Common Scripts | Cortex XSOAR

Details
Content
Version History

Frequently used scripts pack.

PUBLISHER

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex XSOAR
Created	July 27, 2020
Last Release	October 18, 2021

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Automations

Name	Description
HTMLtoMD	Converts HTML to Markdown.
ListUsedDockerImages	List all Docker images that are in use by the installed integrations and automations.
ConvertXmlFileToJson	Converts XML file entry to JSON format
BetweenDates	Whether value is within a date range.
ParseCSV	This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
CompareIncidentsLabels	Compares the labels of two incidents. Returns the labels that are unique to each incident.
SCPPullFiles	Take a list of devices and pull a specific file (given by path) from each using SCP
EmailDomainSquattingReputation	Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm
IsTrue	Check if a given value is true. Will return 'no' otherwise
UnEscapeURLs	Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
LanguageDetect	Language detection based on Google's language-detection.
ContextContains	This script searches for a value in a context path.
ParseJSON	Parse a given JSON string "value" to a representative object. Example: "{'a':'value'}" => { a: "value"}.
JoinIfSingleElementOnly	Return the single element in case the array has only 1 element in it, otherwise return the whole array
CheckFieldValue	This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
StringToArray	Converts string to array. For example: `http://example.com/?score:1,4,time:55` will be transformed to `["http://example.com/?score:1,4,time:55"]`.
WordTokenizer	Tokenize the words in a input text.
ContextGetEmails	Gets all email addresses in context, excluding ones given.
JSONtoCSV	Convert a JSON warroom output via EntryID to a CSV file.
BinarySearchPy	Search for a binary on an endpoint using Carbon Black
OnionURLReputation	This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
CheckSenderDomainDistance	Get the string distance for the sender from our domain
ContextFilter	Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
WhereFieldEquals	Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument E.g. !WhereFieldEquals with the following arguments: value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }] field='type' equalTo='IP' getField='name' Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2']
ChangeRemediationSLAOnSevChange	Changes the remediation SLA once a change in incident severity occurs. This is done automatically and the changes can be configured to your needs.
GetEnabledInstances	Gets all currently enabled integration instances.
LastArrayElement	Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.
UnPackFile	UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
EditServerConfig	Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.
Exists	Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.
PrintRaw	Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
IncreaseIncidentSeverity	Optionally increases the incident severity to the new value if it is greater than the existing severity.
IsNotInCidrRanges	Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges.
LowerCidrNumAddresses	Check if number of availble addresses in IPv4 CIDR is lower than given number.
ExtractAttackPattern	Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
GreaterCidrNumAddresses	Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number.
IsListExist	Check if list exist in demisto lists.
Sleep	Sleep for X seconds
Base64Decode	Decodes an input in Base64 format.
IsInternalDomainName	This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
ProductJoin	Returns the product of two lists, joined by a separator, as a list of strings.
IPReputation	A context script for IP entities
IsIPInRanges	Returns yes if the IP is in one of the ranges provided, returns no otherwise.
ProvidesCommand	Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.
SendEmailOnSLABreach	Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.
IsInternalHostName	Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
JSONFileToCSV	Script to convert a JSON File waroom output to a CSV file.
DisplayHTML	Display HTML in the War Room.
PublishEntriesToContext	Publish entries to incident's context
CalculateTimeDifference	Calculate the time difference, in minutes
FormattedDateToEpoch	Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a Demisto date field. Uses the python strptime format. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior
PortListenCheck	Checks whether a port was open on given host.
EmailDomainBlacklist	Accepts an array of domains as a blacklist, and a list of email addresses. The script then filters out any email address whose domain is in the blacklist. The filtered list will be returned as an array.
FilterByList	Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.
SetMultipleValues	Set multiple keys/values to the context.
IPv4Whitelist	Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.
MathUtil	Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument
ZipFile	Zip a file and upload to war room
LoadJSON	Loads a json from string input, and returns a json object result
CheckContextValue	This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.
AssignAnalystToIncident	Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command
IndicatorMaliciousRatioCalculation	Return indicators appears in resolved incidents, and resolved incident ids.
IsUrlPartOfDomain	Checks if the supplied URLs are in the specified domains.
FileReputation	A context script for hash entities
DBotClosedIncidentsPercentage	Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts
ExtractDomainFromUrlAndEmail	Extract Domain(s) from URL(s) and/or Email(s)
GetFieldsByIncidentType	Returns the incident field names associated to the specified incident type.
AddDBotScoreToContext	Add DBot score to context for indicators with custom vendor, score, reliability, and type.
ConvertToSingleElementArray	Converts a single string to an array of that string.
PcapHTTPExtractor	Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.
RemoteExec	Execute a command on a remote machine (without installing a D2 agent)
CEFParser	Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.
SetAndHandleEmpty	Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
FeedRelatedIndicatorsWidget	Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
RunPollingCommand	Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task.
BetweenHours	Checks whether the given value is within the specified time (hour) range.
AreValuesEqual	Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.
IsRFC1918Address	A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network
ConvertFile	Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0
ReadFile	Load the contents of a file into context.
ExportToCSV	Export given array to csv file
DeleteContext	Delete field from context
SetTime	Fill the current time in a custom incident field
CopyContextToField	Copy a context key to an incident field of multiple incidents, based on an incident query.
ConvertXmlToJson	Converts XML string to JSON format
StringReplace	Replaces regex match/es in string. Returns the string after replace was preformed.
Base64ListToFile	Converts Base64 file in a list to a binary file and upload to warroom
MapValuesTransformer	This script converts the input value into another value using two lists. The input value is searched in the first list (input_values). If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned. If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value". Example 1: input_values = "1,2,3,4" mapper_values = "4,3,2,1" value = 3 Output would be "2" Example 2: input_values ="firstkey: datahere,secondkey: datathere" mapper_values = "datathere,datahere" value(dict)= { "firstkey": "datahere" } Output would be: { "firstkey": "datathere" } The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str , int, or list, the output is ALWAYS returned as a string.
MarkRelatedIncidents	Marks given incidents as related to current incident
ContainsCreditCardInfo	Check if a given value is true. Will return 'no' otherwise
HTTPListRedirects	List the redirects for a given URL
ToTable	Convert an array to a nice table display. Usually, from the context.
GenerateSummaryReports	Generate report summaries for the passed incidents.
SendMessageToOnlineUsers	Send message to Demisto online users over Email, Slack, Mattermost or all.
SetDateField	Sets a custom incident field with current date
IncidentAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
TimeStampCompare	Compares a single timestamp to a list of timestamps.
ShowOnMap	Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).
EmailDomainWhitelist	Accepts an array of domains as a whitelist, and a list of email addresses. The script then filters out any email address whose domain is not in the whitelist. The filtered list will be returned as an array.
MatchRegexV2	Extracts regex data from the provided text. The script support groups and looping.
CopyNotesToIncident	Copy all entries marked as notes from current incident to another incident.
CreateArray	Will create an array object in context from given string input
Print	Prints text to war room (Markdown supported)
NumberOfPhishingAttemptPerUser	Shows a bar chart of the number of incident the 'To' and 'From' email addresses. appeared on
EmailAskUser	Ask a user a question via email and process the reply directly into the investigation.
Base64Encode	Will encode an input using Base64 format.
NotInContextVerification	Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.
PopulateCriticalAssets	Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".
RegexExtractAll	Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways: It returns all matches of the specified pattern, not just specific groups. This is useful for extracting things using a pattern where the content of the source string is indeterminate, such as extracting all email addresses. Some "convenience" arguments have been added to enhance usability: multi-line, ignore_case, period_matches_newline Added a new argument, "error_if_no_match". The script will not ordinarily throw an error if a match is not found but if not using as a transformer within a playbook, it may, in certain limited circumstances, be desirable to throw an error if the expression doesn't match. It uses the 'regex' library, which supports more some more advanced regex functionality than the standard 're' library. For more info, see https://pypi.org/project/regex/.
UnzipFile	Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.
IsInCidrRanges	Determines whether an IPv4 address is contained in one or more comma-delimited CIDR ranges.
GetIndicatorDBotScore	Add into the incident's context the system internal DBot score for the input indicator.
LinkIncidentsWithRetry	Use this script to avoid DB version errors when simultaneously running multiple linked incidents.
ContextGetHashes	Gets hashes (MD5,SHA1,SHA256) from context.
GetListRow	Parses a list by header and value.
ContextGetIps	Gets all IP addresses in context, excluding ones given.
IdentifyAttachedEmail	Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.
findIncidentsWithIndicator	Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output
MapValues	Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1
Cut	Cut a string by delimiter and return specific fields. Example input: "A-B-C-D-E" delimiter: "-" fields: "1,5" return: "A-E"
URLSSLVerification	Verify URL SSL certificate
GetDockerImageLatestTag	Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.
ShowScheduledEntries	Show all scheduled entries for specific incident.
ShowLocationOnMap	Show indicator geo location on map
EmailAskUserResponse	Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
AddKeyToList	Adds/Replaces a key in key/value store backed by an XSOAR list.
GetTime	Retrieves the current date and time.
commentsToContext	Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
EncodeToAscii	Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)
ScheduleCommand	Schedule a command to run inside the war room at a future time (once or reoccurring)
URLNumberOfAds	Fetches the numbers of ads in the given url
ParseWordDoc	Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.
ContextGetPathForString	Searches for string in context and returns context path, returns null if not found.
hideFieldsOnNewIncident	When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
StopScheduledTask	This stops the scheduled task whose ID is given in the taskID argument.
StripChars	Strip set of characters from prefix and/or suffix e.g. StripChar value=~!!~www.mydomain.com~!~!~ chars=!~ will return www.mydomain.com
GetDomainDNSDetails	Returns DNS details for a domain
StopTimeToAssignOnOwnerChange	Stops the "Time To Assign" timer if the owner of the incident was changed.
SearchIncidentsV2	Searches Demisto incidents
ExampleJSScript	This is only an example script, to showcase how to use and write JavaScript scripts
ConvertDatetoUTC	Converts a date from a different timezone to UTC timezone.
isError	Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
FileToBase64List	Encode a file as base64 and store it in a Demisto list.
IsIntegrationAvailable	Returns 'yes' if integration brand is available. Otherwise returns 'no'
FirstArrayElement	Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.
GenerateInvestigationSummaryReport	A script to generate investigation summary report in an automated way Can be used in post-processing flow as well.
StringContainsArray	Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.
CountArraySize	Count an array size
GenerateRandomUUID	Generates a random UUID (UUID 4).
SetByIncidentId	Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default.
ReverseList	Reverse a list e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"] This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag)
MaliciousRatioReputation	Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.
DateStringToISOFormat	This is a thin wrapper around the `dateutil.parser.parse` function. It will parse a string containing a date/time stamp and return it in ISO 8601 format.
ExtractDomainAndFQDNFromUrlAndEmail	Extracts domains and FQDNs from URLs and emails.
IncidentFields	Returns a dict of all incident fields that exist in the system.
ParseHTMLIndicators	This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
Ping	Pings an IP or url address, to verify it's up
URLEncode	Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.
ResolveShortenedURL	Resolve the original URL from the given shortened URL and place it in both as output and in the context of a playbook. (https://unshorten.me/api)
listExecutedCommands	Lists executed commands in War Room
ModifyDateTime	Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format.
AddEvidence	Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)
ParseExcel	The automation takes Excel file (entryID) as an input and parses its content to the war room and context
Set	Set a value in context under the key you entered.
If-Then-Else	A transformer for simple if-then-else logic.
PositiveDetectionsVSDetectionEngines	Shows a bar chart of the number of Positive Detections out of overall detections
RunDockerCommand	This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.
IsValueInArray	Indicates whether a given value is a member of given array
InRange	checks if left side is in range of right side (from,to anotation) e.g. - InRange left=4right=1,8 will return true.
FailedInstances	Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
GetDuplicatesMlv2	Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments.
ExtractFQDNFromUrlAndEmail	Extracts FQDNs from URLs and emails.
LessThanPercentage	Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float
ConvertKeysToTableFieldFormat	Convert object keys to match table keys. Use when mapping object/collection to table (grid) field. (Array of objects/collections is also supported). Example: Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true } Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }
TimeStampToDate	Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'
ExtractEmailV2	Verifies that an email address is valid and only returns the address if it is valid.
ExtractHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: If table has a single column, just create an array of strings from the values If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value If table has a header row, create a table of objects where attribute names are the headers If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…
ChangeContext	Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.
URLReputation	A context script for URL entities
FileCreateAndUpload	Will create a file (using the given data input or entry ID) and upload it to current investigation war room.
EmailReputation	A context script for Email entities
TopMaliciousRatioIndicators	Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
SumList	Sums a List e.g. ["25", "10", "25"] => "60" This is an example for number transformer.
SSDeepReputation	Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
RegexGroups	Extraction of elements which are contained in all the subgroups of the match to the pattern. For example, extracting from the string "The quick brown fox" the object `{"article":"The","noun":quick"}` (See arguments descriptions for more details)
PDFUnlocker	Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.
GeneratePassword	This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
JsonToTable	Accepts a json object and returns a markdown.
GetByIncidentId	Gets a value from the specified incident's context.
CloseInvestigationAsDuplicate	Close the current investigation as duplicate to other investigation.
ConvertTableToHTML	Converts a given array to an HTML table
GenericPollingScheduledTask	Runs the polling command repeatedly, completes a blocking manual task when polling is done.
CreateIndicatorsFromSTIX	Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0.
DT	This automation allows the usage of DT scripts within playbooks transformers
SetIfEmpty	Checks an object for an empty value and returns a pre-set default value.
ParseEmailFiles	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.
DumpJSON	Dumps a json from context key input, and returns a json object string result
RepopulateFiles	After running DeleteContext, this script can repopulate all the file entries in the ${File} context key
AfterRelativeDate	Checks the given datetime has occured after the provided relative time.
PrettyPrint	Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}
IsMaliciousIndicatorFound	Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
GetIndicatorDBotScoreFromCache	Get the overall score for the indicator as calculated by DBot.
jmespath	Performs a JMESPath search on an input JSON format, when using a transformer.
DockerHardeningCheck	Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html
MarkAsNoteByTag	Mark entries as notes if they are tagged with given tag
ExposeIncidentOwner	Expose the incident owner into IncidentOwner context key
VerifyIPv6Indicator	Verify that the address is a valid IPv6 address.
emailFieldTriggered	Sends email to incident owner when selected field is triggered.
ReadPDFFileV2	Load a PDF file's content and metadata into context.
CalculateEntropy	Calculates the entropy for the given data.
MatchRegex	Deprecated. Use the MatchRegexV2 script instead.
GetStringsDistance	Get the string distance between inputString and compareString (could be a comma separated list) based on Levenshtein Distance algorithm.
SSDeepSimilarity	This script finds similar files that can be related to each other by fuzzy hash (SSDeep).
IPToHost	Try to get the hostname correlated with the input IP.
PadZeros	Adds zeros (0) to the beginning of the string, until the string reaches the specified length.
PCAPMiner	Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.
LookupCSV	Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
TextFromHTML	Extract regular text from the given HTML
DomainReputation	A context script for Domain entities
DemistoVersion	Return the Demisto server version.
IPv4Blacklist	Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.
StringLength	Returns the length of the string passed as argument
RemoveKeyFromList	Removes a key in key/value store backed by an XSOAR list.
ticksToTime	Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
IsGreaterThan	Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number
CompareLists	Compare two lists and put the differences in context.
UnEscapeIPs	Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1
SetGridField	Creates a Grid table from items or key-value pairs.
http	Sends http request. Returns the response as json.
DecodeMimeHeader	Decode MIME base64 headers.
ScheduleGenericPolling	Called by the GenericPolling playbook, schedules the polling task.
PrintContext	Pretty-print the contents of the playbook context
CreateEmailHtmlBody	This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: ${incident.labels.Email/from} ${incident.name} ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance.
IsEmailAddressInternal	Checks if the email address is part of the internal domains
FindSimilarIncidents	Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label).
DBotAverageScore	Calculates average score for each indicator from context
UtilAnyResults	Utility script to use in playbooks - returns "yes" if the input is non-empty.
PrintErrorEntry	Prints an error entry with a given message
Base64EncodeV2	Encodes an input to Base64 format.
GenerateRandomString	Generates random string
GetValuesOfMultipleFields	The script receives a list of fields and a context key base path. For example, Key=demisto.result List=username,user and will get all of the values from demisto.result.username and demisto.result.user. The Get field of the task must have the value ${.=[]}.
IPNetwork	Gather information regarding CIDR - 1. Broadcast_address 2. CIDR 3. First_address 4. Last address 5. Max prefix len 6. Num addresses 7. Private 8. Version
VerifyJSON	Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.
ExtractIndicatorsFromWordFile	Used to extract indicators from Word files (DOC, DOCX). The script does not extract data from macros (e.g., embedded code).
URLDecode	Converts https:%2F%2Fexample.com into https://example.com
checkValue	Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value.
Strings	Extract strings from a file with optional filter - similar to binutils strings command
ConvertAllExcept	Convert all chosen values but exceptions.
ExtractIndicatorsFromTextFile	Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash Email Address
ContextSearchForString	Searches for string in a path in context. If path is null, string will be searched in full context.
StixCreator	Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format.

1.4.47 - 1809851 (October 18, 2021)

Scripts

New: GetEnabledInstances

Gets all currently enabled integration instances. (Available from Cortex XSOAR 6.0.0).

1.4.46 - 1795571 (October 14, 2021)

Scripts

ParseEmailFiles

Fixed an issue where multiline 'From' headers were incorrectly parsed in a windows format.

1.4.45 - 1785320 (October 12, 2021)

Scripts

GetIndicatorDBotScore

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

DumpJSON

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

InRange

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

IsListExist

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

LoadJSON

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

RepopulateFiles

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

ReverseList

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

SetByIncidentId

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

SetIfEmpty

Updated the Docker image to: demisto/python3:3:3.9.7.24076.

1.4.44 - 1779968 (October 11, 2021)

Scripts

New: EditServerConfig

Added a new script that allows updating or deleting the values of server configuration keys (available from XSOAR 6.0.0).

1.4.43 - 1765549 (October 8, 2021)

Scripts

ListUsedDockerImages

Improve the output for the ListUsedDockerImages to ignore the disabled integration and disabled automation.

1.4.42 - 1760862 (October 7, 2021)

Scripts

JsonToTable

Added the headers argument.

1.4.41 - 7933644 (October 4, 2021)

Scripts

URLSSLVerification

Added the argument set_http_as_suspicious that will allow the user to choose whether to set the URL as Suspicious in case that the URL starts with HTTP and not HTTPS.

1.4.40 - 7789574 (September 26, 2021)

Scripts

FindSimilarIncidents

Updated the Docker image to: demisto/python:2.7.18.24066.

JSONFileToCSV

Updated the Docker image to: demisto/python:2.7.18.24066.

LoadJSON

Updated the Docker image to: demisto/python:2.7.18.24066.

RunPollingCommand

Updated the Docker image to: demisto/python:2.7.18.24066.

ScheduleGenericPolling

Updated the Docker image to: demisto/python:2.7.18.24066.

DecodeMimeHeader

Updated the Docker image to: demisto/python:2.7.18.24066.

IsRFC1918Address

Updated the Docker image to: demisto/netutils:1.0.0.24101.

1.4.38 - 7681620 (September 19, 2021)

Scripts

New: ListUsedDockerImages

List the Docker images used by the installed integrations and automations.

1.4.37 - 7640590 (September 16, 2021)

Scripts

ConvertDatetoUTC

Updated the Docker image to: demisto/python3:3.9.7.24076.

LastArrayElement

Updated the Docker image to: demisto/python3:3.9.7.24076.

URLNumberOfAds

Updated the Docker image to: demisto/python:2.7.18.24066.

DemistoVersion

Updated the Docker image to: demisto/python3:3.9.7.24076.

GetListRow

Updated the Docker image to: demisto/python3:3.9.7.24076.

RegexExtractAll

Updated the Docker image to: demisto/python3:3.9.7.24076.

DateStringToISOFormat

Updated the Docker image to: demisto/python3:3.9.7.24076.

CheckContextValue

Updated the Docker image to: demisto/python3:3.9.7.24076.

TopMaliciousRatioIndicators

Updated the Docker image to: demisto/python:2.7.18.24066.

EmailReputation

Updated the Docker image to: demisto/python:2.7.18.24066.

UtilAnyResults

Updated the Docker image to: demisto/python:2.7.18.24066.

JsonToTable

Updated the Docker image to: demisto/python3:3.9.7.24076.

ConvertAllExcept

Updated the Docker image to: demisto/python3:3.9.7.24076.

IsInternalDomainName

Updated the Docker image to: demisto/python3:3.9.7.24076.

DomainReputation

Updated the Docker image to: demisto/python:2.7.18.24066.

ExtractAttackPattern

Updated the Docker image to: demisto/python3:3.9.7.24076.

BetweenHours

Updated the Docker image to: demisto/python3:3.9.7.24076.

MapValuesTransformer

Updated the Docker image to: demisto/python3:3.9.7.24076.

VerifyIPv6Indicator

Updated the Docker image to: demisto/python3:3.9.7.24076.

FileToBase64List

Updated the Docker image to: demisto/python:2.7.18.24066.

CheckFieldValue

Updated the Docker image to: demisto/python3:3.9.7.24076.

LookupCSV

Updated the Docker image to: demisto/python3:3.9.7.24076.

SetDateField

Updated the Docker image to: demisto/python:2.7.18.24066.

FileReputation

Updated the Docker image to: demisto/python:2.7.18.24066.

ModifyDateTime

Updated the Docker image to: demisto/python3:3.9.7.24076.

ContextContains

Updated the Docker image to: demisto/python:2.7.18.24066.

GetStringsDistance

Updated the Docker image to: demisto/python:2.7.18.24066.

URLDecode

Updated the Docker image to: demisto/python3:3.9.7.24076.

OnionURLReputation

Updated the Docker image to: demisto/python3:3.9.7.24076.

CompareLists

Updated the Docker image to: demisto/python3:3.9.7.24076.

FeedRelatedIndicatorsWidget

Updated the Docker image to: demisto/python3:3.9.7.24076.

IsListExist

Updated the Docker image to: demisto/python:2.7.18.24066.

NumberOfPhishingAttemptPerUser

Updated the Docker image to: demisto/python3:3.9.7.24076.

CreateIndicatorsFromSTIX

Updated the Docker image to: demisto/python3:3.9.7.24076.

LinkIncidentsWithRetry

Updated the Docker image to: demisto/python:2.7.18.24066.

ReverseList

Updated the Docker image to: demisto/python:2.7.18.24066.

SCPPullFiles

Updated the Docker image to: demisto/python:2.7.18.24066.

CloseInvestigationAsDuplicate

Updated the Docker image to: demisto/python:2.7.18.24066.

ReadFile

Updated the Docker image to: demisto/python:2.7.18.24066.

MaliciousRatioReputation

Updated the Docker image to: demisto/python:2.7.18.24066.

SetByIncidentId

Updated the Docker image to: demisto/python:2.7.18.24066.

EmailDomainWhitelist

Updated the Docker image to: demisto/python3:3.9.7.24076.

ParseCSV

Updated the Docker image to: demisto/python:2.7.18.24066.

ShowLocationOnMap

Updated the Docker image to: demisto/python3:3.9.7.24076.

PortListenCheck

Updated the Docker image to: demisto/python:2.7.18.24066.

BetweenDates

Updated the Docker image to: demisto/python3:3.9.7.24076.

EmailDomainBlacklist

Updated the Docker image to: demisto/python3:3.9.7.24076.

PopulateCriticalAssets

Updated the Docker image to: demisto/python3:3.9.7.24076.

DT

Updated the Docker image to: demisto/python:2.7.18.24066.

RepopulateFiles

Updated the Docker image to: demisto/python:2.7.18.24066.

FilterByList

Updated the Docker image to: demisto/python:2.7.18.24066.

IsInternalHostName

Updated the Docker image to: demisto/python3:3.9.7.24076.

AddKeyToList

Updated the Docker image to: demisto/python3:3.9.7.24076.

GetDockerImageLatestTag

Updated the Docker image to: demisto/python:2.7.18.24066.

SSDeepReputation

Updated the Docker image to: demisto/python:2.7.18.24066.

IPNetwork

Updated the Docker image to: demisto/python3:3.9.7.24076.

CalculateEntropy

Updated the Docker image to: demisto/python3:3.9.7.24076.

GetValuesOfMultipleFields

Updated the Docker image to: demisto/python3:3.9.7.24076.

ProductJoin

Updated the Docker image to: demisto/python3:3.9.7.24076.

GetByIncidentId

Updated the Docker image to: demisto/python3:3.9.7.24076.

ExtractEmailV2

Updated the Docker image to: demisto/python3:3.9.7.24076.

ConvertToSingleElementArray

Updated the Docker image to: demisto/python3:3.9.7.24076.

PrintContext

Updated the Docker image to: demisto/python:2.7.18.24066.

AfterRelativeDate

Updated the Docker image to: demisto/python3:3.9.7.24076.

SetAndHandleEmpty

Updated the Docker image to: demisto/python3:3.9.7.24076.

SendEmailOnSLABreach

Updated the Docker image to: demisto/python:2.7.18.24066.

TextFromHTML

Updated the Docker image to: demisto/python:2.7.18.24066.

LowerCidrNumAddresses

Updated the Docker image to: demisto/python3:3.9.7.24076.

IsUrlPartOfDomain

Updated the Docker image to: demisto/python3:3.9.7.24076.

Base64EncodeV2

Updated the Docker image to: demisto/python3:3.9.7.24076.

IsIntegrationAvailable

Updated the Docker image to: demisto/python:2.7.18.24066.

RegexGroups

Updated the Docker image to: demisto/python3:3.9.7.24076.

JoinIfSingleElementOnly

Updated the Docker image to: demisto/python:2.7.18.24066.

SetIfEmpty

Updated the Docker image to: demisto/python:2.7.18.24066.

HTTPListRedirects

Updated the Docker image to: demisto/python:2.7.18.24066.

BinarySearchPy

Updated the Docker image to: demisto/python:2.7.18.24066.

CopyNotesToIncident

Updated the Docker image to: demisto/python3:3.9.7.24076.

ResolveShortenedURL

Updated the Docker image to: demisto/python:2.7.18.24066.

URLReputation

Updated the Docker image to: demisto/python:2.7.18.24066.

FormattedDateToEpoch

Updated the Docker image to: demisto/python3:3.9.7.24076.

StripChars

Updated the Docker image to: demisto/python3:3.9.7.24076.

CheckSenderDomainDistance

Updated the Docker image to: demisto/python:2.7.18.24066.

GreaterCidrNumAddresses

Updated the Docker image to: demisto/python3:3.9.7.24076.

ChangeContext

Updated the Docker image to: demisto/python3:3.9.7.24076.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python:2.7.18.24066.

SetTime

Updated the Docker image to: demisto/python:2.7.18.24066.

ProvidesCommand

Updated the Docker image to: demisto/python3:3.9.7.24076.

DumpJSON

Updated the Docker image to: demisto/python:2.7.18.24066.

SumList

Updated the Docker image to: demisto/python3:3.9.7.24076.

FirstArrayElement

Updated the Docker image to: demisto/python3:3.9.7.24076.

Base64Decode

Updated the Docker image to: demisto/python3:3.9.7.24076.

GenerateRandomUUID

Updated the Docker image to: demisto/python3:3.9.7.24076.

RemoveKeyFromList

Updated the Docker image to: demisto/python3:3.9.7.24076.

InRange

Updated the Docker image to: demisto/python:2.7.18.24066.

CalculateTimeDifference

Updated the Docker image to: demisto/python:2.7.18.24066.

WhereFieldEquals

Updated the Docker image to: demisto/python3:3.9.7.24076.

Base64ListToFile

Updated the Docker image to: demisto/python:2.7.18.24066.

CompareIncidentsLabels

Updated the Docker image to: demisto/python:2.7.18.24066.

EncodeToAscii

Updated the Docker image to: demisto/python:2.7.18.24066.

PadZeros

Updated the Docker image to: demisto/python3:3.9.7.24076.

GetIndicatorDBotScore

Updated the Docker image to: demisto/python:2.7.18.24066.

StopScheduledTask

Updated the Docker image to: demisto/python3:3.9.7.24076.

GenerateRandomString

Updated the Docker image to: demisto/python:2.7.18.24066.

CopyContextToField

Updated the Docker image to: demisto/python:2.7.18.24066.

Cut

Updated the Docker image to: demisto/python3:3.9.7.24076.

IndicatorMaliciousRatioCalculation

Updated the Docker image to: demisto/python:2.7.18.24066.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python:2.7.18.24066.

AddDBotScoreToContext

Updated the Docker image to: demisto/python3:3.9.7.24076.

IdentifyAttachedEmail

Updated the Docker image to: demisto/python:2.7.18.24066.

StringToArray

Updated the Docker image to: demisto/python3:3.9.7.24076.

PrintRaw

Updated the Docker image to: demisto/python3:3.9.7.24076.

URLSSLVerification

Updated the Docker image to: demisto/python:2.7.18.24066.

TimeStampCompare

Updated the Docker image to: demisto/python3:3.9.7.24076.

DockerHardeningCheck

Updated the Docker image to: demisto/python3:3.9.7.24076.

RunDockerCommand

Updated the Docker image to: demisto/python:2.7.18.24066.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python:2.7.18.24066.

PositiveDetectionsVSDetectionEngines

Updated the Docker image to: demisto/python3:3.9.7.24076.

IPToHost

Updated the Docker image to: demisto/python:2.7.18.24066.

DisplayHTML

Updated the Docker image to: demisto/python:2.7.18.24066.

PrintErrorEntry

Updated the Docker image to: demisto/python:2.7.18.24066.

IsEmailAddressInternal

Updated the Docker image to: demisto/python:2.7.18.24066.

Strings

Updated the Docker image to: demisto/python:2.7.18.24066.

MarkAsNoteByTag

Updated the Docker image to: demisto/python:2.7.18.24066.

hideFieldsOnNewIncident

Updated the Docker image to: demisto/python:2.7.18.24066.

GetIndicatorDBotScoreFromCache

Updated the Docker image to: demisto/python3:3.9.7.24076.

SetMultipleValues

Updated the Docker image to: demisto/python:2.7.18.24066.

PrettyPrint

Updated the Docker image to: demisto/python3:3.9.7.24076.

JSONtoCSV

Updated the Docker image to: demisto/python:2.7.18.24066.

IncidentFields

Updated the Docker image to: demisto/python3:3.9.7.24076.

GetFieldsByIncidentType

Updated the Docker image to: demisto/python3:3.9.7.24076.

SearchIncidentsV2

Updated the Docker image to: demisto/python3:3.9.7.24076.

IPReputation

Updated the Docker image to: demisto/python3:3.9.7.24076.

MatchRegexV2

Updated the Docker image to: demisto/python3:3.9.7.24076.

URLEncode

Updated the Docker image to: demisto/python3:3.9.7.24076.

IsInCidrRanges

Updated the Docker image to: demisto/netutils:1.0.0.24101.

IPv4Blacklist

Updated the Docker image to: demisto/netutils:1.0.0.24101.

IPv4Whitelist

Updated the Docker image to: demisto/netutils:1.0.0.24101.

IsNotInCidrRanges

Updated the Docker image to: demisto/netutils:1.0.0.24101.

1.4.35 - 7526437 (September 9, 2021)

Scripts

ParseEmailFiles

Fixed an issue where underscores were not replaced with spaces in MIME encoded headers.

1.4.34 - 7516780 (September 9, 2021)

Scripts

Cut

Fixed an issue where the automation script failed on non UTF-8 characters.
Updated the Docker image to: demisto/python3:3.9.6.24067.

1.4.33 - 7471538 (September 6, 2021)

Scripts

ParseEmailFiles

Fixed an issue where the automation script failed to process MIME encoded-words.
Updated the Docker image to: demisto/python:2.7.18.24066.

1.4.32 - 7459007 (September 5, 2021)

Scripts

UnEscapeURLs

URLs with meow:// and meows:// are now supported.

ExtractEmailV2

Email addresses containing [@] are now extracted.

1.4.31 - 7423160 (September 2, 2021)

Scripts

ParseEmailFiles

Fixed an issue where non UTF-8 attachments were decoded to UTF-8.

LoadJSON

Fixed an issue where the command failed on inputs that contained control characters.
Updated the Docker image to: demisto/python:2.7.18.24019.

1.4.29 - 7391875 (September 1, 2021)

Scripts

GetIndicatorDBotScoreFromCache

Fixed an issue where the automation script failed to run on indicators with a verdict of Unknown.
Updated the Docker image to: demisto/python3:3.9.6.24019.

1.4.28 - 7360649 (August 30, 2021)

Scripts

ParseEmailFiles

Fixed an issue where ParseEmailFiles fails on timeout.
Updated the Docker image to: demisto/python:2.7.18.24019.

1.4.27 - 7296983 (August 26, 2021)

Scripts

New: StringToArray

Converts a string to array.

1.4.26 - 7259008 (August 25, 2021)

Scripts

ParseEmailFiles

Fixed an issue where multiple MIME encoded words were not decoded.
Added default_encoding argument to use while message parsing where encoding fails.
Added forced_encoding argument to force use that encoding while message parsing.

1.4.25 - 415742 (August 24, 2021)

Scripts

SetGridField

Breaking Change: Added support for columns with underscores (_). Previously underscores in columns were removed automatically by the automation.
Add back support for column names with more than 255 chars (support was removed in v1.4.24).

1.4.23 - 414184 (August 20, 2021)

Scripts

WhereFieldEquals

Improved handling where the automation failed to run on array which contains strings given in the value argument.

1.4.22 - 412606 (August 17, 2021)

Scripts

New: ExtractAttackPattern

Fixed an issue where the script extracted invalid Attack Pattern indicators.

1.4.21 - 410734 (August 12, 2021)

Scripts

IPv4Blacklist

Updated the Docker image to: demisto/netutils:1.0.0.23344.

IPv4Whitelist

Updated the Docker image to: demisto/netutils:1.0.0.23344.

IsInCidrRanges

Updated the Docker image to: demisto/netutils:1.0.0.23344.

IsNotInCidrRanges

Updated the Docker image to: demisto/netutils:1.0.0.23344.

ConvertTableToHTML

Added support for the headers argument in the tableToHTML function.

1.4.19 - 408673 (August 8, 2021)

Scripts

ConvertTableToHTML

Added the headers argument.

ParseEmailFiles

Fixed an issue where parsing failed due to empty sub email.

1.4.17 - 407320 (August 5, 2021)

Scripts

ParseEmailFiles

Added multipart/related to the supported formats.

1.4.16 - 406668 (August 5, 2021)

Scripts

New: SSDeepSimilarity

This script finds similar files that can be related to each other by fuzzy hash (SSDeep). (Available from Cortex XSOAR 5.5.0).

ParseEmailFiles

Fixed an issue where S/MIME .eml files were not parsed properly.

1.4.14 - 405394 (August 3, 2021)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Fixed an issue where in some cases ProofPoint safe URLs where not formatted properly.
Updated the Docker image to: demisto/tld:1.0.0.23423.

1.4.13 - 405107 (August 2, 2021)

Scripts

ExtractFQDNFromUrlAndEmail

Updated the Docker image to: demisto/tld:1.0.0.23423.

ExtractDomainFromUrlAndEmail

Updated the Docker image to: demisto/tld:1.0.0.23423.

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/tld:1.0.0.23423.

SetGridField

Fixed an issue where the sort_by argument was not respected.
Added support for multiple columns sort using the sort_by argument.
Updated the Docker image to: demisto/pandas:1.0.0.23402.

1.4.11 - 404180 (July 30, 2021)

Scripts

GetListRow

Added the list_separator argument to enable custom list delimiter.
Updated the Docker image to: demisto/python3:3.8.3.9324.

1.4.10 - 403617 (July 28, 2021)

Scripts

ParseEmailFiles

Improved decoding of MIME encoded words.

1.4.9 - 402821 (July 27, 2021)

Scripts

New: ExtractAttackPattern

A formatting script to extract attack pattern value from MITRE ID.

1.4.8 - 402535 (July 26, 2021)

Scripts

JSONFileToCSV

Updated the Docker image to: demisto/python:2.7.18.22912.

MaliciousRatioReputation

Updated the Docker image to: demisto/python:2.7.18.20958.

LinkIncidentsWithRetry

Updated the Docker image to: demisto/python:2.7.18.20958.

SetMultipleValues

Updated the Docker image to: demisto/python:2.7.18.20958.

TopMaliciousRatioIndicators

Updated the Docker image to: demisto/python:2.7.18.20958.

SCPPullFiles

Updated the Docker image to: demisto/python:2.7.18.20958.

UtilAnyResults

Updated the Docker image to: demisto/python:2.7.18.20958.

SendEmailOnSLABreach

Updated the Docker image to: demisto/python:2.7.18.20958.

URLNumberOfAds

Updated the Docker image to: demisto/python:2.7.18.20958.

TextFromHTML

Updated the Docker image to: demisto/python:2.7.18.20958.

SSDeepReputation

Updated the Docker image to: demisto/python:2.7.18.20958.

MarkAsNoteByTag

Updated the Docker image to: demisto/python:2.7.18.20958.

StopScheduledTask

Updated the Docker image to: demisto/python:2.7.18.20958.

URLReputation

Updated the Docker image to: demisto/python:2.7.18.20958.

SetTime

Updated the Docker image to: demisto/python:2.7.18.20958.

PrintContext

Updated the Docker image to: demisto/python:2.7.18.20958.

SetDateField

Updated the Docker image to: demisto/python:2.7.18.20958.

LoadJSON

Updated the Docker image to: demisto/python:2.7.18.20958.

Strings

Updated the Docker image to: demisto/python:2.7.18.20958.

RunDockerCommand

Updated the Docker image to: demisto/python:2.7.18.20958.

hideFieldsOnNewIncident

Updated the Docker image to: demisto/python:2.7.18.20958.

IsIntegrationAvailable

Updated the Docker image to: demisto/python:2.7.18.20958.

IsEmailAddressInternal

Updated the Docker image to: demisto/python:2.7.18.20958.

GetStringsDistance

Updated the Docker image to: demisto/python:2.7.18.20958.

IPToHost

Updated the Docker image to: demisto/python:2.7.18.20958.

EmailReputation

Updated the Docker image to: demisto/python:2.7.18.20958.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python:2.7.18.20958.

BinarySearchPy

Updated the Docker image to: demisto/python:2.7.18.20958.

DomainReputation

Updated the Docker image to: demisto/python:2.7.18.20958.

ContextContains

Updated the Docker image to: demisto/python:2.7.18.20958.

IndicatorMaliciousRatioCalculation

Updated the Docker image to: demisto/python:2.7.18.20958.

DisplayHTML

Updated the Docker image to: demisto/python:2.7.18.20958.

GenerateRandomString

Updated the Docker image to: demisto/python:2.7.18.20958.

IsListExist

Updated the Docker image to: demisto/python:2.7.18.20958.

CloseInvestigationAsDuplicate

Updated the Docker image to: demisto/python:2.7.18.20958.

CheckSenderDomainDistance

Updated the Docker image to: demisto/python:2.7.18.20958.

JoinIfSingleElementOnly

Updated the Docker image to: demisto/python:2.7.18.20958.

FileReputation

Updated the Docker image to: demisto/python:2.7.18.20958.

Base64ListToFile

Updated the Docker image to: demisto/python:2.7.18.20958.

IPReputation

Updated the Docker image to: demisto/python:2.7.18.20958.

ScheduleGenericPolling

Updated the Docker image to: demisto/python:2.7.18.22912.

RunPollingCommand

Updated the Docker image to: demisto/python:2.7.18.22912.

PrintErrorEntry

Updated the Docker image to: demisto/python:2.7.18.20958.

1.4.7 - 400461 (July 20, 2021)

Scripts

ParseEmailFiles

Fixed an issue where the script fails on timeout intermittently when receiving long emails.

1.4.6 - 398602 (July 16, 2021)

Scripts

ParseEmailFiles

Added multipart/mixed to the supported formats.
Updated the Docker image to: demisto/python:2.7.18.22912.

1.4.5 - 398533 (July 15, 2021)

Scripts

URLSSLVerification

Updated the Docker image to: demisto/python:2.7.18.20958.

ParseEmailFiles

Updated the Docker image to: demisto/python:2.7.18.20958.

1.4.4 - 398245 (July 15, 2021)

Scripts

ProductJoin

Updated the Docker image to: demisto/python3:3.9.5.21272.
Updated the Docker image to: demisto/python3:3.9.5.22665.

RepopulateFiles

Updated the Docker image to: demisto/python:2.7.18.20958.
Updated the Docker image to: demisto/python:2.7.18.20958.

DumpJSON

Updated the Docker image to: demisto/python:2.7.18.20958.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python:2.7.18.20958.

CopyContextToField

Updated the Docker image to: demisto/python:2.7.18.20958.

ConvertToSingleElementArray

Updated the Docker image to: demisto/python3:3.9.5.21272.

DT

Updated the Docker image to: demisto/python:2.7.18.20958.

PortListenCheck

Updated the Docker image to: demisto/python:2.7.18.20958.
Updated the Docker image to: demisto/python:2.7.18.20958.

GetDockerImageLatestTag

Updated the Docker image to: demisto/python:2.7.18.20958.

FileToBase64List

Updated the Docker image to: demisto/python:2.7.18.20958.

CalculateTimeDifference

Updated the Docker image to: demisto/python:2.7.18.20958.

CompareIncidentsLabels

Updated the Docker image to: demisto/python:2.7.18.20958.

GetIndicatorDBotScore

Updated the Docker image to: demisto/python:2.7.18.20958.

ReadFile

Updated the Docker image to: demisto/python:2.7.18.20958.
Updated the Docker image to: demisto/python:2.7.18.20958.

InRange

Updated the Docker image to: demisto/python:2.7.18.20958.

HTTPListRedirects

Updated the Docker image to: demisto/python:2.7.18.20958.

Cut

Updated the Docker image to: demisto/python:2.7.18.20958.

EncodeToAscii

Updated the Docker image to: demisto/python:2.7.18.20958.

FilterByList

Updated the Docker image to: demisto/python:2.7.18.20958.

IdentifyAttachedEmail

Updated the Docker image to: demisto/python:2.7.18.20958.

JSONtoCSV

Updated the Docker image to: demisto/python:2.7.18.20958.

ParseCSV

Updated the Docker image to: demisto/python:2.7.18.20958.

ReverseList

Updated the Docker image to: demisto/python:2.7.18.20958.

ResolveShortenedURL

Updated the Docker image to: demisto/python:2.7.18.20958.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python:2.7.18.20958.

IsInternalHostName

Updated the Docker image to: demisto/python3:3.9.5.22665.

SetIfEmpty

Updated the Docker image to: demisto/python:2.7.18.20958.

StripChars

Updated the Docker image to: demisto/python3:3.9.5.22665.

SetByIncidentId

Updated the Docker image to: demisto/python:2.7.18.20958.

PopulateCriticalAssets

Updated the Docker image to: demisto/python3:3.9.5.22665.

1.4.1 - 397182 (July 13, 2021)

Scripts

ParseEmailFiles

Added multipart/alternative to the supported formats.

CopyNotesToIncident

Fixed an issue where the automation failed to copy the notes.
Upgraded the Docker image to: demisto/python3:3.9.5.21272.

AssignAnalystToIncident

Added the ability to exclude users who are currently set to away when using random owner assign.

GetDuplicatesMlv2

Updated the script to execute using the DBot role.

CompareIncidentsLabels

Updated the script to execute using the DBot role.

CopyContextToField

Updated the script to execute using the DBot role.

1.3.71 - 394494 (July 8, 2021)

Scripts

ReadPDFFileV2

Updated the script to execute using the DBot role.
Upgraded the Docker image to: demisto/readpdf:1.0.0.19258.

NumberOfPhishingAttemptPerUser

Updated the script to execute using the DBot role.
Upgraded the Docker image to: demisto/python3:3.9.5.21272.

ExtractIndicatorsFromWordFile

Updated the script to execute using the DBot role.

SetAndHandleEmpty

Updated the script to execute using the DBot role.
Upgraded the Docker image to: demisto/python3:3.9.5.21272.

1.3.70 - 393823 (July 6, 2021)

Scripts

ParseEmailFiles

Fixed an issue where some MIME encoded words were not decoded properly.

VerifyJSON

Updated the Docker image to: demisto/powershell:7.1.3.22028.

1.3.68 - 393444 (July 6, 2021)

Scripts

New: ParseHTMLIndicators

This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. (Available from Cortex XSOAR 5.5.0).

1.3.67 - 393138 (July 5, 2021)

Scripts

ExtractIndicatorsFromTextFile

Updated the script to execute using the DBot role.

1.3.66 - 391562 (June 30, 2021)

Scripts

ExtractIndicatorsFromWordFile

Updated the Docker image to: demisto/office-utils:2.0.0.21435.

SetGridField

Updated the Docker image to: demisto/pandas:1.0.0.21648.

GetDuplicatesMlv2

Updated the Docker image to: demisto/machine-learning:1.0.0.22015.
Maintenance and stability enhancements.

WordTokenizer

Updated the Docker image to: demisto/nltk:2.0.0.19143.

1.3.65 - 391074 (June 29, 2021)

Scripts

Base64Decode

Fixed an issue where the script failed to decode special characters in Windows-1252 encoding.
Updated the Docker image to: demisto/python3:3.9.5.21272.

1.3.64 - 389268 (June 24, 2021)

Scripts

ShowOnMap

ShowOnMap can now show addresses (or location descriptions, such as Paloalto Networks Tel Aviv Office) by calling the GoogleMaps integration.
Make sure to have a configured instance of GoogleMaps to utilize this functionality.

1.3.63 - 388541 (June 22, 2021)

Scripts

AssignAnalystToIncident

Changed email comparison from case-sensitive to case-insensitive.

1.3.62 - 386517 (June 17, 2021)

Scripts

ParseEmailFiles_SMIME_FIX

Fixed an issue where the script would not parse SMIME files.

EmailAskUserResponse

Fixed an issue where responses with \r characters were not handled properly.

1.3.60 - 386091 (June 16, 2021)

Scripts

SetByIncidentId

Added the errorUnfinished argument - if set to true, the script will return an error if not all the incidents were modified.

1.3.59 - 385669 (June 16, 2021)

Scripts

VerifyIPv6Indicator

Fixed an issue where the script did not drop indicators as expected.
Updated the Docker image to: demisto/python3:3.9.5.21272.

1.3.58 - 384775 (June 14, 2021)

Scripts

New: JsonToTable

A transformer that accepts a json object and returns a markdown. (Available from Cortex XSOAR 5.5.0).

1.3.57 - 383719 (June 13, 2021)

Scripts

MatchRegexV2

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.9.5.21272.

1.3.56 - 381886 (June 9, 2021)

Scripts

ExtractEmailV2

Fixed an issue where some special characters didn't exist in the email regex.
Updated the Docker image to: demisto/python3:3.9.5.20958.

1.3.55 - 379915 (June 7, 2021)

Scripts

PCAPMiner

Documentation and metadata improvements.

GetDuplicatesMlv2

Documentation and metadata improvements.
Documentation and metadata improvements.

1.3.53 - 371040 (May 30, 2021)

Scripts

Set

Documentation and metadata improvements.

1.3.52 - 367553 (May 26, 2021)

Scripts

New: GetIndicatorDBotScoreFromCache

Get the overall score for the indicator as calculated by DBot. (Available from Cortex XSOAR 6.0.0).

New: AddDBotScoreToContext

Add DBot score to context for indicators with custom vendor, score, reliability, and type. (Available from Cortex XSOAR 6.0.0).

1.3.51 - 363133 (May 23, 2021)

Scripts

PcapHTTPExtractor

Fixed an issue where the automation failed to extract pcap files.
Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.20132.

1.3.50 - 361149 (May 20, 2021)

Scripts

New: ExtractEmailV2

Formatting script that verifies that an email address is valid and only returns the address if it is valid. (Available from Cortex XSOAR 5.5.0).
Maintenance and stability enhancements.

GetIndicatorDBotScore

Fixed an issue where the vendor score was ignored.

1.3.47 - 358734 (May 19, 2021)

Scripts

EmailAskUserResponse

Fixed an issue where the script failed to parse the response in case the email had an image embedded in it.

1.3.46 - 356353 (May 14, 2021)

Scripts

IsMaliciousIndicatorFound

Fixed an issue where malicious domains were ignored.

If-Then-Else

Added support for evaluation via custom condition expressions.

1.3.45 - 356061 (May 13, 2021)

Scripts

ExampleJSScript

Changed http example to work with http://www.paloaltonetworks.com.

1.3.44 - 354205 (May 12, 2021)

Scripts

FindSimilarIncidents

Improve query performance when using hoursBack flag.

1.3.43 - 351790 (May 10, 2021)

Scripts

IsMaliciousIndicatorFound

Fixed an issue where malicious domains were ignored.

1.3.42 - 351231 (May 9, 2021)

Scripts

GetIndicatorDBotScore

Breaking Change Support for multiple indicators is no longer available as a comma-separated string.

1.3.41 - 350331 (May 9, 2021)

Scripts

StixCreator

Improved implementation of the script in order to support future reputation options.

1.3.40 - 341456 (May 1, 2021)

Scripts

GetDuplicatesMlv2

Maintenance and stability enhancements.

FindSimilarIncidents

Maintenance and stability enhancements.

1.3.39 - 341097 (April 29, 2021)

Scripts

DBotAverageScore

Fixed an issue where average score calculation failed when an indicator had only one DbotScore entry.

1.3.38 - 336317 (April 25, 2021)

Scripts

FeedRelatedIndicatorsWidget

Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
Updated the Docker image to: demisto/python3:3.9.4.18682.

1.3.37 - 334155 (April 22, 2021)

Scripts

AssignAnalystToIncident

Fixed an issue where the AssignAnalystToIncident command did not use the roles argument when the assignBy argument was set to: machine-learning/, top-user, less-busy-user.

ParseEmailFiles

Fix an issue where the automation failed to decode emails that contained utf-8 characters.

1.3.35 - 328754 (April 18, 2021)

Scripts

ParseEmailFiles

Fixed an issue where emails containing an .ics attachment failed to parse.
Fixed an issue where Polish letters were parsed incorrectly.

1.3.34 - 327772 (April 13, 2021)

Scripts

UnEscapeURLs

Added support for Proofpoint gov cloud addresses.

1.3.33 - 322974 (April 7, 2021)

Scripts

DeleteContext

Fixed an issue where unrelated data was stored in the indicator InsightCache while using KeysToKeep in order to keep DBotScore data in the context.

ParseEmailFiles

Fixed an issue where the script failed to parse an email containing Polish characters.

1.3.31 - 316394 (March 31, 2021)

Scripts

SearchIncidentsV2

Fixed an issue where the value of an incident ID was an integer and would raise a TypeError exception.
Updated the Docker image to: demisto/python3:3.9.2.17957.

1.3.30 - 312165 (March 25, 2021)

Scripts

GetIndicatorDBotScore

Added support for using multiple indicators at once.

1.3.29 - 309125 (March 21, 2021)

Scripts

ParseEmailFiles

Fixed an issue where the script failed to parse email containing Russian.

1.3.28 - 302262 (March 14, 2021)

Scripts

IsRFC1918Address

Fixed an issue where the script was not working as a transformer.
Upgraded the Docker image to: demisto/netutils:1.0.0.14492.

1.3.27 - 294860 (March 3, 2021)

Scripts

GetDuplicatesMlv2

The script will now run on a separate container.

1.3.26 - 294008 (March 2, 2021)

Scripts

ConvertXmlToJson

Metadata and documentation enhancements.

IncidentAddSystem

Metadata and documentation enhancements.

ParseJSON

Metadata and documentation enhancements.

IsGreaterThan

Metadata and documentation enhancements.

MathUtil

Metadata and documentation enhancements.

CreateArray

Metadata and documentation enhancements.

ConvertXmlFileToJson

Metadata and documentation enhancements.

UnEscapeIPs

Metadata and documentation enhancements.

CreateEmailHtmlBody

Metadata and documentation enhancements.

LessThanPercentage

Metadata and documentation enhancements.

FileCreateAndUpload

Metadata and documentation enhancements.

NotInContextVerification

Metadata and documentation enhancements.

FindSimilarIncidents

Fixed an issue where the script would not find similar incidents while using the similarIncidentFields argument when given an int type.
Upgraded the Docker image to: demisto/python:2.7.18.15765.

PortListenCheck

Metadata and documentation enhancements.

DumpJSON

Metadata and documentation enhancements.

UnPackFile

Metadata and documentation enhancements.

Base64EncodeV2

Upgraded the Docker image to: demisto/python3:3.9.1.15759.

DT

Metadata and documentation enhancements.

InRange

Metadata and documentation enhancements.

1.3.23 - 292927 (March 1, 2021)

Scripts

CheckFieldValue

Fixed an issue where the script was failing for certain fields.

1.3.22 - 291127 (February 28, 2021)

Scripts

CheckContextValue

Fixed an issue where the script was failing for certain context paths.

1.3.21 - 290267 (February 25, 2021)

Scripts

GetIndicatorDBotScore

Fixed an issue where the script failed on indicators with Type 'File-256'.

1.3.20 - 282915 (February 17, 2021)

Scripts

New: CheckContextValue

This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value.

CheckFieldValue

Internal code improvements.
Updated the Docker image to: demisto/python3:3.9.1.15759.

1.3.19 - 276977 (February 10, 2021)

Scripts

GetIndicatorDBotScore

Fixed an issue where multiple DBotScores were part of a single entry.

1.3.18 - 274119 (February 7, 2021)

Scripts

SetIfEmpty

Fixed an issue where the script failed on non-ASCII data.

1.3.17 - 269882 (February 2, 2021)

Scripts

RunPollingCommand

Fixed an issue where the script was failing when given integers or non-English characters as additional arguments.

1.3.16 - 269341 (February 2, 2021)

Scripts

SetGridField

Fixed an issue where the script failed on an "unhashable type" error.

1.3.15 - 266021 (January 28, 2021)

Scripts

ModifyDateTime

Fixed an issue where the time zone was ignored.
Upgraded the Docker image to demisto/python3:3.9.1.15759.

1.3.14 - 264879 (January 27, 2021)

Scripts

SetGridField

Improved the error messages.
Fixed an issue where the script failed when an empty value was entered.
Upgraded the Docker image to demisto/pandas:1.0.0.15584.

1.3.13 - R263971 (January 27, 2021)

Scripts

PcapHTTPExtractor

Upgraded the Docker image to demisto/pcap-http-extractor:1.0.0.15436.

1.3.12 - 254579 (January 17, 2021)

Scripts

SetGridField

Improved the error message when a grid ID is incorrect.

1.3.11 - R253472 (January 16, 2021)

Scripts

RunPollingCommand

Updated the script to execute using the DBot role.

1.3.10 - 246162 (January 7, 2021)

Scripts

FailedInstances

Fixed an issue where testmodule was listed as a failed instance in air-gapped environments.

1.3.9 - 238583 (December 30, 2020)

Scripts

ZipFile

Updated Docker image to demisto/python_zipfile:1.0.0.12410.
Added the ability to zip multiple files into one .zip file by passing a CSV list of entry IDs to the entryID argument.

SearchIncidentsV2

Added a new output, foundIncidents.incidentLink, which is a list containing URL links to all incidents that were found.
Updated docker image from 3.8.6.13358 to 3.8.6.14516.

1.3.7 - 234922 (December 27, 2020)

Scripts

URLSSLVerification

Fixed an issue where URLs containing commas were not extracted correctly.

1.3.6 - 225429 (December 18, 2020)

Scripts

DeleteContext

Fixed an issue where using the keysToKeep argument on a context key which contained an array with duplicate values, would also perform deduplication on the array.

1.3.5 - 223270 (December 16, 2020)

Scripts

RepopulateFiles

Fixed an issue where the script failed when there were no files to repopulate.

1.3.3 - 216042 (December 9, 2020)

Scripts

GetDomainDNSDetails

Added missing script output DomainDNSDetails.CNAME - Domain CNAME records.

1.3.2 - 214879 (December 8, 2020)

Scripts

DateStringToISOFormat

Added the add_utc_timezone argument to indicate whether to add a UTC timezone in case an offset-naive date was provided as an input.
Updated the Docker image to: demisto/python3:3.8.6.13358

1.3.1 - 214230 (December 8, 2020)

Scripts

ScheduleGenericPolling

Added support for non-english chars in the ids argument

1.3.0 - 213016 (December 7, 2020)

Scripts

New: ConvertDatetoUTC

Converts a date from a different timezone to UTC timezone.

1.2.85 - 212473 (December 6, 2020)

Scripts

New: GetDomainDNSDetails

Returns DNS details for a domain

New: AddKeyToList

Adds/Replaces a key in key/value store backed by an XSOAR list.

New: RemoveKeyFromList

Removes a key in key/value store backed by an XSOAR list.

New: CopyNotesToIncident

Copy all entries marked as notes from current incident to another incident.

New: GenerateRandomUUID

Generates a random UUID (UUID 4).

1.2.84 - 205599 (November 30, 2020)

Scripts

URLDecode

Added unit testing and linting.
Updated the Docker image to: demisto/python3:3.8.6.13358

PCAPMiner

Deprecated. We recommend using PCAPMinerV2 instead.
Updated the Docker image to: demisto/dempcap:1.0.0.14059

1.2.83 - 204733 (November 30, 2020)

Scripts

RunPollingCommand

Added support for non-english chars in the ids argument

1.2.82 - 197136 (November 23, 2020)

Scripts

DeleteContext

Fixed an issue where all of the context data in the current sub-playbook wasn't deleted when all = yes and subplaybook = yes/auto.

1.2.81 - 194714 (November 20, 2020)

Scripts

ParseEmailFiles

Added support for ISO-8859 text in smime.p7m file type.

1.2.80 - 187903 (November 15, 2020)

Scripts

DockerHardeningCheck

Updated the description with an updated link to the Docker Hardening Guide.
Updated the Docker image to: demisto/python3:3.8.6.13358.

1.2.79 - 185756 (November 12, 2020)

Scripts

SearchIncidentsV2

Fixed an issue where multiple context results were outputted for the same incident id.
Updated the Docker image to: demisto/python3:3.8.6.13358.

1.2.78 - 183115 (November 11, 2020)

Scripts

New: VerifyIPv6Indicator

Formatting script for ipv6 to verify that the address is a valid IPv6 address.
Removed the previous formatting script UnEscapeIPv6Indicator.

1.2.77 - 181757 (November 10, 2020)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Fixed an issue where the script recognized emails as a domains.

1.2.75 - R180529 (November 9, 2020)

Scripts

New: OnionURLReputation

This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.

1.2.74 - 176085 (November 5, 2020)

Scripts

ParseEmailFiles

Fixed an issue where the script does not decode the content payload with its charset.

1.2.73 - 174642 (November 5, 2020)

Scripts

ParseEmailFiles

Fixed an issue where the script raised an error for emails with an empty file content.

1.2.72 - 171152 (November 3, 2020)

Scripts

ExtractIndicatorsFromTextFile

Fixed an issue where .txt files with Portuguese characters were not parsed successfully.

1.2.71 - 169656 (November 2, 2020)

Scripts

ExtractDomainAndFQDNFromUrlAndEmail

Fixed an issue where the script created an empty domain indicator.
Updated the Docker image to tld:1.0.0.12410.

1.2.70 - 168138 (November 1, 2020)

Scripts

AfterRelativeDate

Fixed an issue where the script was not initiated properly.

1.2.69 - 166232 (October 29, 2020)

Scripts

ParseEmailFiles

Fixed an issue where the sending address was invalid in case the email's 'From' header contained '\r\n'.

1.2.68 - 163799 (October 28, 2020)

Scripts

FeedRelatedIndicatorsWidget

You can now use links, strings and CSVs of links and strings in the Description field.
Upgraded the Docker image to demisto/python3:3.8.6.12176.

1.2.67 - 163183 (October 28, 2020)

Scripts

UnzipFile

Updated the Docker image to unzip:1.0.0.12410.
Fixed an issue where the script failed to extract files with long filename from zip files.

1.2.66 - 159832 (October 25, 2020)

Scripts

SetGridField

Fixed an issue where the script did not display single dictionary outputs correctly.

1.2.65 - 158706 (October 25, 2020)

Scripts

ParseEmailFiles

Fixed an issue where parsing failed due to incorrect email payload filtering.

1.2.64 - 152917 (October 20, 2020)

Scripts

UnEscapeIndicatorIPv6

Fixed an issue where the script did not work as intended.

1.2.63 - 150688 (October 19, 2020)

Scripts

New: AfterRelativeDate

Added a new filter which checks that given time has happend after relative time

1.2.62 - 149864 (October 18, 2020)

Scripts

FailedInstances

Returns an empty list in case no failed instances found.

1.2.61 - 148197 (October 15, 2020)

Scripts

SetGridField

Fixed an issue where the script set values in incorrect fields.
Upgraded the Docker image to demisto/pandas:1.0.0.12410.

1.2.60 - 147869 (October 15, 2020)

Scripts

New: UnEscapeIndicatorIPv6

Extracts IPv6 addresses from specific characters.

1.2.57 - 144615 (October 13, 2020)

Scripts

New: IsInternalDomainName

This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true.
For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.

1.2.56 - 143692 (October 12, 2020)

Scripts

SetIfEmpty

Maintenance and stability enhancements.

1.2.55 - 142148 (October 11, 2020)

Scripts

FindSimilarIncidents

Fixed an issue where the script did not handle special characters.

1.2.54 - 141641 (October 11, 2020)

Scripts

SearchIncidentsV2

Improved the description of the size argument.
Updated the Docker image to: demisto/python3:3.8.6.12176.

1.2.53 - 135587 (October 5, 2020)

Scripts

New: URLEncode

Encodes a URL string by replacing special characters in the string using the %xx
escape. For example: https://example.com converts to https:%2F%2Fexample.com.

1.2.52 - 134930 (October 5, 2020)

Scripts

jmespath

Fixed an issue where JMESpath transformer didnt handle list data as expected.
Upgraded the Docker image to demisto/jmespath:1.0.0.10854.

1.2.51 - 133593 (October 4, 2020)

Scripts

SetByIncidentId

Updated the script to execute using the DBot role.

1.2.50 - 131379 (October 1, 2020)

Scripts

New: CheckFieldValue

This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.

1.2.49 - 128183 (September 29, 2020)

Scripts

FindSimilarIncidents

Fixed an issue where the script failed to find incidents by numeric field values.

1.2.48 - 127254 (September 27, 2020)

Scripts

Set

Updated documentation and descriptions.

1.2.47 - 126669 (September 26, 2020)

Scripts

WhereFieldEquals

Added the stringify argument.

1.2.46 - R124496 (September 23, 2020)

Scripts

GetIndicatorDBotScore

Fixed an issue where the indicator's Vendor field returned an empty value.

1.2.45 - 121733 (September 21, 2020)

Scripts

New: MatchRegexV2

Extracts regex data from provided text. The script supports groups and looping.

MatchRegex

Deprecated. Use the MatchRegexV2 script instead.

1.2.44 - 120564 (September 20, 2020)

Scripts

IndicatorMaliciousRatioCalculation

Updated the script to execute using the DBot role.

GetDuplicatesMlv2

Updated the script to execute using the LimitedUser role.

DeleteContext

Updated the script to execute using the DBot role.

FindSimilarIncidents

Updated the script to execute using the DBot role.
Upgraded the Docker image to demisto/python:2.7.18.10627.

SearchIncidentsV2

Updated the script to execute using the DBot role.
Upgraded the Docker image to demisto/python3:3.8.3.9324.

DBotClosedIncidentsPercentage

Updated the script to execute using the DBot role.

MarkRelatedIncidents

Updated the script to execute using the DBot role.

findIncidentsWithIndicator

Updated the script to execute using the DBot role.

1.2.43 - 117673 (September 16, 2020)

Scripts

WhereFieldEquals

Fixed an issue where the transformer failed on KeyError.
Updated docker image.

1.2.42 - 116791 (September 15, 2020)

Scripts

DeleteContext

Updated the script to execute using the LimitedUser role.

1.2.41 - 114602 (September 13, 2020)

Scripts

DeleteContext

Updated the script to execute using the DBot role.

1.2.40 - 111755 (September 10, 2020)

Scripts

JSONtoCSV

Maintenance and stability enhancements.

1.2.39 - 109416 (September 8, 2020)

Scripts

LookupCSV

Added support for values that contain commas in CSV files.

1.2.38 - 109113 (September 8, 2020)

Scripts

SetAndHandleEmpty

The stringify and append parameters now work as expected.

1.2.37 - 108272 (September 7, 2020)

Scripts

ParseEmailFiles

Fixed a bug in which double periods (..) at a new line due to SMTP standard were not processed correctly.

1.2.36 - 105506 (September 6, 2020)

Scripts

RunPollingCommand

Improved error handling.

1.2.35 - 103995 (September 3, 2020)

Scripts

ParseEmailFiles

Fixed an issue where S/MIME .eml files were not parsed properly.

1.2.34 - R103871 (September 3, 2020)

Scripts

FeedRelatedIndicatorsWidget

Fixed an issue where the indicator link value was incorrect.

1.2.33 - 91191 (August 19, 2020)

Scripts

WhereFieldEquals

Fixed an issue where WhereFieldEquals would return a string instead of a list.

1.2.32 - R89207 (August 16, 2020)

Scripts

FailedInstances

This introduces breaking changes for 6.0 and above.

Tests all integration instances available and returns detailed information about succeeded and failed integration instances.

1.2.31 - 86770 (August 12, 2020)

Scripts

TimeStampCompare

Added a README file with details regarding script usage.

VerifyJSON

Added a README file with details regarding script usage.

1.2.30 - 86153 (August 11, 2020)

Scripts

FeedRelatedIndicatorsWidget

New widget script for FeedRelatedIndicators section in indicators layouts. Contains information about the relationship between an indicator, entity, such as malware, and other indicators, such as a MITRE ATT&CK indicator, and connects to indicators, if relevant. Add the script to the indicator layout using the Dynamic section.

1.2.29 - R85850 (August 11, 2020)

Scripts

ModifyDateTime

Added a new transformer script that takes a date or time and applies a variation in human-readable
format, such as "in 1 day" or "3 weeks ago".

1.2.28 - 84808 (August 10, 2020)

Scripts

ParseEmailFiles

Fixed an issue where some attachments were not correctly recognised when the attachment was empty.

1.2.27 - 84010 (August 9, 2020)

Scripts

jmespath

This is a transformer script that performs a JMESPath search on an input JSON format.

1.2.26 - 83050 (August 6, 2020)

Scripts

FailedInstances

Added several items to context.

The number of enabled instances.
The number of failed instances.
The number of working instances.
The status of the instance.

1.2.25 - 81234 (August 4, 2020)

Scripts

UnzipFile

Improved support for .rar files.

1.2.24 - 80672 (August 3, 2020)

Scripts

SearchIncidentsV2

Fixed the query argument to not support input as array.

1.2.23 - 80184 (August 3, 2020)

Scripts

ParseEmailFiles

Fixed an issue where some attachments were not correctly recognised.

1.2.21 - 79423 (August 2, 2020)

Scripts

CalculateEntropy

Added the Calculate Entropy automation, which calculates the entropy of the given data.-response=true.

1.2.20 - 78315 (July 30, 2020)

Scripts

GetTime

Fixed an issue where the script failed if it was executed from another script or with raw-response=true.

1.2.19 - 78184 (July 30, 2020)

Scripts

IsUrlPartOfDomain

Changed the way localhost is handled. URLs starting with localhost are universally returned as internal.

1.2.18 - 77762 (July 30, 2020)

Scripts

PrintRaw

Added new Automation PrintRaw, which prints a raw representation of a string or object, visualising things likes tabs and newlines. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.

1.2.17 - 76513 (July 29, 2020)

Scripts

Set

Improved the description.

SetAndHandleEmpty

Improved the description.

1.2.16 - 76199 (July 28, 2020)

Scripts

IncreaseIncidentSeverity

The automation optionally increases the incident severity to the new value if it is greater than the existing severity.

1.2.15 - 74812 (July 27, 2020)

Scripts

GenerateSummaryReports

Fixed script descriptions.