D2 Agent Script Commands - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-28
Last date published
2024-11-12
End_of_Life
EoL
Category
Administrator Guide
Abstract

D2 agent scripting commands, including Windows specific functions. Cortex XSOAR provides example agent scripts.

The following are the D2 agent script commands. Each command is followed by its description, its syntax, and an example where applicable.

Note

Cortex XSOAR server comes with a few example agent scripts. These help you get more acquainted with the functions. You can copy the scripts, change them and check the results.

Command

Syntax

Description

env

var env = {OS:"",ARCH:""};

Holds environment variables. env.OS and env.ARCH are populated with OS and architecture.

Example: console.log(JSON.stringify(env))

pwd

function string pwd();

Returns the absolute path of the working folder.

which

function string which(path string);

Returns the absolute path for a given path or executable.

Example: console.log(which('ls'));/bin/lsconsole.log(which('syslog'));/usr/bin/syslog

execute

function ExecResult execute(cmd string);

Executes the given command.

Returns:

{Stdout string // process stdout captured Stderr string // process stderr captured PID int // PID of process that was running Success bool // whether process ended successfully Error string // string describing the error if exists}

Example: var ret=execute('ls -l');console.log(ret.Stdout);console.log(JSON.stringify(ret)); }

pack

function null pack(content object, contentformat string[optional]);

Returns the content as an entry on the investigation. Content can be a JSON object or when specified as a value.contentformat may be one of the following:

table

text

json

If not provided, the format will be determined according the type of content.

pack_file

function null pack_file(path string, content string[optional]);

Returns the path as a file entry in the investigation. If content is provided, it is attaches to the file.

files

function []FileInfo files(folder string, recurse bool[=false], hashes bool[=false], regex string[=""]);

Retrieves a list of files from the folder. If recurse is true, sub-folders are included. If hashes are true, it computes hashes for each file. If regex is provided, it returns only file names matching the regex.

Returns an array of:

{Created int CreatedStr string Accessed int AccessedStr string Changed int ChangedStr string Path string Type string Size int Mode string MD5 string SHA1 string SHA256 string SHA512 string SSDeep string}

Example: console.log(JSON.stringify(files('/tmp',true,true)));

copy

function int copy(src string, dest string, overwrite bool[=false], regex string[=""]);

Copies the source (src) to the destination (dest). If overwrite is false, it throws an exception, if the destination exists. If regex is provided, it copies only files matching the regex. This function is not recursive.

Returns the number of items copied.

move

function int move(src string, dest string, overwrite bool[=false], regex string[=""]);

Same as copy, but also deletes the source files.

del

function int del(file string, regex[=""]);

Deletes the file. If the file is a folder, and regex is not empty, it removes only the files matching regex from that folder.

grep

function []GrepMatch grep(path string, regex string, recursive bool[=false]);

Searches the given path for files matching regex. If recursive is true, it will dive into the sub folders.

Returns an array of:

{ Path string // Path to file matching Offsets [][]int // The matching indexes on the line}

Example: console.log(JSON.stringify(grep('/tmp/','Scan',true)));

strings

function []string strings(path string, min int[=4], max int[=1024]);

Searches strings contained in the file provided by path. Use min and max to control the sizes of the strings that are captured.

Example: console.log(JSON.stringify(strings('/bin/ls')));

bytes

function string bytes(file string, offset int[=0], size int[=1024];

Returns a size bytes chunk of a file starting at offset.

Example: console.log(JSON.stringify(bytes('ddb',0,15)));

mkdir

function bool mkdir(path string);

Returns 'true' if a folder was created. Throws an exception otherwise.

rmdir

function bool rmdir(path string);

Removes the folder provided by *path.

Returns: 'true' if a folder was removed. Throws an exception otherwise.

join_path

function string join_path(part1, part2... string);

Joins the paths provided by part1 to partN.

Returns: Path string.

Example: console.log(join_path("/tmp","one","two","three.file"));/tmp/one/two/three.file

http

function HTTPResponse http(url string, arg object);

Performs HTTP GET call to URL with the provided arg as a request body.

Returns object:

{StatusCode int // HTTP response code Status string // HTTP status as text Cookies []http.Cookie Body string Headers string[][]}

http.cookie object: Name string Value string Path string // optional Domain string // optional Expires time.Time // optional RawExpires string // for reading cookies only // MaxAge=0 means no 'Max-Age' attribute specified. // MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0' // MaxAge>0 means Max-Age attribute present and given in seconds MaxAge int Secure bool HttpOnly bool Raw string Unparsed []string // Raw text of unparsed attribute-value pairs

Example: console.log(JSON.stringify(http("http://www.google.com/lala")));

read_file

function string read_file(path string);

Returns the entire content of the path. Throws an exception if it does not exist.

wait

function string wait(seconds int);

Sleeps for the number of defined seconds.

Windows Specific Functions

Command

Syntax

Description

processes

function ProcessInfo[] processes();

Returns a list of processes.

services

function ServiceInfo[] services();

Returns a list of services.

wmi_query

function Object[] wmi_query(query string);

Executes a WMI query.

Returns an array in JSON representing the results.

registry

function Object[] registry(path string);

Gets all values under the registry path provided by the path as a set of JSON objects. This function is always recursive if a key name is provided.

The key name must start with one of the following:

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

ifconfig

function Object[] ifconfig();

Returns a list of all interface adapters and their configurations.

fsconfig

function Object[] fsconfig();

Returns a list of all file systems.

accounts

function Object[] accounts();

Returns a list of all defined user accounts.