D2 Agent Script Commands - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

D2 agent scripting commands, including Windows specific functions. Cortex XSOAR provides example agent scripts.

The following are the D2 agent script commands. Each command is followed by its description, its syntax, and an example where applicable.

Note

Cortex XSOAR server comes with a few example agent scripts. These help you get more acquainted with the functions. You can copy the scripts, change them and check the results.


env

var env = {OS:"",ARCH:""};

Holds environment variables. env.OS and env.ARCH are populated with OS and architecture.

Example: console.log(JSON.stringify(env))

pwd

function string pwd();

Returns the absolute path of the working folder.

which

function string which(path string);

Returns the absolute path for a given path or executable.

Example:
console.log(which('ls'));      // /bin/ls
console.log(which('syslog'));  // /usr/bin/syslog

execute

function ExecResult execute(cmd string);

Executes the given command.

Returns:

{
  Stdout  string // process stdout captured
  Stderr  string // process stderr captured
  PID     int    // PID of the process that was running
  Success bool   // whether the process ended successfully
  Error   string // string describing the error, if one exists
}

Example:
var ret = execute('ls -l');
console.log(ret.Stdout);
console.log(JSON.stringify(ret));
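The ExecResult fields above are only meaningful together: Stdout should be trusted only when Success is true, and Stderr or Error explain a failure. The following is an added example (not code from the Cortex XSOAR documentation) that normalises an ExecResult before a script acts on it. summarizeExec and checkedExecute are hypothetical helper names; the D2 execute() function exists only inside the agent runtime, so when it is absent (for instance when the snippet is run under Node.js) a constructed sample result is used instead.

```javascript
// Added example: handling the ExecResult returned by the D2 execute() command.
// Constructed sample results standing in for what execute() would return.
var SAMPLE_RESULTS = {
  'ls -l': {
    Stdout: 'total 0\n-rw-r--r-- 1 root root 0 Jan  1 00:00 a.txt\n',
    Stderr: '', PID: 4242, Success: true, Error: ''
  },
  'cat /nonexistent': {
    Stdout: '', Stderr: 'cat: /nonexistent: No such file or directory\n',
    PID: 4243, Success: false, Error: 'exit status 1'
  }
};

// Normalise an ExecResult: only trust Stdout when Success is true, and
// surface Error (or Stderr when Error is empty) otherwise.
function summarizeExec(ret) {
  if (!ret.Success) {
    var reason = ret.Error || ret.Stderr.trim() || 'unknown error';
    return { ok: false, pid: ret.PID, lines: [], error: reason };
  }
  var lines = ret.Stdout.split('\n').filter(function (l) { return l.length > 0; });
  return { ok: true, pid: ret.PID, lines: lines, error: '' };
}

// Hypothetical wrapper: uses the D2 execute() when it is available, otherwise
// the constructed sample above, so the snippet runs outside the agent too.
function checkedExecute(cmd) {
  var ret = (typeof execute === 'function') ? execute(cmd) : SAMPLE_RESULTS[cmd];
  if (!ret) { throw new Error('no result available for: ' + cmd); }
  return summarizeExec(ret);
}

var r = checkedExecute('ls -l');
console.log(JSON.stringify(r));
```

In an agent script the returned object can be handed straight to pack(); a failed command then shows up in the investigation with its reason instead of an empty listing.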

pack

function null pack(content object, contentformat string[optional]);

Returns the content as an entry on the investigation. Content can be a JSON object or a plain value. contentformat may be one of the following:

table

text

json

If not provided, the format is determined according to the type of content.

pack_file

function null pack_file(path string, content string[optional]);

Returns the path as a file entry in the investigation. If content is provided, it is attached to the file.

files

function []FileInfo files(folder string, recurse bool[=false], hashes bool[=false], regex string[=""]);

Retrieves a list of files from the folder. If recurse is true, sub-folders are included. If hashes is true, it computes hashes for each file. If regex is provided, it returns only file names matching the regex.

Returns an array of:

{
  Created     int
  CreatedStr  string
  Accessed    int
  AccessedStr string
  Changed     int
  ChangedStr  string
  Path        string
  Type        string
  Size        int
  Mode        string
  MD5         string
  SHA1        string
  SHA256      string
  SHA512      string
  SSDeep      string
}

Example: console.log(JSON.stringify(files('/tmp',true,true)));
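A common triage use of files() with hashes enabled is to compare the collected hashes against a watchlist and return the result to the investigation with pack(). The following is an added example (not code from the Cortex XSOAR documentation): the watchlist and the sample FileInfo entries are constructed for the example (the one watchlist entry is the SHA256 of an empty file), hashReport and reportFolder are hypothetical helper names, and because files() and pack() exist only in the D2 runtime, fallbacks are used when they are absent (for instance under Node.js). Entries without a SHA256 value are skipped, on the assumption that directories and unreadable files come back with an empty hash.

```javascript
// Added example: hash every file under a folder and flag watchlist matches.
// Constructed watchlist: the only entry is the SHA256 of an empty file.
var WATCHLIST = {
  'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855': 'empty-file marker (constructed)'
};

// Constructed sample of what files('/tmp', true, true) might return,
// trimmed to the fields this example uses.
var SAMPLE_FILES = [
  { Path: '/tmp', Type: 'dir', Size: 4096, SHA256: '' },
  { Path: '/tmp/empty.bin', Type: 'file', Size: 0,
    SHA256: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' },
  { Path: '/tmp/notes.txt', Type: 'file', Size: 12,
    SHA256: '0000000000000000000000000000000000000000000000000000000000000001' }
];

// Build table rows from FileInfo entries. Entries with no SHA256 (assumed to
// be directories or unreadable files) are skipped; matches are marked.
function hashReport(entries) {
  return entries
    .filter(function (f) { return typeof f.SHA256 === 'string' && f.SHA256.length > 0; })
    .map(function (f) {
      var hit = WATCHLIST[f.SHA256.toLowerCase()];
      return {
        Path: f.Path,
        Size: f.Size,
        SHA256: f.SHA256,
        Flagged: hit ? 'yes (' + hit + ')' : 'no'
      };
    });
}

// Hypothetical wrapper: collect with files() and return rows to the
// investigation with pack() when running inside D2; otherwise log them.
function reportFolder(folder) {
  var entries = (typeof files === 'function') ? files(folder, true, true) : SAMPLE_FILES;
  var rows = hashReport(entries);
  if (typeof pack === 'function') {
    pack(rows, 'table');
  } else {
    console.log(JSON.stringify(rows));
  }
  return rows;
}

reportFolder('/tmp');
```

Passing the rows to pack() with the explicit 'table' format keeps the Flagged column visible in the investigation view rather than leaving the layout to be guessed from the content type.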

copy

function int copy(src string, dest string, overwrite bool[=false], regex string[=""]);

Copies the source (src) to the destination (dest). If overwrite is false and the destination exists, it throws an exception. If regex is provided, it copies only files matching the regex. This function is not recursive.

Returns the number of items copied.

move

function int move(src string, dest string, overwrite bool[=false], regex string[=""]);

Same as copy, but also deletes the source files.

del

function int del(file string, regex[=""]);

Deletes the file. If the file is a folder, and regex is not empty, it removes only the files matching regex from that folder.

grep

function []GrepMatch grep(path string, regex string, recursive bool[=false]);

Searches the given path for files matching regex. If recursive is true, it will dive into the sub-folders.

Returns an array of:

{
  Path    string  // Path to the matching file
  Offsets [][]int // The matching indexes on the line
}

Example: console.log(JSON.stringify(grep('/tmp/','Scan',true)));

strings

function []string strings(path string, min int[=4], max int[=1024]);

Searches strings contained in the file provided by path. Use min and max to control the sizes of the strings that are captured.

Example: console.log(JSON.stringify(strings('/bin/ls')));

bytes

function string bytes(file string, offset int[=0], size int[=1024]);

Returns a chunk of size bytes from the file, starting at offset.

Example: console.log(JSON.stringify(bytes('ddb',0,15)));
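Reading only the first few bytes of a file is enough to tell what it really is, whatever its extension claims, which is a cheap check during host triage. The following is an added example (not code from the Cortex XSOAR documentation) built on bytes(): fileKind and sniffFile are hypothetical helper names, the signature table holds well-known leading bytes for a handful of formats, and the sample file contents are constructed. It assumes bytes() returns the raw bytes as a string with one character per byte; because bytes() exists only in the D2 runtime, the constructed samples are used when it is absent (for instance under Node.js).

```javascript
// Added example: identify a file's real type from its leading bytes via bytes().
// Well-known leading byte sequences for a few common formats.
var SIGNATURES = [
  { kind: 'pe',     magic: 'MZ' },
  { kind: 'elf',    magic: '\x7fELF' },
  { kind: 'pdf',    magic: '%PDF' },
  { kind: 'zip',    magic: 'PK\x03\x04' },
  { kind: 'gzip',   magic: '\x1f\x8b' },
  { kind: 'script', magic: '#!' }
];

// What each extension is expected to contain; anything else is a mismatch.
var EXPECTED_KIND = { pdf: 'pdf', exe: 'pe', dll: 'pe', sh: 'script', zip: 'zip', gz: 'gzip' };

// Return the kind whose signature the chunk starts with, or 'unknown'.
function fileKind(chunk) {
  for (var i = 0; i < SIGNATURES.length; i++) {
    if (chunk.indexOf(SIGNATURES[i].magic) === 0) { return SIGNATURES[i].kind; }
  }
  return 'unknown';
}

// Constructed sample contents, keyed by path, used instead of bytes() outside D2.
var SAMPLE_CONTENT = {
  '/tmp/report.pdf':  '%PDF-1.4\n%\xe2\xe3\xcf\xd3\n',
  '/tmp/invoice.pdf': 'MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00',
  '/tmp/run.sh':      '#!/bin/sh\necho hi\n',
  '/tmp/blob':        '\x00\x01\x02\x03'
};

// Hypothetical wrapper: read the first 8 bytes of path, classify them, and
// report whether the extension disagrees with the content.
function sniffFile(path) {
  var head = (typeof bytes === 'function')
    ? bytes(path, 0, 8)
    : (SAMPLE_CONTENT[path] || '').slice(0, 8);
  var kind = fileKind(head);
  var base = path.slice(path.lastIndexOf('/') + 1);
  var dot = base.lastIndexOf('.');
  var ext = dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
  var expected = EXPECTED_KIND[ext];
  var mismatch = expected !== undefined && expected !== kind;
  return { path: path, kind: kind, extension: ext, suspicious: mismatch };
}

console.log(JSON.stringify(sniffFile('/tmp/invoice.pdf')));
```

A result such as a '.pdf' whose leading bytes are 'MZ' is exactly the sort of row worth returning to the investigation with pack(); the signature table can be extended with further formats as needed.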

mkdir

function bool mkdir(path string);

Returns 'true' if a folder was created. Throws an exception otherwise.

rmdir

function bool rmdir(path string);

Removes the folder provided by path.

Returns: 'true' if a folder was removed. Throws an exception otherwise.

join_path

function string join_path(part1, part2... string);

Joins the paths provided by part1 to partN.

Returns: Path string.

Example:
console.log(join_path("/tmp","one","two","three.file")); // /tmp/one/two/three.file

http

function HTTPResponse http(url string, arg object);

Performs HTTP GET call to URL with the provided arg as a request body.

Returns object:

{
  StatusCode int           // HTTP response code
  Status     string        // HTTP status as text
  Cookies    []http.Cookie
  Body       string
  Headers    string[][]
}

http.Cookie object:

{
  Name       string
  Value      string
  Path       string    // optional
  Domain     string    // optional
  Expires    time.Time // optional
  RawExpires string    // for reading cookies only
  // MaxAge=0 means no 'Max-Age' attribute specified.
  // MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'
  // MaxAge>0 means Max-Age attribute present and given in seconds
  MaxAge     int
  Secure     bool
  HttpOnly   bool
  Raw        string
  Unparsed   []string  // Raw text of unparsed attribute-value pairs
}

Example: console.log(JSON.stringify(http("http://www.google.com/lala")));

read_file

function string read_file(path string);

Returns the entire content of the path. Throws an exception if it does not exist.

wait

function string wait(seconds int);

Sleeps for the number of defined seconds.

Windows Specific Functions


processes

function ProcessInfo[] processes();

Returns a list of processes.

services

function ServiceInfo[] services();

Returns a list of services.

wmi_query

function Object[] wmi_query(query string);

Executes a WMI query.

Returns an array in JSON representing the results.

registry

function Object[] registry(path string);

Gets all values under the registry key provided by path, as a set of JSON objects. This function is always recursive if a key name is provided.

The key name must start with one of the following:

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

ifconfig

function Object[] ifconfig();

Returns a list of all interface adapters and their configurations.

fsconfig

function Object[] fsconfig();

Returns a list of all file systems.

accounts

function Object[] accounts();

Returns a list of all defined user accounts.