
Command-Line Analysis

This Playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook takes the command line from the alert and performs the following actions:

  • Checks for a base64 string and decodes it if one exists
  • Extracts and enriches indicators from the command line
  • Checks specific arguments for malicious usage

At the end of the playbook, it sets a possible verdict for the command line, based on the findings:

  1. Indicators found in the command line
  2. Found AMSI techniques
  3. Found suspicious parameters
  4. Usage of malicious tools
  5. Indication of network activity
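
The steps above, as an added example written for this page: a plain-Python sketch of the playbook's flow (base64 detection and decoding, indicator extraction, argument checks, and the verdict list). It is not the playbook's own logic and does not use its scripts (MatchRegexV2, Base64Decode, Set) or commands; the regex and keyword lists, the category names, and both sample command lines are illustrative assumptions constructed for the example.

```python
import base64
import binascii
import json
import re

# Base64 run of 20+ alphabet characters, not glued to other base64-looking text (assumed pattern).
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{20,}={0,2})(?![A-Za-z0-9+/=])")

# Indicator extractors: an assumed subset of what an indicator-extraction step would return.
INDICATOR_RES = {
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\b(?:https?|ftp)://[^\s'\"<>]+", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|xyz|top)\b", re.IGNORECASE),
}

# Argument checks grouped by the verdict category they feed (assumed, illustrative lists).
CHECKS = {
    "suspicious_parameters": [
        ("no profile", r"-nop\b"),
        ("hidden window", r"-w(?:indowstyle)?\s+hidden"),
        ("encoded command", r"-e(?:nc|ncodedcommand)?\b"),
        ("execution policy bypass", r"-e(?:p|xecutionpolicy)\s+bypass"),
    ],
    "amsi": [("AMSI reference", r"amsi(?:utils|context|initfailed|scanbuffer)")],
    "malicious_tools": [
        ("mimikatz", r"mimikatz"),
        ("psexec", r"psexec"),
        ("procdump", r"procdump"),
    ],
    "network": [
        ("PowerShell web cmdlet", r"invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b"),
        ("WebClient download", r"downloadstring|downloadfile|net\.webclient"),
        ("command-line downloader", r"\bcurl\b|\bwget\b|certutil.*-urlcache|bitsadmin.*/transfer"),
    ],
}

# Verdict strings in the order the playbook description lists them.
VERDICT_LABELS = [
    ("indicators", "Indicators found in the command line"),
    ("amsi", "Found AMSI techniques"),
    ("suspicious_parameters", "Found suspicious parameters"),
    ("malicious_tools", "Usage of malicious tools"),
    ("network", "Indication of network activity"),
]


def decode_base64_strings(cmd):
    """Return decoded text for every base64-looking token in cmd (step 1)."""
    decoded = []
    for match in BASE64_RE.finditer(cmd):
        token = match.group(1)
        padded = token + "=" * (-len(token) % 4)  # restore padding stripped by quoting
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        # PowerShell's -EncodedCommand is UTF-16LE; fall back to UTF-8. Only keep
        # printable ASCII results so a long alphanumeric word is not "decoded" into noise.
        for encoding in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if text and all(c.isascii() and (c.isprintable() or c.isspace()) for c in text):
                decoded.append(text)
                break
    return decoded


def extract_indicators(text):
    """Return ordered, de-duplicated indicators per type (step 2)."""
    return {kind: list(dict.fromkeys(rx.findall(text))) for kind, rx in INDICATOR_RES.items()}


def run_checks(text):
    """Return the labels of every check that fires, per category (step 3)."""
    return {
        category: [label for label, pattern in checks if re.search(pattern, text, re.IGNORECASE)]
        for category, checks in CHECKS.items()
    }


def analyze_command_line(cmd):
    """Run all steps and derive the verdict list; an empty list means nothing fired."""
    decoded = decode_base64_strings(cmd)
    text = "\n".join([cmd, *decoded])  # analyse the raw line plus its decoded payloads
    indicators = extract_indicators(text)
    matches = run_checks(text)
    hits = {"indicators": any(indicators.values()), **{k: bool(v) for k, v in matches.items()}}
    verdict = [label for key, label in VERDICT_LABELS if hits[key]]
    return {"commandline": cmd, "decoded": decoded, "indicators": indicators,
            "matches": matches, "verdict": verdict}


# Constructed samples (TEST-NET-3 address). The encoded one is built here so the base64 is exact.
_PLAIN = "Invoke-WebRequest -Uri http://203.0.113.5/update.txt"
SAMPLE_ENCODED = "powershell.exe -nop -w hidden -enc " + base64.b64encode(_PLAIN.encode("utf-16-le")).decode("ascii")
SAMPLE_BENIGN = r"notepad.exe C:\Users\alice\notes.txt"

if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_BENIGN):
        print(json.dumps(analyze_command_line(sample), indent=2))
```

Decoding is tried as UTF-16LE before UTF-8 because that is the encoding PowerShell uses for encoded commands, and the checks run over the raw line joined with its decoded payloads, so an indicator or cmdlet hidden inside the base64 still reaches the verdict.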


Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

This playbook does not use any sub-playbooks.

Integrations#

This playbook does not use any integrations.

Scripts#

  • MatchRegexV2
  • Base64Decode
  • Set

Commands#

  • enrichIndicators
  • extractIndicators

Playbook Inputs#

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Commandline | The command line. |  | Required |

Playbook Outputs#

| Path | Description | Type |
| --- | --- | --- |
| MatchRegex | The regex found in the command line | unknown |
| Indicators | Indicators extracted from the command line | unknown |
| commandline | The command line | unknown |
| CommandlineVerdict | The command line verdict | unknown |

Playbook Image#

Command-Line Analysis