# PFXAnalyzer

This Script is part of the Common Scripts Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This Python script analyzes a PFX (Personal Information Exchange, PKCS #12) file and reports characteristics that are suspicious or noteworthy from a security perspective: whether a private key is present and of what type and size, whether the certificate is self-signed or issued by an untrusted issuer, its validity period and revocation endpoints (CRL and OCSP), and whether the Common Name contains suspicious keywords. The individual findings are collected in a reasons list and summarized in a single suspicious/not-suspicious verdict.

## Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Cortex XSOAR Version | 6.10.0 |

## Inputs

| Argument Name | Description |
| --- | --- |
| fileEntryId | The ID of the file entry from the incident context that contains the PFX file. |
| pfxPassword | Password for the PFX file (if encrypted). |

## Outputs

| Path | Description | Type |
| --- | --- | --- |
| PFXAnalysis.Private_Key_Present | True if a private key was found in the PFX. | boolean |
| PFXAnalysis.Key_Type | Type of the private key (e.g., RSA, ECC). | string |
| PFXAnalysis.Key_Size | Size of the private key in bits (for RSA) or the curve name (for ECC). Note that the curve name is a string even though the declared type is number. | number |
| PFXAnalysis.Certificate_Present | True if a certificate was found in the PFX. | boolean |
| PFXAnalysis.Common_Name | Common Name from the certificate's subject. | string |
| PFXAnalysis.Issuer | Common Name of the certificate's issuer. | string |
| PFXAnalysis.Validity_Start | Certificate validity start date/time (UTC). | date |
| PFXAnalysis.Validity_End | Certificate validity end date/time (UTC). | date |
| PFXAnalysis.Validity_Days | Total number of days the certificate is valid for. | number |
| PFXAnalysis.Self_Signed | True if the certificate is self-signed. | boolean |
| PFXAnalysis.Trusted_Issuer | True if the certificate's issuer is in the predefined trusted list. | boolean |
| PFXAnalysis.CRL_URIs | List of CRL Distribution Point URIs. | string |
| PFXAnalysis.OCSP_URIs | List of OCSP Access Method URIs. | string |
| PFXAnalysis.Suspicious_Keywords_in_CN | True if suspicious keywords were found in the Common Name. | boolean |
| PFXAnalysis.Reasons | A list of all identified suspicious reasons. | string |
| PFXAnalysis.Is_Suspicious | Overall boolean indicator if the PFX is considered suspicious. | boolean |
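The following is an added example, not the PFXAnalyzer script's own source (which this page does not include). It shows how the output fields documented above can be derived from a PFX with the Python `cryptography` library, and how the `pfxPassword` input is applied when the file is opened. The trusted-issuer list, the keyword list, the validity threshold and the `analyze_pfx`/`build_sample_pfx` names are assumptions for illustration only; the sample PFX is constructed in-process so the example runs offline.

```python
from __future__ import annotations

import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Hypothetical policy: the script's real trusted-issuer list, keyword list and thresholds are not on this page.
TRUSTED_ISSUER_CNS = {"DigiCert Global Root G2", "ISRG Root X1"}
SUSPICIOUS_CN_KEYWORDS = ("test", "temp", "localhost", "admin")
MAX_VALIDITY_DAYS = 825
URI = x509.UniformResourceIdentifier


def _cn(name: x509.Name) -> str:
    attrs = name.get_attributes_for_oid(NameOID.COMMON_NAME)
    return str(attrs[0].value) if attrs else ""


def _utc(cert: x509.Certificate, attr: str) -> dt.datetime:  # cryptography >= 42 has tz-aware *_utc props
    val = getattr(cert, attr + "_utc", None)
    return val if val is not None else getattr(cert, attr).replace(tzinfo=dt.timezone.utc)


def _revocation_uris(cert: x509.Certificate) -> tuple[list[str], list[str]]:
    """CRL distribution point URIs and OCSP responder URIs (from the AIA extension), if present."""
    crl, ocsp = [], []
    try:
        for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
            crl += [gn.value for gn in (dp.full_name or []) if isinstance(gn, URI)]
    except x509.ExtensionNotFound:
        pass
    try:
        for ad in cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value:
            if ad.access_method == AuthorityInformationAccessOID.OCSP and isinstance(ad.access_location, URI):
                ocsp.append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return crl, ocsp


def analyze_pfx(pfx_bytes: bytes, password: str | None = None) -> dict:
    """Return a dict keyed like the PFXAnalysis.* outputs; a wrong password raises ValueError."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password.encode() if password else None)
    reasons: list[str] = []
    key_type = key_size = None
    if isinstance(key, rsa.RSAPrivateKey):
        key_type, key_size = "RSA", key.key_size
    elif isinstance(key, ec.EllipticCurvePrivateKey):
        key_type, key_size = "ECC", key.curve.name  # a curve name string, not a bit count
    elif key is None:
        reasons.append("No private key in PFX")
    out = {"Private_Key_Present": key is not None, "Key_Type": key_type, "Key_Size": key_size,
           "Certificate_Present": cert is not None, "Reasons": reasons}
    if cert is None:
        reasons.append("No certificate in PFX")
        out["Is_Suspicious"] = True
        return out
    cn, issuer_cn = _cn(cert.subject), _cn(cert.issuer)
    start, end = _utc(cert, "not_valid_before"), _utc(cert, "not_valid_after")
    crl, ocsp = _revocation_uris(cert)
    hits = [k for k in SUSPICIOUS_CN_KEYWORDS if k in cn.lower()]
    out.update({
        "Common_Name": cn, "Issuer": issuer_cn, "Validity_Start": start.isoformat(),
        "Validity_End": end.isoformat(), "Validity_Days": (end - start).days,
        "Self_Signed": cert.issuer == cert.subject,  # name match only; the signature is not verified
        "Trusted_Issuer": issuer_cn in TRUSTED_ISSUER_CNS, "CRL_URIs": crl, "OCSP_URIs": ocsp,
        "Suspicious_Keywords_in_CN": bool(hits)})
    if out["Self_Signed"]:
        reasons.append("Certificate is self-signed")
    if not out["Trusted_Issuer"]:
        reasons.append(f"Issuer not in trusted list: {issuer_cn!r}")
    if hits:
        reasons.append("Suspicious keyword(s) in CN: " + ", ".join(hits))
    if out["Validity_Days"] > MAX_VALIDITY_DAYS:
        reasons.append(f"Validity of {out['Validity_Days']} days exceeds {MAX_VALIDITY_DAYS}")
    if not crl and not ocsp:
        reasons.append("No CRL or OCSP endpoint in certificate")
    out["Is_Suspicious"] = bool(reasons)
    return out


def build_sample_pfx(password: bytes = b"secret", use_ec: bool = False) -> bytes:
    """Constructed test input, not a real-world PFX: a self-signed cert with CRL and OCSP pointers."""
    key = ec.generate_private_key(ec.SECP256R1()) if use_ec else rsa.generate_private_key(65537, 2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test-vpn.local")])
    crl_dp = x509.DistributionPoint([URI("http://crl.example.test/ca.crl")], None, None, None)
    ocsp = x509.AccessDescription(AuthorityInformationAccessOID.OCSP, URI("http://ocsp.example.test"))
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc))
        .not_valid_after(dt.datetime(2034, 1, 1, tzinfo=dt.timezone.utc))
        .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
        .add_extension(x509.AuthorityInformationAccess([ocsp]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(b"sample", key, cert, None,
                                                 serialization.BestAvailableEncryption(password))
```

Three points worth noting when reading the output against the table above: `Key_Size` is an integer for RSA but the curve name string for ECC, so downstream playbook conditions should not assume a number; the self-signed check here compares subject and issuer names only and does not verify the certificate's signature with its own public key; and a wrong or missing `pfxPassword` surfaces as a `ValueError` from `load_key_and_certificates`, which a script would want to report as an error entry rather than as a "not suspicious" result.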