Create a script - Create or edit an out-of-the-box script, including detach and attach and automation settings. - Administrator Guide - Cortex XSIAM - Cortex

Create a script - Create or edit an out-of-the-box script, including detach and attach and automation settings. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-11-13

Basic script settings

Define the relevant Basic script parameters.

Parameter	Description
Name	An identifying name for the script.
Language type	Select the script language type.
Description	A meaningful description of the script.
Tags	Predefined script identifiers. For example, if a script is intended for phishing, tagging it with the phishing tag helps organize, classify, and manage the script among other scripts. Organizations can also implement policies or restrictions based on tags associated with scripts. For example, they may restrict certain users from accessing or executing a script tagged for phishing.
Enabled	Whether the script is available for playbook tasks and indicator types, or to run in the CLI.

Tags

Script tags enable you to use the script in a specific area in Cortex XSIAM. For example, a script can be tagged to use in post-processing, indicator formatting, field display, and indicator enhancement. The following table includes the commonly used tags:

Tag Value	Description
Condition	Conditional script in a playbook task Note All custom scripts are available for conditional tasks, including scripts without the condition tag. System scripts are only available for use in conditional tasks if they have the condition tag.
dynamic-indicator-section	General purpose dynamic section script for indicator layout
dynamic-section	General purpose dynamic section script for incident layout
enhancement	Indicator enhancement script
field-change-triggered	Script to run on incident field change
field-display	Field display script
filter	Script used as a filter or conditional operator in a playbook task
incident-action-button	Incident layout action button script
indicator-action-button	Indicator layout action button script
indicator-format	Indicator formatting script
post-processing	Incident post-processing script
preProcessing	Pre-process rule script
reputation	Indicator reputation script
sla	SLA breach script
transformer	Script used as a transformer in a playbook task
widget	Script that can be used to generate a dashboard/report widget

Arguments

You can create, edit, or delete arguments as required.

Parameter	Description
Argument	An identifying name.
Mandatory	Makes the argument mandatory.
Default	Makes the argument the default.
Sensitive	Hides the argument from being displayed in the UI and in logs.
Description	A meaningful description of the argument.
Default	The default value for the argument.
Is array	Specifies that the argument is an array.
Type	Select Unknown (default), Key-Value, or Text Area.
List options	A comma-separated list of argument values.

You can create, edit, or delete outputs as required. Define the outputs according to types such as string, number, date, and boolean. For more information, see Context and Outputs.

Script permissions

Parameter	Description
Password Protect	Enables you to add a password for the script, which will be required when running the script from the CLI.

Advanced

Parameter	Description
Timeout (seconds)	Time (in seconds) before the script times out. The default is 180.
Docker image name	For Python scripts, this is the name of the Docker image to use for the script. Cortex XSIAM supports the following Python versions: 2.7 3.0 and later
Run on a separate container	Runs the script on a separate container.

Parameter

Description

Timeout (seconds)

Time (in seconds) before the script times out. The default is 180.

Docker image name

For Python scripts, this is the name of the Docker image to use for the script.

Cortex XSIAM supports the following Python versions:

2.7
3.0 and later

Run on a separate container

Runs the script on a separate container.

Depends on commands

You can set the commands that the script depends on directly from these settings. You still have the option to set the dependencies in the script YAML file.

Edit existing code or create new code

Modify parameters, logic, or integrations within a script to adapt it to specific use cases, optimize performance, and address evolving security needs without starting from scratch.