Skip to main content

Command-Line Analysis

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook takes a command line from the alert and performs the following actions:

  • Checks for base64 string and decodes if exists
  • Extracts and enriches indicators from the command line
  • Checks specific arguments for malicious usage

At the end of the playbook, it sets a possible verdict for the command line, based on the finding:

  1. Indicators found in the command line
  2. Found AMSI techniques
  3. Found suspicious parameters
  4. Usage of malicious tools
  5. Indication of network activity
  6. Indication of suspicious LOLBIN execution

Note: In case you are wishing to run this playbook with a list of command lines, set this playbook to be running in a loop. To do so, navigate to the 'Loop' and check "For Each Input".


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Compare Process Execution Arguments To LOLBAS Patterns


This playbook does not use any integrations.


  • DeleteContext
  • Set
  • Base64Decode
  • MatchRegexV2


  • extractIndicators

Playbook Inputs#

NameDescriptionDefault ValueRequired
CommandlineThe command line.Optional
StringSimilarityThresholdStringSimilarity automation threshold. Used by the Compare "Process Execution Arguments To LOLBAS Patterns" sub-playbook. This input controls the StringSimilarity automation threshold.0.5Optional

Playbook Outputs#

MatchRegexThe regex found in the command lineunknown
IndicatorsIndicators extracted from the command lineunknown
commandline.originalThe original command lineunknown
commandline.decodedThe decoded command lineunknown
CommandlineVerdictThe command line verdictunknown
IPThe IP object.unknown
URLThe URL object.uknown
FileThe file object.unknown
DomainThe domain object.unknown

Playbook Image#

Command-Line Analysis