Scripts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Create and edit a script including detach and attach, automation settings, etc.

Scripts perform specific actions and are comprised of commands, which are used in playbook tasks and when running commands in the War Room.

In the Scripts page (AutomationScripts), you can view, edit, and create scripts in JavaScript, Python, or PowerShell. When creating a script, you can access all Cortex XSIAM APIs, including access to alerts, investigations, share data to the War Room, etc. Scripts can receive and access arguments, and can be password protected.

You can use the Script Helper when creating a script, which provides a list of available commands and scripts, ordered alphabetically.

Detach and Attach Scripts

When installing a script from a content pack, by default, the script is attached, which means that it is not editable. To edit the script, you need to either make a copy or detach it.


You can enable/disable the script in the Settings, without having to detach or duplicate the script.

While the script is detached, it is not updated by the content pack. This may be useful when you want to update the script without breaking customization. If you want to update the script through content pack updates, you need to reattach it, but any changes are overridden by the content pack on upgrade. If you want to keep the changes, make a copy before reattaching.

Search for Scripts

In the Scripts page, use free text in the search box to find a script. You can search using part or all of the scripts's name or tag. You can also search for an exact match of the script name by putting quotation marks around the search text. For example, searching for "AddEvidence" returns the script with that name. You can search for more than one exact match by including the logical operator "or" in between your search texts in quotation marks. For example, searching for "AddEvidence" or "AddKeyToList" returns the two scripts with those names. Wildcards are not supported in free text search.

Script Settings

In Script settings dialog box, you can define the following information:





An identifying name for the script.

Language type

Select the script language type.


A meaningful description for the script.


Predefined script identifiers that determine where the script is available. For example, to use this script as a phishing script, tag it with the phishing tag.


Whether the script is available for playbook tasks and indicator types.





An identifying name.


A meaningful description for the argument.


Makes the argument mandatory.

Initial value

The initial default value for the argument.


Makes the argument case sensitive.

Is array

Specifies that the argument is an array.

List options

CSV list of argument values.

You can define the outputs according to string, number, date, boolean, etc. For more information, see Context and Outputs. The Important field is for legacy compatibility only.




Password Protect

Enables you to add a password for the script, which will be required when running the script from the CLI.




Timeout (seconds)

Time (in seconds) before the script times out. Default is 180.

Docker image name

For Python automation, the name of the Docker image to use to run the script.

Run on a separate container

Runs the script on a separate container.