python library. For more information, please visit https://faker.readthedocs.io

deletes expired indicators.

Calculates the time span between two dates using Powershell's New-TimeSpan command.

A timespan with a start date of "2022-04-02T15:42:48" and end date of "2022-04-12T16:55:07" would return the following:

Days : 10
Hours : 1
Minutes : 12
Seconds : 19
Milliseconds : 0
Ticks : 8683390000000
TotalDays : 10.0502199074074
TotalHours : 241.205277777778
TotalMinutes : 14472.3166666667
TotalSeconds : 868339
TotalMilliseconds : 868339000

Converts JSON objects to HTML tables.

Use this automation to create an EDL instance on XSOAR.

Purpose: This automation will produce docx file detailing the tasks in the given playbook. It can produce a table or paragraph format of the report.

Author: Mahmood Azmat

Input1: Name of the playbook (Mandatory)
Input2: Format type needed. Table or Paragraph. Paragraph is default.
Input3: Name of the docx file that will be produced. Give the full name including the ".docx" extension. (Mandatory)

Requirements: This automation requires "Core REST API" integration enabled and connected to the XSOAR itself. Automation uses it to read the objects of the playbook.

Gets the maximum value from list
e.g. ["25", "10", "25"] => "25"

Redactindicator can help you to defang/redact any kind of indicator (IPv4, url, domain and email), IP addresses will be in the dotted representation like 8.8.8[.].8, all domains will be example[.]com. Optional you can define a "searchkey" which does not to be case sensitive, which will be replaced as <REDACTED>.

Deprecated. Use RetrievePlaybookDependencies instead. Retrieves all Playbook (and Sub-Playbook) Names and Integrations for a provided Playbook name

Converts Markdown to HTML.

Defangs IP, Mail and URL address to prevent them from being recognized.

Get the final verdict from the DBotScore of the context.
Provided that it has all of the latest source verdict, this script gives you the right final verdict.

This transformer convert the Epoch or UTC timestamp to desired stamp

Tests whether left side version number is equal to right side version number.
Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0

An Automation Script to return subnet broadcast address

Tests whether left side version number is greater than right side version number.

Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0

Creates external ask links for the Ask task with the given name.

Returns the current datetime as an epoch value for use in timestamp comparisons.

Gets the minimum value from list
e.g. ["25", "10", "25"] => "10"

An automation script to return subnet collision result

Converts the given time to an LDAP timestamp.

This automation is for comparing array(list) data of context to existing lists on XSOAR server. You can avoid using loop of sub-playbook.
inputArray: the context array/list data
listName: the XSOAR system list.

Advanced Filter. It enables you to make filters with complex conditions.

An Automation Script to return subnet network ID

Display the indicator context object in markdown format in a dynamic section layout

An automation script to return subnet addresses

This Automation takes in a string of comma separated items and returns a dictionary of with the defined chunk size.

Use this automation to check for validity of your SSL certificate and get the time until expiration.

An automation script to return address in binary format

Script to create a perceptual hash of an image (or file) stored in the incident. Wrapps https://pypi.org/project/ImageHash/