Enhancement scripts - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-15
Category
Administrator Guide
Abstract

Enhancement scripts are run manually and can enrich indicators, write to context, and return entries to the War Room.

Enhancement scripts enable you to gather additional data about the highlighted entry in the War Room. They can enrich indicators, search a SIEM for a specific indicator, write indicator details to context, and return entries to the War Room.

Enhancement scripts are run manually from the Indicator Quick View window or the CLI after indicators are extracted to allow you to collect additional information about an indicator. If you have an incident that contains an IP indicator and you want to run one or more enhancement scripts, go to Indicator Quick ViewActions and under Run Scripts, select the desired script.

Note

Enhancement scripts are different from reputation commands. A reputation command runs every integration that has that command within it, to enrich the indicator. The reputation command ip , for example, runs every IP integration command in your enabled integrations, to collect data from multiple sources. An enhancement script is manually run after the initial extraction and enrichment for the indicator type is complete.

The enhancement script requires the indicator value as the input argument.

Argument

Description

The value of the indicator

For example ip, email, url.The argument name should match the indicator type in lower case. For example, the IPReputation script requires the ip input. For an EmailReputation script the input is email.

In the following example, the DomainReputation script uses domain as the input.

domain-rep-8-input.png

The enhancement script output depends on its input because the script is run manually. If you want the output to be added to indicator enrichment or the Threat Intelligence screen, it should follow the DBotScore convention in the content output as described in https://xsoar.pan.dev/docs/integrations/dbot.

output =
   {
       'Type': entryTypes['note'],
       'ContentsFormat': formats['json'],
       'Contents': ‘this is the enrichment data’,
       'EntryContext': {
           'Email': ‘xsoar@test.com’, 
           ‘DBotScore’: {}},
   }

return_results(output)
  1. Go to SettingsConfigurationsObject SetupIndicatorsTypes

  2. Select the indicator type and click Edit.

  3. Select one or more desired enhancement scripts.

    Note

    Enhancement scripts must have the enhancement tag applied to appear in the list.

You can run out-of-the-box or custom enhancement scripts in the CLI to enrich specific indicator values.

The following are examples of the syntax for running the out-of-the-box IPReputation and URLReputation enhancement scripts in the CLI.

  • !IPReputation ip=8.8.8.8

  • !URLReputation url=cardcom.com