Common Scripts to use in Automations

script automation integrations
Common Scripts are scripts that contain common code (functions, variables, etc.) to be used across scripts which can be embedded when writing your own Automation scripts and Integrations. The common scripts appear in the Automation page, but are used to enhance the API in other scripts and integrations.
For example, the function tableToMarkdown in CommonServer.yml takes a JSON and transforms it to markdown. You can call this function from integrations and scripts that you author.
CommonServer
CommonServer is a system script and cannot be changed. You can add your own functions to the CommonUserServer script which is a built-in script that can be modified.
You can also use CommonUserServer to override our existing scripts in CommonServer.
Common Scripts for Python
To find common scripts for Python open the
Automation
screen and search for
CommonServerPython
.
If you have your own common scripts in Python that you would like to save and reuse you can save them in
CommonServerUserPython
.
Common Scripts for Java Scripts
To find common scripts for Java Script open the
Automation
screen and search for
CommonServer
.
If you have your own common scripts in Java Script that you would like to save and reuse you can save them in
CommonServerUser
.
Python Common Scripts
Script
Description
Parameter
positiveUrl
Gets the Entry parameter from the WarRoom and checks each Reputation Tool to determine if the URL in this Entry parameter is malicious or non-malicious.
You can change the threshold by changing the Thresholds dictionary.
The function returns true if the URL is safe, otherwise returns false.
Entry parameter
positiveFile
Gets the Entry parameter from the WarRoom and checks each Reputation Tool to determine if the file in this Entry parameter is malicious or non-malicious.
You can change the threshold by changing the Thresholds dictionary.
The function returns true if the file is safe, otherwise returns false.
Entry parameter
vtCountPositives
Gets the entry parameter and checks how many good URLs are hosted on the IP in this entry.
Entry parameter
shortCrowdStrike
Formats the response from CrowdStrike to a pretty markdown.
Entry parameter
shortUrl
Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the URL.
Entry parameter
shortFile
Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the IP.
Entry parameter
FormatADTimestamp
Gets the Entry parameter from the War Room and formats the timestamp returned from AD.
Entry parameter
formatCell
Gets the JSON parameter string and formats it to a regular string that can be used in a table.
JSON parameter string
flattenCell
Gets the JSON parameter string and converts it to a string that can be used in a table. Also supports tables containing sub cells.
JSON parameter string
flattenRow
Gets a key and data and adds it to the context. Checks if the key already exists. It it exists, it creates an array in the existing key.
Key and data, and optionally dedup=False – don’t add duplicate items
fileResult
Creates a new file that contains the data and displays the file in the WarRoom.
Filename and data
JavaScript Common Scripts
Script
Description
Parameter
tableToMarkdown
Converts a Cortex XSOAR table in JSON format to a Markdown format table.
Table name, JSON object and the headers to display.
closeInvestigation
Closes the current investigation.
args - arguments for the close (what happened, damage, etc.)
setSeverity
Sets the severity of an incident. The incident must be related to the current investigation.
arg that has 2 keys:
  • 'id' - the incident id
  • 'severity' - the new severity value (Critical, High, Medium etc.)
setIncident
Sets fields of the incident. The incident must be related to the current investigation and be the only incident in it.
Dictionary of args - has 5 optional keys:
  • type
  • severity
  • details
  • name
  • incident systems
createNewIncident
Creates a new incident with the fields specified. This is only carried out if an incident with the same name does not exist as an active incident.
Dictionary of args - has 5 optional keys: type, severity, details, name and the incident systems.
setOwner
Sets the owner of the incident. The incident must be related to the current investigation.
Owner user name.
taskAssign
Assigns a playbook task to a user.
Dictionary of args - has 2 keys:
  • 'id' - the task id
  • 'assignee' - assignee user name
setPlaybook
Sets investigation playbook
Playbook name.
isCommandAvailable
Checks if the specific command is available.
Command name.
objToMd
Converts a given object to Markdown while descending multiple levels.
Gets the object that will be converted to Markdown.
Object
positiveUrl
Gets the Entry parameter from the WarRoom and checke each Reputation Tool if the URL in this Entry parameter is malicious or non-malicious.
You can change the threshold by changing the Thresholds dictionary.
The function returns true if the URL is safe, otherwise returns false.
Entry from War Room.
positiveFile
Gets the Entry parameter from the WarRoom and checks each Reputation Tool if the file in this Entry parameter is malicious or non-malicious.
You can change the threshold by changing the Thresholds dictionary.
The function returns true if the file is safe, otherwise returns false.
Entry from War Room.
positiveIP
Gets the Entry parameter from the WarRoom and checks each Reputation Tool if the IP in this Entry parameter is malicious or non-malicious.
You can change the threshold by changing the Thresholds dictionary.
The function returns true if the IP is safe, otherwise returns false.
Entry from War Room.
shortCrowdStrike
Formats the response from CrowdStrike to a pretty Markdown.
Entry from War Room.
shortUrl
Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the URL.
Entry from War Room.
shortFile
Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the file.
Entry from War Room.
shortIp
Gets the Entry parameter from the War Room and checks it in the Reputation tools (adding information to context and formatting the response to the War Room) when checking the IP.
Entry from War Room.
treeToFlattenObject
Flattens all JSON tree objects to key-value format.
JSON object.

Recommended For You