Common predefined functions located in the script helper in the Cortex XSIAM UI.
Check the script helper for common predefined functions to facilitate script development. The following are some examples.
Returns a file to the War Room by using the following syntax:
filename = "sample.txt", file_content = "hello sample" return_results(fileResult(filename, file_content))
You can specify the file type, but it defaults to "None" when not provided.
Used when the API response to an indicator is not found and returns a verdict with an unknown score (0).
A generic response is returned to the War Room and to the context path by using the following syntax:
indicator = "www.google.com", indicator_type = DBotScoreType.URL reliability = DBotScoreReliability.C return_results(create_indicator_result_with_dbotscore_unknown(indicator, indicator_type, reliability))
The War Room result shows:
The Context Path shows:
If the integration has a reliability it should be noted, but it defaults to None
when not provided.
Note
If the indicator type is
CustomIndicator
, you need to provide thecontext_prefix
argument.If the indicator type is
Cryptocurrency
, you need to provide theaddress_type
argument.
Transforms your JSON, dict, or other table into a Markdown table.
name = 'Sample Table' t = {'first':'Foo', 'second': 'bar', 'third': 'baz', 'fourth': ''} headers = ['Input', 'Output'] tableToMarkdown(name, t, headers=headers, removeNull=True)
This sample code snippet creates this table:
Input | Output |
---|---|
first | Foo |
second | bar |
third | baz |
fourth |
In the War Room, tables appear as follows:
Add table headers
Use headerTransform
to convert existing keys into formatted headers.
t = {'header_1': 'a1', 'header_2': 'b1', 'header_3': 'c1'} tableToMarkdown('headerTransform Example', t, headerTransform=underscoreToCamelCase) |Header1|Header2|Header3| |---|---|---| | a1 | b1 | c1 | # You may also use ```removeNull``` to remove empty columns in the table. Default is False. ```python headers = ['header_1', 'header_2'] data = { 'header_1': 'foo', } tableToMarkdown('removeNull Example', data, removeNull=True, headers=headers) |header_1| |---| | foo | You may also use ```metadata``` to add text above the table as a secondary title. # Use the ```url_keys``` argument to specify a list of keys whose value in the MD table should be a clickable url. This list may contain keys of inner dicts\list of dicts in the data given to the tableToMarkdown function.
For example, for the following data with some of the keys nested:
d = { "id": "23", "url1": " https://url1.com", "result": { "files": [ { "filename": "Screen.jpg", "url2": "https://url2.com" } ] }, "links": { "url3": "https://url2.com" } }
and using ``url_keys=('url1', 'url2', 'url3')```
```python tableToMarkdown('Data Table', d, headers=('id', 'url1', 'result', 'links'), headerTransform=string_to_table_header, url_keys=('url1', 'url2', 'url3'))
The resulting table is:
Format date fields
Use the date_fields
argument (list) of date fields to format date values to human-readable output.
data = [ { "docker_image": "demisto/python3", "create_time": '1631521313466' } ] tableToMarkdown('tableToMarkdown date_fields example', data, headers=["docker_image", "create_time"], date_fields=['create_time']) |---|---| | demisto/python3 | 2021-09-13 08:21:53 | # Use the ```json_transform_mapping``` argument (Dict[str, JsonTransformer]), to map between a header key to the corresponding JsonTransformer. ```python data_with_list = { "Machine Action Id": "5b38733b-ed80-47be-b892-f2ffb52593fd", "MachineId": "f70f9fe6b29cd9511652434919c6530618f06606", "Hostname": "desktop-s2455r9", "Status": "Succeeded", "Creation time": "2022-02-17T08:20:02.6180466Z", "Commands": [ { "startTime": null, "endTime": "2022-02-17T08:22:33.823Z", "commandStatus": "Completed", "errors": ["error1", "error2", "error3"], "command": { "type": "GetFile", "params": [ { "key": "Path", "value": "test.txt" } ] } }, { "startTime": null, "endTime": "2022-02-17T08:22:33.823Z", "commandStatus": "Completed", "errors": [], "command": { "type": "GetFile", "params": [ { "key": "Path", "value": "test222.txt" } ] } } ] } table = tableToMarkdown("tableToMarkdown test", data_with_list, json_transform_mapping={'Commands': JsonTransformer(keys=('commandStatus', 'command'))})
For example, this code snippet generates the following table:
Transform JSON data to a table
Use the is_auto_json_transform
argument (bool), to auto-transform a complex JSON.
nested_data_example = { "name": "Active Directory Query", "changelog": { "1.0.4": { "path": "", "releaseNotes": "\n#### Integrations\n##### Active Directory Query v2\nFixed an issue where the ***ad-get-user*** command caused performance issues because the *limit* argument was not defined.\n", "displayName": "1.0.4 - R124496", "released": "2020-09-23T17:43:26Z" } }, "nested": { "item1": { "a": 1, "b": 2, "c": 3, "d": 4 } } } table = tableToMarkdown("tableToMarkdown test", nested_data_example, headers=['name', 'changelog', 'nested'], is_auto_json_transform=True)
For example, this code snippet generates the following table:
demisto.command()
ties a function to a command in Cortex XSIAM, for example:
if demisto.command() == 'ip': ip_search_command()
demisto.params()
returns a dictionary of parameters for a given integration to grab global variables in an integration, for example:
APIKEY = demisto.params().get('apikey') ACCOUNT_ID = demisto.params().get('account') MODE = demisto.params().get('mode') INSECURE = demisto.params().get('insecure')
demisto.args()
returns a dictionary of arguments for a given command to get non-global variables, for example:
url = demisto.args().get('url')
This argument can be seen in the integration settings as shown below:
After the command is executed, the arguments are displayed in the War Room as part of the command, for example:
IndicatorTimeline
is an optional object, applicable only for commands that operate on indicators. It is a dictionary (or list of dictionaries) in the following format:
{
'Value': '127.0.0.1',
'Message': 'System marked the indicator 127.0.0.1 as Benign',
'Category': 'Benign'
}
When IndicatorTimeline
data is returned in an entry, the timeline section of the indicator whose value was noted in the timeline data will be updated and is viewable in the indicator's view page in Cortex XSIAM.
What value should be used for the 'Category' field of a timeline data object?
Any Cortex XSIAM integration command or script that returns timeline data may include the Category
value. If not given, when returning timeline data from a Cortex XSIAM integration or script, the value will be Integration Update
or Automation Update
accordingly.
When should a timeline object be included in an entry returned to the War Room?
A timeline object should be included when a command operates on an indicator. For example, if the command returns a DBotScore or entities as described in context standards documentation to the entry context. A common case is reputation commands, such as !ip
, !url
, and !file
. When implementing these commands in integrations, timeline data should be included in the returned entry.
Argument | Type | Description |
---|---|---|
indicators | list | Expects a list of indicators, if a dictionary is passed it will be put into a list. |
category | string | Indicator category. |
message | string | Indicator message. |
For example:
results = [ CommandResults( outputs_prefix='VirusTotal.IP', outputs_key_field='Address', outputs={ 'Address': '8.8.8.8', 'ASN': 12345 } ), CommandResults( outputs_prefix='VirusTotal.IP', outputs_key_field='Address', outputs={ 'Address': '1.1.1.1', 'ASN': 67890 } )] return_results(results)
timeline = IndicatorsTimeline( indicators=[args.get('ips')], message='Important to note' ) timeline = IndicatorsTimeline( indicators=[args.get('ips')], category='Some category', message='IP was blocked in Checkpoint' )
This object returns outputs. It represents an entry in the War Room. A string representation of an object must be parsed into an object before being passed into the field.
Argument | Type | Description |
---|---|---|
outputs_prefix | String | Should be identical to the prefix in the YAML contextPath in YAML file. For example: CortexXDR.Incident. |
outputs_key_field | String | Primary key field in the main object. If the command returns incidents, and one of the properties of the incident is incident_id, then outputs_key_field='incident_id' |
outputs | List / dictionary | (Optional) The data to be returned and will be set to context. If not set, no data will be added to the context. |
readable_output | String | (Optional) Markdown string that will be presented in the War Room, should be human readable - (HumanReadable) - if not set, readable output will be generated via tableToMarkdown function. |
raw_response | Object | (Optional) Must be dictionary, if not provided then will be equal to outputs. Usually must be the original raw response from the third-party service (originally Contents). |
indicators | List | DEPRECATED: use 'indicator' instead. |
indicator | Common.Indicator | Single indicator such as Common.IP, Common.URL, Common.File, etc. |
indicators_timeline | IndicatorsTimeline | Used by the server to populate an indicator's timeline. |
ignore_auto_extract | Boolean | If set to |
mark_as_note | Boolean | If set to |
relationships | List | A list of |
scheduled_command | ScheduledCommand | Manages the way the command result should be polled. |
Example
results = CommandResults( outputs_prefix='VirusTotal.IP', outputs_key_field='Address', outputs={ 'Address': '8.8.8.8', 'ASN': 12345 }, indicators_timeline = timeline ) return_results(results)
For more information on how to return results, see Context and outputs.
return_results()
calls demisto.results()
. It accept either a list or single item of the CommandResults
object or any object that demisto.results
can accept. Use return_results
to return the CommandResults
object or a basic string.
For example:
results = CommandResults( outputs_prefix='VirusTotal.IP', outputs_key_field='Address', outputs={ 'Address': '8.8.8.8', 'ASN': 12345 } ) return_results(results)
results = CommandResults( outputs_prefix='VirusTotal.IP', outputs_key_field='Address', outputs={ 'Address': '8.8.8.8', 'ASN': 12345 }, indicators_timeline = timeline ) return_results(results)
return_results('Hello World')
Returns an error entry to the War Room and calls sys.exit()
, meaning the script will stop.
return_error(message="error has occurred: API Key is incorrect", error=ex)
It produces an error in the War Room, for example:
CommandRunner
is a class for executing multiple commands, which returns all valid results together with a human readable summary table of successful commands and commands that return errors.
To use this functionality, create a list of commands using the CommandRunner.Command
, and then call CommandRunner.run_commands_with_summary(commands)
.
The following are CommandRunner.Command
arguments.
Argument | Type | Description |
---|---|---|
| String or List | The command to run. Can be a single command or list of commands. |
| Dictionary or List | The command arguments. If provided in a list and the |
| String | (Optional) The instance the command should run. |
| String | (Optional) The brand the command should run. |
For example, the following code snippet returns all the results of all commands, including a human readable summary table.
commands = [CommandRunner.Command('command1', {'arg': 'val'}, CommandRunner.Command('command2', [{'arg1': 'val2'}, {'arg2': 'val2'}])), CommandRunner.Command(['command3', 'command4'], [{'arg1': 'val2'}, {'arg2': 'val2'}]), CommandRunner.Command('command5', {}, instance='some_instance', brand='some_brand')] return_results(CommandRunner.run_commands_with_summary(commands))
As part of CommandResults()
there is an argument called ignore_auto_extract
, which prevents the built-in indicator extraction feature from enriching IPs, URLs, files, and other indicators from the result.
By default, ignore_auto_extract
is set to False
.
For example:
results = CommandResults( outputs_prefix='VirusTotal.IP', outputs_key_field='Address', outputs={ 'Address': '8.8.8.8', 'ASN': 12345 }, indicators_timeline = timeline, ignore_auto_extract = True ) return_results(results)