1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Playbooks
    6. Automations
    7. Common Scripts to use in Automations
    End-of-Life (EoL)

    Common Scripts to use in Automations

    script automation integrations
    Common Scripts are scripts that contain common code (functions, variables, etc.) to be used across scripts which can be embedded when writing your own Automation scripts and Integrations. The common scripts appear in the Automation page, but are used to enhance the API in other scripts and integrations.
    For example, the function tableToMarkdown in CommonServer.yml takes a JSON and transforms it to markdown. You can call this function from integrations and scripts that you author.
    CommonServer
    CommonServer is a system script and cannot be changed. You can add your own functions to the CommonUserServer script which is a built-in script that can be modified.
    You can also use CommonUserServer to override our existing scripts in CommonServer.
    Common Scripts for Python
    To find common scripts for Python open the
    Automation
     screen and search for
    CommonServerPython
    .
    If you have your own common scripts in Python that you would like to save and reuse you can save them in
    CommonServerUserPython
    .
    Common Scripts for Java Scripts
    To find common scripts for Java Script open the
    Automation
     screen and search for
    CommonServer
    .
    If you have your own common scripts in Java Script that you would like to save and reuse you can save them in
    CommonServerUser
    .
    Python Common Scripts
    Script
    Description
    Parameter
    positiveUrl
    Gets the Entry parameter from the WarRoom and checks each Reputation Tool to determine if the URL in this Entry parameter is malicious or non-malicious.
    You can change the threshold by changing the Thresholds dictionary.
    The function returns true if the URL is safe, otherwise returns false.
    Entry parameter
    positiveFile
    Gets the Entry parameter from the WarRoom and checks each Reputation Tool to determine if the file in this Entry parameter is malicious or non-malicious.
    You can change the threshold by changing the Thresholds dictionary.
    The function returns true if the file is safe, otherwise returns false.
    Entry parameter
    vtCountPositives
    Gets the entry parameter and checks how many good URLs are hosted on the IP in this entry.
    Entry parameter
    shortCrowdStrike
    Formats the response from CrowdStrike to a pretty markdown.
    Entry parameter
    shortUrl
    Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the URL.
    Entry parameter
    shortFile
    Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the IP.
    Entry parameter
    FormatADTimestamp
    Gets the Entry parameter from the War Room and formats the timestamp returned from AD.
    Entry parameter
    formatCell
    Gets the JSON parameter string and formats it to a regular string that can be used in a table.
    JSON parameter string
    flattenCell
    Gets the JSON parameter string and converts it to a string that can be used in a table. Also supports tables containing sub cells.
    JSON parameter string
    flattenRow
    Gets a key and data and adds it to the context. Checks if the key already exists. It it exists, it creates an array in the existing key.
    Key and data, and optionally dedup=False – don’t add duplicate items
    fileResult
    Creates a new file that contains the data and displays the file in the WarRoom.
    Filename and data
    JavaScript Common Scripts
    Script
    Description
    Parameter
    tableToMarkdown
    Converts a Cortex XSOAR table in JSON format to a Markdown format table.
    Table name, JSON object and the headers to display.
    closeInvestigation
    Closes the current investigation.
    args - arguments for the close (what happened, damage, etc.)
    setSeverity
    Sets the severity of an incident. The incident must be related to the current investigation.
    arg that has 2 keys:
    • 'id' - the incident id
    • 'severity' - the new severity value (Critical, High, Medium etc.)
    setIncident
    Sets fields of the incident. The incident must be related to the current investigation and be the only incident in it.
    Dictionary of args - has 5 optional keys:
    • type
    • severity
    • details
    • name
    • incident systems
    createNewIncident
    Creates a new incident with the fields specified. This is only carried out if an incident with the same name does not exist as an active incident.
    Dictionary of args - has 5 optional keys: type, severity, details, name and the incident systems.
    setOwner
    Sets the owner of the incident. The incident must be related to the current investigation.
    Owner user name.
    taskAssign
    Assigns a playbook task to a user.
    Dictionary of args - has 2 keys:
    • 'id' - the task id
    • 'assignee' - assignee user name
    setPlaybook
    Sets investigation playbook
    Playbook name.
    isCommandAvailable
    Checks if the specific command is available.
    Command name.
    objToMd
    Converts a given object to Markdown while descending multiple levels.
    Gets the object that will be converted to Markdown.
    Object
    positiveUrl
    Gets the Entry parameter from the WarRoom and checke each Reputation Tool if the URL in this Entry parameter is malicious or non-malicious.
    You can change the threshold by changing the Thresholds dictionary.
    The function returns true if the URL is safe, otherwise returns false.
    Entry from War Room.
    positiveFile
    Gets the Entry parameter from the WarRoom and checks each Reputation Tool if the file in this Entry parameter is malicious or non-malicious.
    You can change the threshold by changing the Thresholds dictionary.
    The function returns true if the file is safe, otherwise returns false.
    Entry from War Room.
    positiveIP
    Gets the Entry parameter from the WarRoom and checks each Reputation Tool if the IP in this Entry parameter is malicious or non-malicious.
    You can change the threshold by changing the Thresholds dictionary.
    The function returns true if the IP is safe, otherwise returns false.
    Entry from War Room.
    shortCrowdStrike
    Formats the response from CrowdStrike to a pretty Markdown.
    Entry from War Room.
    shortUrl
    Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the URL.
    Entry from War Room.
    shortFile
    Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the file.
    Entry from War Room.
    shortIp
    Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the IP.
    Entry from War Room.
    treeToFlattenObject
    Flattens all JSON tree objects to key-value format.
    JSON object.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo