End-of-Life (EoL)
D2 Agent Script Commands
The following are the D2 agent scripting
commands. Each command is followed by its description, its syntax,
and an example where applicable.
Cortex XSOAR server comes with a few example agent scripts. These
will help you get more acquainted with the functions. You can copy
the scripts, change them and check the results.
Command | Syntax | Description |
---|---|---|
env | var env = {OS:"",ARCH:""}; | Holds the environment variables. env.OS and env.ARCH are populated with OS and architecture. Example: `console.log(JSON.stringify(env))` |
pwd | function string pwd(); | Returns the absolute path of the working folder. |
which | function string which(path string); | Returns the absolute path for a given path or executable. Example: `console.log(which('ls'));` prints `/bin/ls`; `console.log(which('syslog'));` prints `/usr/bin/syslog` |
execute | function ExecResult execute(cmd string); | Executes the given command. Returns: {Stdout string // process stdout captured; Stderr string // process stderr captured; PID int // PID of process that was running; Success bool // whether process ended successfully; Error string // string describing the error if exists}. Example: `var ret=execute('ls -l'); console.log(ret.Stdout); console.log(JSON.stringify(ret));` |
pack | function null pack(content object, contentformat string[optional]); | Returns the content as an entry on the investigation. Content can be a JSON object or when specified value. contentformat may be one of the following: 'table', 'text' or 'json'. If not provided, the format will be determined according to the type of content. |
pack_file | function null pack_file(path string, content string[optional]); | Returns the path as a file entry on the investigation. If content is provided, it will be attached to the file. |
files | function []FileInfo files(folder string, recurse bool[=false], hashes bool[=false], regex string[=""]); | Retrieves a list of files from the folder. If recurse is true, sub-folders will be included. If hashes is true, it will compute hashes for each file. If regex is provided, it will return only file names matching the regex. Returns an array of: {Created int; CreatedStr string; Accessed int; AccessedStr string; Changed int; ChangedStr string; Path string; Type string; Size int; Mode string; MD5 string; SHA1 string; SHA256 string; SHA512 string; SSDeep string}. Example: `console.log(JSON.stringify(files('/tmp',true,true)));` |
copy | function int copy(src string, dest string, overwrite bool[=false], regex string[=""]); | Copies the source (src) to the destination (dest). If overwrite is false, it will throw an exception if the destination exists. If regex is provided, it will copy only files matching the regex. This function is not recursive. Returns: The number of items copied. |
move | function int move(src string, dest string, overwrite bool[=false], regex string[=""]); | Same as copy, but also deletes the source files. |
del | function int del(file string, regex[=""]); | Deletes the file. If the file is a folder, and regex is not empty, it will remove only the files matching regex from that folder. |
grep | function []GrepMatch grep(path string, regex string, recursive bool[=false]); | Searches the given path for files matching regex. If recursive is true, it will dive into the sub folders. Returns an array of: {Path string // Path to file matching; Offsets [][]int // The matching indexes on the line}. Example: `console.log(JSON.stringify(grep('/tmp/','Scan',true)));` |
strings | function []string strings(path string, min int[=4], max int[=1024]); | Searches strings contained in the file provided by path. Use min and max to control the sizes of the strings that are captured. Example: `console.log(JSON.stringify(strings('/bin/ls')));` |
bytes | function string bytes(file string, offset int[=0], size int[=1024]); | Returns a chunk of size bytes from the file, starting at offset. Example: `console.log(JSON.stringify(bytes('ddb',0,15)));` |
mkdir | function bool mkdir(path string); | Returns 'true' if a folder was created. Throws an exception otherwise. |
rmdir | function bool rmdir(path string); | Removes the folder provided by path. Returns: 'true' if a folder was removed. Throws an exception otherwise. |
join_path | function string join_path(part1, part2... string); | Joins the paths provided by part1 to partN. Returns: Path string. Example: `console.log(join_path("/tmp","one","two","three.file"));` prints `/tmp/one/two/three.file` |
http | function HTTPResponse http(url string, arg object); | Performs HTTP GET call to URL with the provided arg as a request body. Returns object: {StatusCode int // HTTP response code; Status string // HTTP status as text; Cookies []http.Cookie; Body string; Headers string[][]}. http.Cookie object: {Name string; Value string; Path string // optional; Domain string // optional; Expires time.Time // optional; RawExpires string // for reading cookies only; MaxAge int // MaxAge=0 means no 'Max-Age' attribute specified, MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0', MaxAge>0 means Max-Age attribute present and given in seconds; Secure bool; HttpOnly bool; Raw string; Unparsed []string // Raw text of unparsed attribute-value pairs}. Example: `console.log(JSON.stringify(http("http://www.google.com/lala")));` |
read_file | function string read_file(path string); | Returns the entire content of the path. Throws an exception if it does not exist. |
wait | function string wait(seconds int); | Sleeps for the number of defined seconds. |
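
The commands above combine naturally for endpoint triage. The following agent script is an added example, not one of the scripts shipped with the server: it uses `files` with hashing enabled to sweep a folder against a SHA256 watchlist, then reports matches with `pack` and attaches them with `pack_file`. The function name `hashSweep`, the `d2` wrapper object and the watchlist placeholder are hypothetical, and it assumes `pack` accepts an array of objects for the 'table' format.

```javascript
// Added example: sweep a folder for files whose SHA256 is on a watchlist.
// d2 holds the agent built-ins documented above (files, pack, pack_file);
// passing them in keeps the logic testable outside the agent.
function hashSweep(d2, folder, watchlist, nameRegex) {
  // Normalise case once: the case of the hash strings is not documented here.
  var wanted = {};
  watchlist.forEach(function (h) { wanted[String(h).toLowerCase()] = true; });

  // recurse=true, hashes=true, optional file-name regex.
  var listing = d2.files(folder, true, true, nameRegex || "") || [];
  var scanned = 0;
  var hits = [];
  listing.forEach(function (f) {
    if (!f.SHA256) { return; } // entry without a computed hash
    scanned += 1;
    var key = f.SHA256.toLowerCase();
    if (Object.prototype.hasOwnProperty.call(wanted, key)) {
      hits.push({ Path: f.Path, Size: f.Size, SHA256: f.SHA256, Changed: f.ChangedStr });
    }
  });

  if (hits.length === 0) {
    d2.pack("No watchlisted hashes in " + folder + " (" + scanned + " files hashed)", "text");
  } else {
    d2.pack(hits, "table"); // assumption: an array of objects renders as table rows
    hits.forEach(function (h) { d2.pack_file(h.Path); }); // attach each match as evidence
  }
  return { scanned: scanned, hits: hits };
}

// Runs only where the D2 built-ins exist as globals (inside the agent).
if (typeof files === "function" && typeof pack === "function" &&
    typeof pack_file === "function") {
  hashSweep({ files: files, pack: pack, pack_file: pack_file }, "/tmp",
    ["<sha256-from-your-watchlist>"]); // placeholder, not a real indicator
}
```
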
Windows Specific Functions
Command | Syntax | Description |
---|---|---|
processes | function ProcessInfo[] processes(); | Returns a list of processes. |
services | function ServiceInfo[] services(); | Returns a list of services. |
wmi_query | function Object[] wmi_query(query string); | Executes a WMI query. Returns an array in JSON representing the results. |
registry | function Object[] registry(path string); | Gets all values under the registry path provided by path as a set of JSON objects. This function is always recursive if a key name is provided. The key name must start with one of the following: "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_USERS" or "HKEY_CURRENT_CONFIG". |
ifconfig | function Object[] ifconfig(); | Returns a list of all interface adapters and their configurations. |
fsconfig | function Object[] fsconfig(); | Returns a list of all file systems. |
accounts | function Object[] accounts(); | Returns a list of all defined user accounts. |