Use existing scripts - Edit scripts to use in playbooks and run in the War Room. - Administrator Guide - Cortex XSIAM - Cortex

Use existing scripts - Edit scripts to use in playbooks and run in the War Room. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-12-29

Category

Administrator Guide

Abstract

Edit scripts to use in playbooks and run in the War Room.

Consider editing an existing script to leverage its functionality and save time and effort.

For example, scripts from the Base and Common Scripts content packs provide basic and reusable functions that can streamline your playbook development.

Cortex XSIAM comes out-of-the-box with several common scripts that can be used in playbooks and commands (from the War Room), the majority of which are contained in the Base and Common Scripts content packs.

The Base content pack is a core pack that helps you get started and includes scripts that can be used in other JavaScript, Python, and PowerShell scripts. The Common Scripts content pack includes scripts that are commonly used, such as EmailReputation, RunDockerCommand, and ConvertXMLToJson.

Common Scripts contain code (such as functions and variables) that can be used across scripts and can be embedded when writing your scripts and integrations. Common Scripts are reusable modules or functions that provide additional functionality and capabilities to interact with APIs. Instead of duplicating code across multiple scripts or integrations, developers can create common scripts containing commonly used API interactions, such as authentication, data retrieval, or data manipulation. For example, in the CommonServer script, the tableToMarkdown function takes a JSON and transforms it into markdown. You can call this function from integrations and scripts that you author.

On the Scripts page, you can view/edit common scripts such as:

CommonServer
The CommonServer script contains JavaScript functions and variables that can be used when writing your scripts and integrations.
The script contains nearly 200 functions/variables, such as tabletoMarkdown, closeInvestigation, and SetSeverity.
You can copy the script and add new functions/variables or add your functions to the CommonUserServer script. You can also use your scripts to override the existing scripts in the CommonServer script.
CommonServerPython
The CommonServerPython script contains Python functions that can be used when writing your scripts and integrations.
The script contains over 400 functions, such as appendContext, vtCountPositives (which counts the number of detected URLs in the War Room entry), and datetime_to_string, (which converts a DateTime object into a string).
You can copy the script and add new functions/variables or add your functions to the CommonServerUserPython script. You can also use your scripts to override the existing scripts in the CommonServerPython script.
CommonServerPowerShell
The CommonServerPowerShell script contains PowerShell arguments/functions that can be used when writing your scripts and integrations.
The script contains many arguments/functions, such as SetIntegrationContext, Write-HostToLog (which writes to the demisto.log), and ReturnOutputs (which returns results to the user more intuitively).
You can copy the script and add new arguments/functions or add your own to the CommonServerUserPowerShell script. You can also use your scripts to override the existing scripts in the CommonServerPowerShell script.

Navigate to Incident Response → Automation → Scripts and in the Scripts Library search for the script you want to use.
- Use free text in the search box to find an existing script. From the search drop down, you can:
  - Perform a basic search by Basic (name and tag), Name, or Tag.
  - Perform an advanced search for specific words In Script or Everywhere (including the script name and tags).
- You can search for an exact match of the script name by putting quotation marks around the search text. For example, searching for "AddKeyToList" returns the script with that name. You can search for more than one exact match by including the logical operator "or" in-between your search texts in quotation marks. For example, searching for "AnalyzeTimestampIntervals" or "AddKeyToList" returns the two scripts with those names. Wildcards are not supported in free text search.
- You can sort the scripts in the library alphabetically, by modified date, by system or custom, and you can filter for disabled or deprecated scripts.
- The Script Helper also provides a list of available alphabetically ordered commands and scripts.
Click Edit. If the script you want to use is locked, click and select either Duplicate Script or Detach Script.
If a script is installed from a content pack, by default, the script is attached or locked, which means that it is not editable. To edit the script, you need to either make a copy or detach it. While the script is detached, it is not updated by the content pack. This may be useful when you want to update the script without breaking customization. If you want to update the script through content pack updates, you need to reattach it, but any changes are overridden by the content pack on upgrade. If you want to keep the changes, make a copy before reattaching.
Edit the script code and settings as needed. For more information on script settings, see Create a script.