Create a script - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-01-16
Category
Administrator Guide
Abstract

Create or edit an out-of-the-box script, including detach and attach and automation settings.

Developing scripts in Cortex XSIAM helps to automate repetitive tasks, streamline security operations, and make incident response more efficient. Customizing scripts can improve threat detection, mitigation, and remediation processes specific to your organization's needs.

Rather than creating a script from scratch, you can edit an existing one. A script installed from a content pack is attached by default, which means it cannot be edited. To edit it, either make a copy or detach it. While a script is detached, content pack updates do not touch it, which is useful when you want to change the script without having your customizations overwritten. To receive content pack updates again, reattach the script; on the next upgrade the content pack overrides any changes you made. If you want to keep your changes, make a copy before reattaching.

Note

  • You can enable/disable a script in the Settings, without having to detach or duplicate the script.

  • You can view recently modified or deleted scripts by clicking the version history for all scripts icon.

  1. Select Incident Response > Automation > Scripts > New Script.

  2. Add an identifying name for the script.

  3. Save the script.

Define the relevant Basic script parameters.

Parameter

Description

Name

An identifying name for the script.

Language type

Select the script language type.

Description

A meaningful description of the script.

Tags

Predefined script identifiers.

For example, if a script is intended for phishing, tagging it with the phishing tag helps organize, classify, and manage the script among other scripts.

Organizations can also implement policies or restrictions based on tags associated with scripts. For example, they may restrict certain users from accessing or executing a script tagged for phishing.

Enabled

Whether the script is available for playbook tasks and indicator types, or to run in the CLI.

Special script tags

Special script tags enable you to use the script in a specific area of Cortex XSIAM. For example, a script can be tagged for use in post-processing, indicator formatting, field display, and indicator enhancement. The following table includes the commonly used tags:

Tag Value

Description

condition

Conditional script in a playbook task

Note

All custom scripts are available for conditional tasks, including scripts without the condition tag. System scripts are only available for use in conditional tasks if they have the condition tag.

dynamic-indicator-section

General purpose dynamic section script for indicator layout

dynamic-section

General purpose dynamic section script for incident layout

enhancement

Indicator enhancement script

field-change-triggered

Script to run on incident field change

field-display

Field display script

filter

Script used as filter or conditional operator in a playbook task

general-dynamic-section

General purpose dynamic section script for object layouts (excluding incident and indicator layouts)

incident-action-button

Incident layout action button script

indicator-action-button

Indicator layout action button script

indicator-format

Indicator formatting script

post-processing

Incident post-processing script

preProcessing

Pre-process rule script

reputation

Indicator reputation script

sla

SLA breach script

transformer

Script used as transformer in a playbook task

widget

Script that can be used to generate a dashboard/report widget
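The following is an added example, not code from the Cortex XSIAM documentation or from any content pack. It shows what a script written to carry the transformer tag looks like: a transformer receives the value to transform in the value argument and returns the transformed value as its script result, which the playbook task then uses in place of the original. The script name RefangIndicator, the refang rules, and the sample strings in its comments are assumptions chosen for this example; demisto.args() and demisto.results() are the standard runtime calls a Cortex script uses.

```python
import re

# Refang rules, applied in order. The "[:]" rule runs first so that an
# obfuscated scheme such as hxxp[:]// is whole before the scheme rule sees it.
_REFANG_RULES = (
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"hxxps?://", re.IGNORECASE),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
    (re.compile(r"\[\s*(?:\.|dot)\s*\]", re.IGNORECASE), "."),
    (re.compile(r"\(\s*\.\s*\)"), "."),
    (re.compile(r"\[\s*(?:@|at)\s*\]", re.IGNORECASE), "@"),
)


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp://evil[.]example[.]com) back into its
    real form (http://evil.example.com). Already-clean input passes through."""
    out = value.strip()
    for pattern, replacement in _REFANG_RULES:
        out = pattern.sub(replacement, out)
    return out


def transform(value):
    """Transformer body: accepts the single value the task hands over, or a
    list of values, and returns the same shape back so either works."""
    if value is None:
        return None
    if isinstance(value, list):
        return [refang(str(item)) for item in value]
    return refang(str(value))


# Platform entry point. 'demisto' is provided by the Cortex runtime, not by this
# file; the guard keeps the module importable for unit tests. The transformer
# reads its input from the 'value' argument and hands the result back with
# demisto.results(), which is what the playbook task consumes.
if __name__ in ("__main__", "__builtin__", "builtins"):
    import demistomock as demisto  # noqa: F401  (content-repo convention)
    demisto.results(transform(demisto.args().get("value")))
```

Keeping the rules and the transform() function free of any platform call is what makes the script testable outside Cortex; only the guarded block at the bottom touches the runtime.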

You can create, edit, or delete arguments as required.

Parameter

Description

Argument

An identifying name.

Mandatory

Makes the argument mandatory.

Default

Makes this the default argument: a value passed from the CLI without an argument name is assigned to it.

Sensitive

Marks the argument as sensitive (for example, a password or API key), so that its value is masked rather than displayed in clear text.

Description

A meaningful description of the argument.

Default

The default value for the argument.

Is array

Specifies that the argument is an array.

Type

Select Unknown (default), Key-Value, or Text Area.

List options

A comma-separated list of argument values.

You can create, edit, or delete outputs as required. Define the outputs according to types such as string, number, date, and boolean. For more information, see Context and Outputs.
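The following is an added example, not code from the Cortex XSIAM documentation or from any content pack. It shows how the argument settings above (Mandatory, Default value, Is array, List options) and the typed outputs map to a script's code. The script name IPScope, its three arguments (ips: mandatory and Is array; scope: list options private, public, all with default value all; max_ips: default value 50) and its output fields are assumptions chosen for this example. arg_to_list() is a local stand-in for CommonServerPython's argToList() so the script runs offline; demisto.args(), CommandResults, return_results and return_error are the standard runtime names.

```python
import ipaddress
from typing import Any

# The "List options" configured for the assumed "scope" argument.
SCOPES = ("private", "public", "all")


def arg_to_list(value: Any) -> list:
    """Local stand-in for CommonServerPython's argToList(): an argument flagged
    'Is array' can arrive as a real list or as a comma-separated string."""
    if value is None or value == "":
        return []
    if isinstance(value, list):
        return value
    return [item.strip() for item in str(value).split(",") if item.strip()]


def run(args: dict) -> dict:
    """Validate the arguments the way the argument settings promise, classify
    each address as private or public, and return what goes into context."""
    ips = arg_to_list(args.get("ips"))
    if not ips:
        # "Mandatory" is enforced by the platform UI, but a script is also
        # callable from playbooks and the CLI, so re-check it here.
        raise ValueError("argument 'ips' is mandatory")

    # Every argument value arrives as a string; the fallback here is the same
    # value that would be entered as the argument's Default on the page.
    scope = str(args.get("scope") or "all").lower()
    if scope not in SCOPES:
        raise ValueError(f"argument 'scope' must be one of: {', '.join(SCOPES)}")
    max_ips = int(args.get("max_ips") or 50)
    if max_ips < 1:
        raise ValueError("argument 'max_ips' must be a positive integer")
    if len(ips) > max_ips:
        raise ValueError(f"too many addresses: {len(ips)} > {max_ips}")

    outputs = []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # Report bad input instead of dropping it, so a playbook can branch on Valid.
            outputs.append({"Address": raw, "Valid": False, "Scope": None, "Version": None})
            continue
        kind = "private" if addr.is_private else "public"
        if scope != "all" and kind != scope:
            continue
        outputs.append({"Address": str(addr), "Valid": True, "Scope": kind,
                        "Version": addr.version})

    # Output types as they would be declared on the Outputs tab:
    #   IPScope.Address string, IPScope.Valid boolean,
    #   IPScope.Scope string, IPScope.Version number
    lines = ["| Address | Valid | Scope |", "|---|---|---|"]
    lines += [f"| {o['Address']} | {o['Valid']} | {o['Scope'] or ''} |" for o in outputs]
    return {"outputs": outputs, "readable": "\n".join(lines)}


# Platform entry point. 'demisto', CommandResults, return_results and
# return_error come from the Cortex runtime (CommonServerPython), not from
# this file; the guard keeps the module importable for unit tests.
if __name__ in ("__main__", "__builtin__", "builtins"):
    import demistomock as demisto  # noqa: F401  (content-repo convention)
    from CommonServerPython import *  # noqa: F401,F403

    try:
        result = run(demisto.args())
        return_results(CommandResults(
            outputs_prefix="IPScope",
            outputs_key_field="Address",
            outputs=result["outputs"],
            readable_output=result["readable"],
        ))
    except Exception as exc:  # becomes an error entry and fails the calling task
        return_error(f"IPScope failed: {exc}")
```

Two points worth noting: the script re-validates Mandatory and List options itself rather than trusting the UI, because the same script can be invoked from a playbook or the CLI with whatever the caller supplies; and outputs_key_field="Address" is what lets repeated runs merge into context on that key (IPScope(val.Address == obj.Address)) instead of appending duplicates.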

Parameter

Description

Password Protect

Enables you to add a password for the script, which will be required when running the script from the CLI.

Parameter

Description

Timeout (seconds)

Time (in seconds) before the script times out. Default is 180.

Docker image name

For Python scripts, this is the name of the Docker image to use for the script.

Cortex XSIAM supports the following Python versions:

  • 2.7

  • 3.0 and later

Run on a separate container

Runs the script on a separate container.

You can set the commands that the script depends on directly from these settings. You still have the option to set the dependencies in the script YAML file.

Modify parameters, logic, or integrations within a script to adapt it to specific use cases, optimize performance, and address evolving security needs without starting from scratch.

The Script Helper provides an alphabetically ordered list of the available commands and scripts.