Common Scripts

Details
Content
Dependencies
Version History
Download With Dependencies

Frequently used scripts pack.

PUBLISHER

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex XSOAR
Created	July 27, 2020
Last Release	September 29, 2022

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Automations

Name	Description
ContextGetEmails	Gets all email addresses in context, excluding ones given.
ticksToTime	Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
GetEnabledInstances	Gets all currently enabled integration instances.
ParseCSV	This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
PCAPMiner	Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.
SearchIncidentsV2	Searches Demisto incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
Base64EncodeV2	Encodes an input to Base64 format.
DemistoVersion	Return the Demisto server version.
ExtractDomainAndFQDNFromUrlAndEmail	Extracts domains and FQDNs from URLs and emails.
SetByIncidentId	Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
FileReputation	A context script for hash entities
IsIntegrationAvailable	Returns 'yes' if integration brand is available. Otherwise returns 'no'
FileCreateAndUploadV2	Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.
LinkIncidentsWithRetry	Use this script to avoid DB version errors when simultaneously running multiple linked incidents.
VerifyJSON	Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.
IPToHost	Try to get the hostname correlated with the input IP.
ShowLocationOnMap	Show indicator geo location on map
ToTable	Convert an array to a nice table display. Usually, from the context.
ExtractAttackPattern	Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
ParseEmailFilesV2	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info
ProvidesCommand	Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.
GenerateInvestigationSummaryReport	A script to generate investigation summary report in an automated way Can be used in post-processing flow as well.
MaliciousRatioReputation	Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.
TimeStampToDate	Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'
DateStringToISOFormat	This is a thin wrapper around the `dateutil.parser.parse` function. It will parse a string containing a date/time stamp and return it in ISO 8601 format.
LowerCidrNumAddresses	Check if number of availble addresses in IPv4 CIDR is lower than given number.
jmespath	Performs a JMESPath search on an input JSON format, when using a transformer.
ModifyDateTime	Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format.
ParseJSON	Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}.
AreValuesEqual	Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.
ConvertAllExcept	Convert all chosen values but exceptions.
RegexGroups	Extraction of elements which are contained in all the subgroups of the match to the pattern. For example, extracting from the string "The quick brown fox" the object `{"article":"The","noun":quick"}` (See arguments descriptions for more details)
StringReplace	Replaces regex match/es in string. Returns the string after replace was preformed.
IPReputation	A context script for IP entities
IPv4Whitelist	Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.
CompareIncidentsLabels	Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
NotInContextVerification	Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.
ListUsedDockerImages	List all Docker images that are in use by the installed integrations and automations.
ContextFilter	Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
SendMessageToOnlineUsers	Send message to Demisto online users over Email, Slack, Mattermost or all.
checkValue	Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value.
UtilAnyResults	Utility script to use in playbooks - returns "yes" if the input is non-empty.
IgnoreFieldsFromJson	Removed selected fields from the JSON object.
EncodeToAscii	Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)
EmailAskUserResponse	Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
LanguageDetect	Language detection based on Google's language-detection.
GetDockerImageLatestTag	Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.
ContextGetIps	Gets all IP addresses in context, excluding ones given.
CheckContextValue	This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.
ZipFile	Zip a file and upload to war room
ExposeIncidentOwner	Expose the incident owner into IncidentOwner context key
DBotAverageScore	Calculates average score for each indicator from context
GetTime	Retrieves the current date and time.
ConvertXmlToJson	Converts XML string to JSON format
MatchRegex	Deprecated. Use the MatchRegexV2 script instead.
IsListExist	Check if list exist in demisto lists.
HTMLtoMD	Converts HTML to Markdown.
GetDuplicatesMlv2	Deprecated. Use the "PhishingDedupPreprocessingRule" script instead. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
CheckFieldValue	This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
LastArrayElement	Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.
BinarySearchPy	Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black
IndicatorMaliciousRatioCalculation	Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
RunDockerCommand	This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.
ResolveShortenedURL	Resolve the original URL from the given shortened URL and place it in both as output and in the context of a playbook. (https://unshorten.me/api)
ContextSearchForString	Searches for string in a path in context. If path is null, string will be searched in full context.
UnEscapeIPs	Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1
CopyNotesToIncident	Copy all entries marked as notes from current incident to another incident.
Cut	Cut a string by delimiter and return specific fields. Example input: "A-B-C-D-E" delimiter: "-" fields: "1,5" return: "A-E"
GetErrorsFromEntry	Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.
URLReputation	A context script for URL entities
ContainsCreditCardInfo	Check if a given value is true. Will return 'no' otherwise
ParseWordDoc	Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.
ScheduleGenericPolling	Called by the GenericPolling playbook, schedules the polling task.
GenerateRandomUUID	Generates a random UUID (UUID 4).
MathUtil	Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument
PrintRaw	Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
ReverseList	Reverse a list e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"] This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag)
emailFieldTriggered	Sends email to incident owner when selected field is triggered.
ExtractEmailV2	Verifies that an email address is valid and only returns the address if it is valid.
RemoteExec	Execute a command on a remote machine (without installing a D2 agent)
URLEncode	Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.
RemoveKeyFromList	Removes a key in key/value store backed by an XSOAR list.
ExtractDomainFromUrlAndEmail	Extract Domain(s) from URL(s) and/or Email(s)
ShowOnMap	Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).
GetByIncidentId	Gets a value from the specified incident's context.
IsRFC1918Address	A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network
FilterByList	Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.
IsIPInRanges	Returns yes if the IP is in one of the ranges provided, returns no otherwise.
MapValues	Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1
AddEvidence	Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)
ParseHTMLIndicators	This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
MarkAsNoteByTag	Mark entries as notes if they are tagged with given tag
StopTimeToAssignOnOwnerChange	Stops the "Time To Assign" timer if the owner of the incident was changed.
AddDBotScoreToContext	Add DBot score to context for indicators with custom vendor, score, reliability, and type.
ExtractFQDNFromUrlAndEmail	Extracts FQDNs from URLs and emails.
PadZeros	Adds zeros (0) to the beginning of the string, until the string reaches the specified length.
CheckIfSubdomain	Checks whether a given domain is a subdomain of one of the listed domains.
IsMaliciousIndicatorFound	Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
ExtractInbetween	Extract a string from an existing string.
Base64ListToFile	Converts Base64 file in a list to a binary file and upload to warroom
Ping	Pings an IP or url address, to verify it's up
StringToArray	Converts string to array. For example: `http://example.com/?score:1,4,time:55` will be transformed to `["http://example.com/?score:1,4,time:55"]`.
SCPPullFiles	Take a list of devices and pull a specific file (given by path) from each using SCP
MapValuesTransformer	This script converts the input value into another value using two lists. The input value is searched in the first list (input_values). If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned. If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value". Example 1: input_values = "1,2,3,4" mapper_values = "4,3,2,1" value = 3 Output would be "2" Example 2: input_values ="firstkey: datahere,secondkey: datathere" mapper_values = "datathere,datahere" value(dict)= { "firstkey": "datahere" } Output would be: { "firstkey": "datathere" } The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str , int, or list, the output is ALWAYS returned as a string.
CalculateEntropy	Calculates the entropy for the given data.
ExampleJSScript	This is only an example script, to showcase how to use and write JavaScript scripts
TopMaliciousRatioIndicators	Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
ChangeContext	Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.
GetDomainDNSDetails	Returns DNS details for a domain
IncidentAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
DBotClosedIncidentsPercentage	Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts
MarkRelatedIncidents	Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
EmailDomainWhitelist	Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array.
ContextGetPathForString	Searches for string in context and returns context path, returns null if not found.
JSONFileToCSV	Script to convert a War Room output JSON File to a CSV file.
RepopulateFiles	After running DeleteContext, this script can repopulate all the file entries in the ${File} context key
ScheduleCommand	Schedule a command to run inside the war room at a future time (once or reoccurring)
EmailReputation	A context script for Email entities
StripChars	Strip set of characters from prefix and/or suffix e.g. StripChar value=~!!~www.mydomain.com~!~!~ chars=!~ will return www.mydomain.com
FailedInstances	Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
DockerHardeningCheck	Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html
ReadPDFFileV2	Load a PDF file's content and metadata into context.
FeedRelatedIndicatorsWidget	Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
ConvertKeysToTableFieldFormat	Convert object keys to match table keys. Use when mapping object/collection to table (grid) field. (Array of objects/collections is also supported). Example: Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true } Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }
PcapHTTPExtractor	Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.
AddKeyToList	Adds/Replaces a key in key/value store backed by an XSOAR list.
GeneratePassword	This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min_* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min_* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
WhereFieldEquals	Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument E.g. !WhereFieldEquals with the following arguments: value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }] field='type' equalTo='IP' getField='name' Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2']
DisplayHTML	Display HTML in the War Room.
LoadJSON	Loads a json from string input, and returns a json object result
RegexExtractAll	Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways: It returns all matches of the specified pattern, not just specific groups. This is useful for extracting things using a pattern where the content of the source string is indeterminate, such as extracting all email addresses. Some "convenience" arguments have been added to enhance usability: multi-line, ignore_case, period_matches_newline Added a new argument, "error_if_no_match". The script will not ordinarily throw an error if a match is not found but if not using as a transformer within a playbook, it may, in certain limited circumstances, be desirable to throw an error if the expression doesn't match. It uses the 'regex' library, which supports more some more advanced regex functionality than the standard 're' library. For more info, see https://pypi.org/project/regex/.
ParseEmailFiles	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.
commentsToContext	Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
GetValuesOfMultipleFields	The script receives a list of fields and a context key base path. For example, Key=demisto.result List=username,user and will get all of the values from demisto.result.username and demisto.result.user. The Get field of the task must have the value ${.=[]}.
CountArraySize	Count an array size
CreateIndicatorsFromSTIX	Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0.
CalculateTimeDifference	Calculate the time difference, in minutes
AfterRelativeDate	Checks the given datetime has occured after the provided relative time.
IsNotInCidrRanges	Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges.
FileToBase64List	Encode a file as base64 and store it in a Demisto list.
IsTrue	Check if a given value is true. Will return 'no' otherwise
EmailDomainSquattingReputation	Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm
If-Then-Else	A transformer for simple if-then-else logic.
StringLength	Returns the length of the string passed as argument
CheckSenderDomainDistance	Get the string distance for the sender from our domain
UnPackFile	Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
IsInternalDomainName	This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
URLSSLVerification	Verify URL SSL certificate
GreaterCidrNumAddresses	Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number.
PopulateCriticalAssets	Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".
Print	Prints text to war room (Markdown supported)
GetFieldsByIncidentType	Returns the incident field names associated to the specified incident type.
CIDRBiggerThanPrefix	Checks whether a given CIDR prefix is bigger than the defined maximum prefix.
GenericPollingScheduledTask	Runs the polling command repeatedly, completes a blocking manual task when polling is done.
IsInternalHostName	Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
SetAndHandleEmpty	Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
SetMultipleValues	Set multiple keys/values to the context.
findIncidentsWithIndicator	Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
TimeStampCompare	Compares a single timestamp to a list of timestamps.
DecodeMimeHeader	Decode MIME base64 headers.
hideFieldsOnNewIncident	When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
HTTPListRedirects	List the redirects for a given URL
GetIndicatorDBotScoreFromCache	Get the overall score for the indicator as calculated by DBot.
InRange	checks if left side is in range of right side (from,to anotation) e.g. - InRange left=4right=1,8 will return true.
URLDecode	Converts https:%2F%2Fexample.com into https://example.com
DT	This automation allows the usage of DT scripts within playbooks transformers
EmailAskUser	Ask a user a question via email and process the reply directly into the investigation.
SetIfEmpty	Checks an object for an empty value and returns a pre-set default value.
SendEmailOnSLABreach	Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.
ConvertXmlFileToJson	Converts XML file entry to JSON format
ProductJoin	Returns the product of two lists, joined by a separator, as a list of strings.
SetTime	Fill the current time in a custom incident field
DisableUserWrapper	This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.
CloseInvestigationAsDuplicate	Close the current investigation as duplicate to other investigation.
JsonToTable	Accepts a json object and returns a markdown.
MatchRegexV2	Extracts regex data from the provided text. The script support groups and looping.
ChangeRemediationSLAOnSevChange	Changes the remediation SLA once a change in incident severity occurs. This is done automatically and the changes can be configured to your needs.
GetRange	Gets specified indexes of a list.
CopyContextToField	Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
FirstArrayElement	Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.
PortListenCheck	Checks whether a port was open on given host.
SetDateField	Sets a custom incident field with current date
HttpV2	Sends a HTTP request with advanced capabilities
SumList	Sums a List e.g. ["25", "10", "25"] => "60" This is an example for number transformer.
GenerateRandomString	Generates random string
ExtractHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: If table has a single column, just create an array of strings from the values If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value If table has a header row, create a table of objects where attribute names are the headers If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3…
StopScheduledTask	This stops the scheduled task whose ID is given in the taskID argument.
NumberOfPhishingAttemptPerUser	Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
WordTokenizer	Tokenize the words in a input text.
ParseExcel	The automation takes Excel file (entryID) as an input and parses its content to the war room and context
DeleteContext	Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
Base64Decode	Decodes an input in Base64 format.
EmailDomainBlacklist	Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array.
CreateArray	Will create an array object in context from given string input
ReadFile	Load the contents of a file into context.
listExecutedCommands	Lists executed commands in War Room
EditServerConfig	Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.
SetGridField	Creates a Grid table from items or key-value pairs.
IdentifyAttachedEmail	Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.
http	Sends http request. Returns the response as json.
CreateEmailHtmlBody	This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: ${incident.labels.Email/from} ${incident.name} ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance.
IPNetwork	Gather information regarding CIDR - 1. Broadcast_address 2. CIDR 3. First_address 4. Last address 5. Max prefix len 6. Num addresses 7. Private 8. Version
PrettyPrint	Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}
RunPollingCommand	Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
BetweenDates	Whether value is within a date range.
FindSimilarIncidents	Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
IncreaseIncidentSeverity	Optionally increases the incident severity to the new value if it is greater than the existing severity.
CEFParser	Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.
GetListRow	Parses a list by header and value.
StixCreator	Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format.
JSONtoCSV	Convert a JSON War Room output via EntryID to a CSV file.
GenerateSummaryReports	Generate report summaries for the passed incidents.
SSDeepSimilarity	This script finds similar files that can be related to each other by fuzzy hash (SSDeep).
FormatURL	Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL.
TextFromHTML	Extract regular text from the given HTML
ExtractIndicatorsFromTextFile	Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
FormattedDateToEpoch	Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a Demisto date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior
UnEscapeURLs	Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
IsInCidrRanges	Determines whether an IPv4 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4 addresses can be passed comma-delimited and each will be tested.
JoinIfSingleElementOnly	Return the single element in case the array has only 1 element in it, otherwise return the whole array
GetIndicatorDBotScore	Add into the incident's context the system internal DBot score for the input indicator.
GetStringsDistance	Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.
UnzipFile	Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.
Sleep	Sleep for X seconds
Base64Encode	Will encode an input using Base64 format.
SSDeepReputation	Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
ZipStrings	Joins values from two lists by index according to a given format.
ConvertToSingleElementArray	Converts a single string to an array of that string.
isError	Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
PositiveDetectionsVSDetectionEngines	Shows a bar chart of the number of Positive Detections out of overall detections
ConvertTableToHTML	Converts a given array to an HTML table
IncidentFields	Returns a dict of all incident fields that exist in the system.
PDFUnlocker	Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.
ConvertDatetoUTC	Converts a date from a different timezone to UTC timezone.
GetEntries	Collect entries matching to the conditions in the war room
PrintErrorEntry	Prints an error entry with a given message
ExtractIndicatorsFromWordFile	Used to extract indicators from Word files (DOC, DOCX). The script does not extract data from macros (e.g., embedded code). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
PublishEntriesToContext	Publish entries to incident's context
LookupCSV	Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
Exists	Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.
PrintContext	Pretty-print the contents of the playbook context
VerifyIPv6Indicator	Verify that the address is a valid IPv6 address.
ContextContains	This script searches for a value in a context path.
ContextGetHashes	Gets hashes (MD5,SHA1,SHA256) from context.
CompareLists	Compare two lists and put the differences in context.
IPv4Blacklist	Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.
Strings	Extract strings from a file with optional filter - similar to binutils strings command
AssignAnalystToIncident	Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command
DomainReputation	A context script for Domain entities
LessThanPercentage	Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float
IsGreaterThan	Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number
IsValueInArray	Indicates whether a given value is a member of given array
DumpJSON	Dumps a json from context key input, and returns a json object string result
ConvertFile	Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0
URLNumberOfAds	Fetches the numbers of ads in the given url
StringContainsArray	Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.
ShowScheduledEntries	Show all scheduled entries for specific incident.
IsEmailAddressInternal	Checks if the email address is part of the internal domains
OnionURLReputation	This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
IsUrlPartOfDomain	Checks if the supplied URLs are in the specified domains.
ExportToCSV	Export given array to csv file
Set	Set a value in context under the key you entered.
BetweenHours	Checks whether the given value is within the specified time (hour) range.
FileCreateAndUpload	Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
DemistoRESTAPI	By: Cortex XSOAR

Optional Content Packs (11)

Pack Name	Pack By
Gmail	By: Cortex XSOAR
Shodan	By: Cortex XSOAR
SumoLogic	By: Cortex XSOAR
GmailSingleUser	By: Cortex XSOAR
MicrosoftGraphListener	By: Cortex XSOAR
MicrosoftGraphMail	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
EWSMailSender	By: Cortex XSOAR
ProtectWise	By: Cortex XSOAR
MailSenderNew	By: Cortex XSOAR
RemoteAccess	By: Cortex XSOAR

1.8.0 - 3755666 (September 29, 2022)

Scripts

New: DisableUserWrapper

This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM. (Available from Cortex XSOAR 6.0.0).

Related pull requests:
- 21343

Download

1.7.67 - 3720747 (September 24, 2022)

Scripts

DeleteContext

Fixed an issue when using the keysToKeep argument containing list indexes did not work properly.

Related pull requests:
- 21400

Download

1.7.66 - 3709503 (September 22, 2022)

Scripts

RunPollingCommand

Updated the Docker image to: demisto/python3:3.10.7.33922.
Fixed an issue in RunPollingCommand where it passed malformed arguments to the polling command, causing GenericPolling playbook to fail.

Related pull requests:
- 21430

Download

1.7.65 - 3705998 (September 22, 2022)

Scripts

MaliciousRatioReputation

Updated the Docker image to: demisto/python3:3.10.7.33922.

DisplayHTML

Updated the Docker image to: demisto/python3:3.10.7.33922.

SendEmailOnSLABreach

Updated the Docker image to: demisto/python3:3.10.7.33922.

ResolveShortenedURL

Updated the Docker image to: demisto/python3:3.10.7.33922.
Added support for the insecure argument.

FileToBase64List

Updated the Docker image to: demisto/python3:3.10.7.33922.

Related pull requests:
- 20999

Download

1.7.64 - 3702189 (September 21, 2022)

Scripts

New: IgnoreFieldsFromJson

You can now remove selected fields from the JSON object. (Available from Cortex XSOAR 6.5.0).

ExtractEmailV2

Added support for defanged emails containing "[.]".
Updated the Docker image to: demisto/python3:3.10.7.33922.

Related pull requests:
- 21398

Download

1.7.62 - 3698640 (September 21, 2022)

Scripts

SCPPullFiles

Updated the Docker image to: demisto/python3:3.10.6.33415.

Strings

Updated the Docker image to: demisto/python3:3.10.6.33415.

UtilAnyResults

Updated the Docker image to: demisto/python3:3.10.6.33415.

RunPollingCommand

Updated the Docker image to: demisto/python3:3.10.6.33415.

IdentifyAttachedEmail

Updated the Docker image to: demisto/python3:3.10.6.33415.

ReadFile

Updated the Docker image to: demisto/python3:3.10.6.33415.

ExtractIndicatorsFromTextFile

Updated the Docker image to: demisto/python3:3.10.6.33415.

ExtractHTMLTables

Updated the Docker image to: demisto/bs4-py3:1.0.0.32198.

Related pull requests:
- 20951

Download

1.7.60 - 3684182 (September 19, 2022)

Scripts

FileReputation

Improve handling of errors from reputation command.
Updated the Docker image to: demisto/python3:3.10.7.33922.

DomainReputation

Improve handling of errors from reputation command.
Updated the Docker image to: demisto/python3:3.10.7.33922.

URLReputation

Improve handling of errors from reputation command.
Updated the Docker image to: demisto/python3:3.10.7.33922.

EmailReputation

Improve handling of errors from reputation command.
Updated the Docker image to: demisto/python3:3.10.7.33922.

IPReputation

Improve handling of errors from reputation command.
Updated the Docker image to: demisto/python3:3.10.7.33922.

New: GetEntries

Added the GetEntries script, the script collect entries matching to the conditions in the war room (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 21310
- 21244

Download

1.7.58 - 3681802 (September 18, 2022)

Scripts

SetIfEmpty

Fixed an issue where default value of None is converted to "None" in string.
Updated the Docker image to: demisto/python3:3.10.7.33922.

SetAndHandleEmpty

Fixed an issue where "None" is set when stringify is true.
Updated the Docker image to: demisto/python3:3.10.7.33922.

If-Then-Else

Fixed an issue where an empty string == None is evaluated as False.

Related pull requests:
- 21291
- 21274
- 21310
- 21288
- 21292
- 21244

Download

1.7.56 - 3660124 (September 14, 2022)

Scripts

SSDeepReputation

Updated the Docker image to: demisto/python3:3.10.6.33415.

Related pull requests:
- 21009

Download

1.7.55 - 3656716 (September 14, 2022)

Scripts

CheckSenderDomainDistance

Updated the Docker image to: demisto/python3:3.10.7.33922.

Related pull requests:
- 21065

Download

1.7.53 - 3652468 (September 13, 2022)

Scripts

BetweenDates

Updated the Docker image to: demisto/python3:3.10.7.33922.
Fixed an issue with arguments name in BetweenDates script.

ParseEmailFilesV2

Updated the Docker image to: demisto/parse-emails:1.0.0.33967.
Fixed an issue where the attachment filename was not parsed properly.

Related pull requests:
- 21202
- 21065

Download

1.7.52 - 3649843 (September 13, 2022)

Scripts

JSONtoCSV

Updated the Docker image to: demisto/python3:3.10.6.33415.

JSONFileToCSV

Updated the Docker image to: demisto/python3:3.10.6.33415.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python3:3.10.6.33415.

PcapHTTPExtractor

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.32113.

IndicatorMaliciousRatioCalculation

Updated the Docker image to: demisto/python3:3.10.6.33415.

hideFieldsOnNewIncident

Updated the Docker image to: demisto/python3:3.10.7.33922.

PrintErrorEntry

Updated the Docker image to: demisto/python3:3.10.6.33415.

TextFromHTML

Updated the Docker image to: demisto/python3:3.10.6.33415.

StopScheduledTask

Updated the Docker image to: demisto/python3:3.10.6.33415.

Base64ListToFile

Updated the Docker image to: demisto/python3:3.10.6.33415.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python3:3.10.6.33415.

GetEnabledInstances

Fixed an issue where the script returned builtin brands.
Updated the Docker image to: demisto/python3:3.10.7.33922.

GetStringsDistance

Updated the Docker image to: demisto/python3:3.10.7.33922.

Related pull requests:
- 20979

Download

1.7.35 - 3635034 (September 10, 2022)

Scripts

GetIndicatorDBotScore

Fixed an issue with using custom indicator type.
Updated the Docker image to: demisto/python3:3.10.6.33415.

FindSimilarIncidents

Updated the Docker image to: demisto/python3:3.10.6.33415.

ParseCSV

Updated the Docker image to: demisto/python3:3.10.6.33415.

EncodeToAscii

Updated the Docker image to: demisto/python3:3.10.6.33415.

DemistoVersion

Updated the Docker image to: demisto/python3:3.10.6.33415.

ProvidesCommand

Updated the Docker image to: demisto/python3:3.10.6.33415.

Related pull requests:
- 17638

Download

1.7.31 - 3612694 (September 7, 2022)

Scripts

ParseWordDoc

Updated the Docker image to: demisto/docxpy:1.0.0.33689.

Related pull requests:
- 20956

Download

1.7.30 - 3606822 (September 6, 2022)

Scripts

GetDockerImageLatestTag

Updated the Docker image to: demisto/python3:3.10.6.33415.

SetTime

Updated the Docker image to: demisto/python3:3.10.6.33415.

FileReputation

Updated the Docker image to: demisto/python3:3.10.6.33415.

EmailReputation

Updated the Docker image to: demisto/python3:3.10.6.33415.

URLNumberOfAds

Updated the Docker image to: demisto/python3:3.10.6.33415.

DecodeMimeHeader

Updated the Docker image to: demisto/python3:3.10.6.33415.

IsEmailAddressInternal

Updated the Docker image to: demisto/python3:3.10.6.33415.

URLSSLVerification

Updated the Docker image to: demisto/python3:3.10.6.33415.

PDFUnlocker

Updated the Docker image to: demisto/readpdf:1.0.0.33704.

SetMultipleValues

Updated the Docker image to: demisto/python3:3.10.6.33415.

PrintContext

Updated the Docker image to: demisto/python3:3.10.6.33415.

JoinIfSingleElementOnly

Updated the Docker image to: demisto/python3:3.10.6.33415.

MarkAsNoteByTag

Updated the Docker image to: demisto/python3:3.10.6.33415.

IsIntegrationAvailable

Updated the Docker image to: demisto/python3:3.10.6.33415.

IPReputation

Updated the Docker image to: demisto/python3:3.10.6.33415.

URLReputation

Updated the Docker image to: demisto/python3:3.10.6.33415.

DomainReputation

Updated the Docker image to: demisto/python3:3.10.6.33415.

Related pull requests:
- 21012

Download

1.7.27 - 3570916 (August 31, 2022)

Scripts

FormatURL

Improved implementation of the regex and the formatter.

Related pull requests:
- 20170

Download

1.7.26 - 3556969 (August 29, 2022)

Scripts

ParseEmailFilesV2

Added support for cid-embedded images in EML files.
Updated the Docker image to: demisto/parse-emails:1.0.0.33308.

Related pull requests:
- 20951
- 20802

Download

1.7.25 - 3551782 (August 28, 2022)

Scripts

ReadPDFFileV2

Updated the Docker image to: demisto/readpdf:1.0.0.33079.
Fixed an issue where read-only files were not removed after creation.
Fixed an issue where byPdf2 ran in strict mode and introduced unneeded warnings and errors.

Related pull requests:
- 20754

Download

1.7.23 - 3528006 (August 24, 2022)

Scripts

BetweenHours

Added human readable and BetweenHours context outputs.
Updated the Docker image to: demisto/python3:3.10.5.31928.

BetweenDates

Added human readable and BetweenDates context outputs.
Updated the Docker image to: demisto/python3:3.10.5.31928.

Related pull requests:
- 20693

Download

1.7.22 - 3520117 (August 23, 2022)

Scripts

RepopulateFiles

Updated the Docker image to: demisto/python3:3.10.5.31928.
Added the AttachmentFile context record to include only incident attachment files, in addition to all attachments and entry files in the File record.

Related pull requests:
- 20729
- 21548
- 20495

Download

1.7.21 - 3506185 (August 21, 2022)

Scripts

StixCreator

Added support for indicators with keys that don't match the common indicator names, as long as their key contains a common indicator name, or their value matches the expected indicator value (e.g. 8.8.8.8 for ip).

Related pull requests:
- 20660

Download

1.7.20 - 3472136 (August 16, 2022)

Scripts

StixCreator

Fixed an issue where export to STIX failed when more than one indicator was being exported.
Fixed an issue where export to STIX failed when trying to export file types.
Updated the Docker image to: demisto/py3-tools:1.0.0.32758.

Related pull requests:
- 20323

Download

1.7.19 - 3459681 (August 14, 2022)

Scripts

EmailDomainSquattingReputation

Fixed an issue where the script was case sensitive causing invalid levenshtein distance between domains.

Related pull requests:
- 20491

Download

1.7.18 - 3427401 (August 9, 2022)

Scripts

ReadPDFFileV2

Updated the Docker image to: demisto/readpdf:1.0.0.32561.
Fixed an issue with dangling file reference.

DeleteContext

Fixed an issue when using the keysToKeep argument containing list indexes did not work properly.

Related pull requests:
- 20162

Download

1.7.16 - 3323751 (July 24, 2022)

Scripts

RunPollingCommand

Added support for using argument.

Related pull requests:
- 19974

Download

1.7.15 - 3305407 (July 21, 2022)

Scripts

ParseEmailFilesV2
Updated the Docker image to: demisto/parse-emails:1.0.0.32153.

Related pull requests:
- 20095

Download

1.7.14 - 3257461 (July 13, 2022)

Scripts

ParseEmailFilesV2

Moved the script from beta to GA.

Related pull requests:
- 20041

Download

1.7.13 - 3254147 (July 13, 2022)

Scripts

StixCreator

You can now export almost all of the XSOAR indicator types to STIX objects.
Updated the Docker image to: demisto/py3-tools:1.0.0.31193.

Related pull requests:
- 19595

Download

1.7.12 - 3202776 (July 4, 2022)

Scripts

ParseEmailFiles

Removed copyright section.

Related pull requests:
- 19848

Download

1.7.11 - 3200623 (July 4, 2022)

Scripts

FindSimilarIncidents

Replaced unwanted usage of demisto.log() with demisto.debug().

Related pull requests:
- 19840

Download

1.7.10 - 3184834 (June 30, 2022)

Scripts

GenerateRandomString

Improved implementation with limiting the maximum length of the generated string to be 10,000.
Updated the Docker image to 3.10.4.30607.

Related pull requests:
- 19693

Download

1.7.9 - 3167802 (June 28, 2022)

Scripts

FormatURL

Fixed an issue where running the script on an invalid URL would create a URL with "Failed to execute FormatURL" error.
Updated docker image from 3.10.4.27798 to 3.10.4.30607.

ZipStrings

Added support for more input format.
Updated the Docker image to: demisto/python3:3.10.4.30607.

Related pull requests:
- 19645

Download

1.7.7 - 3143373 (June 23, 2022)

Scripts

HttpV2

Updated the Docker image to: demisto/python3:3.10.4.30607.
Added support for passing the headers parameter as string.

Related pull requests:
- 19693
- 19669

Download

1.7.6 - 3128765 (June 21, 2022)

Scripts

ExtractEmailV2

Fixed an issue where indicators filtered by this script caused an incorrect mapping of indicators in the system.
Updated docker image from 3.9.8.24399 to 3.10.4.30607.

VerifyIPv6Indicator

Fixed an issue where indicators filtered by this script caused an incorrect mapping of indicators in the system.
Updated docker image from 3.9.7.24076 to 3.10.4.30607.

Related pull requests:
- 19651

Download

1.7.5 - 3120482 (June 20, 2022)

Scripts

DockerHardeningCheck

Added support for cgroups v2.
Fixed an issue where memory check_type was incorrect.
Updated the Docker image to: demisto/python3:3.10.4.30607.

Related pull requests:
- 19599
- 19590

Download

1.7.4 - 3118515 (June 19, 2022)

Scripts

ReadFile

Updated the Docker image to: demisto/python:2.7.18.27799.

RunPollingCommand

Updated the Docker image to: demisto/python:2.7.18.27799.

ScheduleGenericPolling

Updated the Docker image to: demisto/python:2.7.18.27799.

StopTimeToAssignOnOwnerChange

Updated the Docker image to: demisto/python:2.7.18.27799.

URLSSLVerification

Updated the Docker image to: demisto/python:2.7.18.27799.

Base64ListToFile

Updated the Docker image to: demisto/python:2.7.18.27799.

ChangeRemediationSLAOnSevChange

Updated the Docker image to: demisto/python:2.7.18.27799.

CheckSenderDomainDistance

Updated the Docker image to: demisto/python:2.7.18.27799.

DecodeMimeHeader

Updated the Docker image to: demisto/python:2.7.18.27799.

DisplayHTML

Updated the Docker image to: demisto/python:2.7.18.27799.

Related pull requests:
- 19582

Download

1.7.3 - 3090372 (June 14, 2022)

Scripts

StixCreator

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/stix2 image is deprecated.

ExtractDomainAndFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/tld image is deprecated.

jmespath

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/jmespath image is deprecated.

ExtractFQDNFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/tld image is deprecated.

ZipFile

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/python_zipfile image is deprecated.

ExtractDomainFromUrlAndEmail

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/tld image is deprecated.

ParseExcel

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/xlrd-py3 image is deprecated.

LanguageDetect

Updated the Docker image to: demisto/py3-tools:0.0.1.30715 as demisto/langdetect image is deprecated.

Related pull requests:
- 19562

Download

1.7.2 - 3083568 (June 13, 2022)

Scripts

ReadPDFFileV2

Fixed an issue where some PDF files failed on Could not find object error.
Updated the Docker image to: demisto/readpdf:1.0.0.30663.

Related pull requests:
- 19506

Download

1.7.1 - 3061129 (June 9, 2022)

Scripts

ParseEmailFiles

Fixed an issue where the script failed on particular MIME entity file type.

Related pull requests:
- 19430
- 19381

Download

1.7.0 - 3056265 (June 8, 2022)

Scripts

New: GetErrorsFromEntry

Added the GetErrorsFromEntry utility script meant to be used in conjunction with the Playbook Error Handling feature introduced in platform version 6.8.0.

Related pull requests:
- 19311

Download

1.6.70 - 3024435 (June 2, 2022)

Scripts

DeleteContext

Fixed an issue where the command returned an error when parsing nested path.

Related pull requests:
- 19339

Download

1.6.69 - 3018073 (June 1, 2022)

Scripts

ParseEmailFilesV2
Updated the Docker image to: demisto/parse-emails:1.0.0.30171.

Related pull requests:
- 19323

Download

1.6.68 - 3008452 (May 31, 2022)

Scripts

FilterByList

Updated the Docker image to: demisto/python3:3.10.4.29342.

BinarySearchPy

Deprecated. No available replacement.

ContextContains

Updated the Docker image to: demisto/python3:3.10.4.29342.

CompareIncidentsLabels

Updated the Docker image to: demisto/python3:3.10.4.29342.

CloseInvestigationAsDuplicate

Updated the Docker image to: demisto/python3:3.10.4.29342.

CopyContextToField

Updated the Docker image to: demisto/python3:3.10.4.29342.

CalculateTimeDifference

Updated the Docker image to: demisto/python3:3.10.4.29342.

Related pull requests:
- 19285

Download

1.6.67 - 3006310 (May 30, 2022)

Scripts

ReadPDFFileV2

Fixed an issue where some PDF files failed on ValueError.
Updated the Docker image to: demisto/readpdf:1.0.0.29961.

Related pull requests:
- 19256

Download

1.6.66 - 3002096 (May 29, 2022)

Scripts

ParseHTMLIndicators

Fixes the domain indicator regex.
Fixes the code structure.

PUBLISHER

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Example

Scripts

New: DisableUserWrapper

Scripts

DeleteContext

Scripts

RunPollingCommand

Scripts

MaliciousRatioReputation

DisplayHTML

SendEmailOnSLABreach

ResolveShortenedURL

FileToBase64List

Scripts

New: IgnoreFieldsFromJson

ExtractEmailV2

Scripts

SCPPullFiles

Strings

UtilAnyResults

RunPollingCommand

IdentifyAttachedEmail

ReadFile

ExtractIndicatorsFromTextFile

ExtractHTMLTables

Scripts

FileReputation

DomainReputation

URLReputation

EmailReputation

IPReputation

New: GetEntries

Scripts

SetIfEmpty

SetAndHandleEmpty

If-Then-Else

Scripts

SSDeepReputation

Scripts

CheckSenderDomainDistance

Scripts

BetweenDates

ParseEmailFilesV2

Scripts

JSONtoCSV

JSONFileToCSV

StopTimeToAssignOnOwnerChange

PcapHTTPExtractor

IndicatorMaliciousRatioCalculation

hideFieldsOnNewIncident

PrintErrorEntry

TextFromHTML

StopScheduledTask

Base64ListToFile

ChangeRemediationSLAOnSevChange

GetEnabledInstances

GetStringsDistance

Scripts

GetIndicatorDBotScore

FindSimilarIncidents

ParseCSV

EncodeToAscii

DemistoVersion

ProvidesCommand

Scripts

ParseWordDoc

Scripts

GetDockerImageLatestTag

SetTime

FileReputation

EmailReputation

URLNumberOfAds

DecodeMimeHeader

IsEmailAddressInternal

URLSSLVerification