D2 Agent Script Commands

The following are the D2 agent scripting commands. Each command is followed by its description, its syntax, and an example where applicable.
The Cortex XSOAR server comes with a few example agent scripts that help you get acquainted with these functions. You can copy the scripts, change them, and check the results.
Command
Syntax
Description
env
var env = {OS:"",ARCH:""};
Holds the environment variables. env.OS and env.ARCH are populated with OS and architecture.
Example:
console.log(JSON.stringify(env))
pwd
function string pwd();
Returns the absolute path of the working folder.
which
function string which(path string);
Returns the absolute path for a given path or executable.
Example:
console.log(which('ls'));      // /bin/ls
console.log(which('syslog'));  // /usr/bin/syslog
execute
function ExecResult execute(cmd string);
Executes the given command.
Returns:
{
  Stdout string   // process stdout captured
  Stderr string   // process stderr captured
  PID int         // PID of process that was running
  Success bool    // whether process ended successfully
  Error string    // string describing the error if exists
}
Example:
var ret = execute('ls -l');
console.log(ret.Stdout);
console.log(JSON.stringify(ret));
pack
function null pack(content object, contentformat string[optional]);
Returns the content as an entry on the investigation. Content can be a JSON object or, when specified, a value. contentformat may be one of the following: 'table', 'text' or 'json'. If not provided, the format is determined according to the type of content.
pack_file
function null pack_file(path string, content string[optional]);
Returns the path as a file entry on the investigation. If content is provided, it will be attached to the file.
files
function []FileInfo files(folder string, recurse bool[=false], hashes bool[=false], regex string[=""]);
Retrieves a list of files from the folder. If recurse is true, sub-folders will be included. If hashes is true, it will compute hashes for each file. If regex is provided, it will return only file names matching the regex.
Returns an array of:
{
  Created int
  CreatedStr string
  Accessed int
  AccessedStr string
  Changed int
  ChangedStr string
  Path string
  Type string
  Size int
  Mode string
  MD5 string
  SHA1 string
  SHA256 string
  SHA512 string
  SSDeep string
}
Example:
console.log(JSON.stringify(files('/tmp',true,true)));
copy
function int copy(src string, dest string, overwrite bool[=false], regex string[=""]);
Copies the source (src) to the destination (dest). If overwrite is false, it will throw an exception if the destination exists. If regex is provided, it will copy only files matching the regex. This function is not recursive.
Returns: The number of items copied.
move
function int move(src string, dest string, overwrite bool[=false], regex string[=""]);
Same as copy, but also deletes the source files.
del
function int del(file string, regex string[=""]);
Deletes the file. If the file is a folder, and regex is not empty, it will remove only the files matching regex from that folder.
grep
function []GrepMatch grep(path string, regex string, recursive bool[=false]);
Searches the given path for files matching regex. If recursive is true, it will dive into the sub folders.
Returns an array of:
{
  Path string      // Path to file matching
  Offsets [][]int  // The matching indexes on the line
}
Example:
console.log(JSON.stringify(grep('/tmp/','Scan',true)));
strings
function []string strings(path string, min int[=4], max int[=1024]);
Searches strings contained in the file provided by path. Use min and max to control the sizes of the strings that are captured.
Example:
console.log(JSON.stringify(strings('/bin/ls')));
bytes
function string bytes(file string, offset int[=0], size int[=1024]);
Returns a size bytes chunk of a file starting at offset.
Example:
console.log(JSON.stringify(bytes('ddb',0,15)));
mkdir
function bool mkdir(path string);
Returns 'true' if a folder was created. Throws an exception otherwise.
rmdir
function bool rmdir(path string);
Removes the folder provided by path.
Returns: 'true' if a folder was removed. Throws an exception otherwise.
join_path
function string join_path(part1, part2... string);
Joins the paths provided by part1 to partN.
Returns: Path string.
Example:
console.log(join_path("/tmp","one","two","three.file"));  // /tmp/one/two/three.file
http
function HTTPResponse http(url string, arg object);
Performs an HTTP GET call to url with the provided arg as a request body.
Returns object:
{
  StatusCode int   // HTTP response code
  Status string    // HTTP status as text
  Cookies []http.Cookie
  Body string
  Headers string[][]
}
http.Cookie object:
  Name string
  Value string
  Path string        // optional
  Domain string      // optional
  Expires time.Time  // optional
  RawExpires string  // for reading cookies only
  // MaxAge=0 means no 'Max-Age' attribute specified.
  // MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'
  // MaxAge>0 means Max-Age attribute present and given in seconds
  MaxAge int
  Secure bool
  HttpOnly bool
  Raw string
  Unparsed []string  // Raw text of unparsed attribute-value pairs
Example:
console.log(JSON.stringify(http("http://www.google.com/lala")));
read_file
function string read_file(path string);
Returns the entire content of the path. Throws an exception if it does not exist.
wait
function string wait(seconds int);
Sleeps for the defined number of seconds.
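Added example (not part of the Cortex XSOAR documentation or its bundled scripts): a script that filters the FileInfo array returned by files() against a SHA256 blocklist, and optionally by change time, before sending the matches to pack() as a table. The blocklist, the sample records and the helper names rep and triage are constructed for illustration. The script assumes that digest case may vary and that the since cutoff uses the same unit as the Changed field.

```javascript
// Added example; ES5 syntax only, as a conservative assumption about the agent's engine.
// Digests and sample records are constructed placeholders, not real indicators.
function rep(ch, n) { return new Array(n + 1).join(ch); } // ES5-safe string repeat

var KNOWN_BAD_SHA256 = {};                 // hypothetical blocklist: digest -> label
KNOWN_BAD_SHA256[rep('a', 64)] = 'placeholder-sample-A';

// Returns one row per file that matches the blocklist or changed at/after `since`.
// Pass null for `since` to skip the time check (unit must match the Changed field).
function triage(fileInfos, knownBad, since) {
  var rows = [];
  for (var i = 0; i < fileInfos.length; i++) {
    var f = fileInfos[i];
    // An empty digest means files() was called with hashes=false.
    var digest = String(f.SHA256 || '').toLowerCase();
    var reasons = [];
    if (digest && knownBad.hasOwnProperty(digest)) {
      reasons.push('known-bad:' + knownBad[digest]);
    }
    if (since !== null && typeof f.Changed === 'number' && f.Changed >= since) {
      reasons.push('recently-changed');
    }
    if (reasons.length > 0) {
      rows.push({ Path: f.Path, Size: f.Size, SHA256: digest,
                  Changed: f.ChangedStr, Reason: reasons.join(', ') });
    }
  }
  return rows;
}

// Constructed sample shaped like the files() return value described above.
var SAMPLE = [
  { Path: '/tmp/a.bin', Size: 10, SHA256: rep('A', 64), Changed: 100, ChangedStr: 't100' },
  { Path: '/tmp/b.txt', Size: 20, SHA256: rep('b', 64), Changed: 500, ChangedStr: 't500' },
  { Path: '/tmp/c.log', Size: 30, SHA256: rep('c', 64), Changed: 50, ChangedStr: 't50' },
  { Path: '/tmp/d.dat', Size: 40, Changed: 60, ChangedStr: 't60' }
];

// Inside the agent, files() and pack() exist; elsewhere this branch is skipped.
if (typeof files === 'function' && typeof pack === 'function') {
  pack(triage(files('/tmp', true, true), KNOWN_BAD_SHA256, null), 'table');
}
```

Calling files() with hashes set to true is what populates SHA256; without it every record has an empty digest and only the change-time check can match.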
Windows Specific Functions
Command
Syntax
Description
processes
function ProcessInfo[] processes();
Returns a list of processes.
services
function ServiceInfo[] services();
Returns a list of services.
wmi_query
function Object[] wmi_query(query string);
Executes a WMI query.
Returns an array in JSON representing the results.
registry
function Object[] registry(path string);
Gets all values under the registry path provided by path as a set of JSON objects. This function is always recursive if a key name is provided.
The key name must start with one of the following: "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_USERS" or "HKEY_CURRENT_CONFIG".
ifconfig
function Object[] ifconfig();
Returns a list of all interface adapters and their configurations.
fsconfig
function Object[] fsconfig();
Returns a list of all file systems.
accounts
function Object[] accounts();
Returns a list of all defined user accounts.
