Run a Batch file Using Agent Tools - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.5
Creation date
2022-09-28
Last date published
2024-11-12
End_of_Life
EoL
Category
Administrator Guide
Abstract

Open ports between Cortex XSOAR server and the Windows server, and run a batch file using agent tools, for shared agents and D2 agents.

Run a simple batch file that returns results of a dir command. You can use this Automation either in a Playbook or in the Cortex XSOAR CLI (manual investigation in an incident War Room).

Relevant for both shared agents and D2 agents.

Before you begin:

  • Open ports between the Cortex XSOAR server and the Windows server:

    Port 445 from Cortex XSOAR server to Windows server.

    Port 443 from Cortex XSOAR server to Windows server and vice versa.

  • Set the user credentials for the Windows server.

  1. Create a batch file.

    The file must be in ZIP or Tar format.

    In this example, we created a batch file, called TestBatch, containing the following.

    cd c:\
    						dir
  2. Upload the batch file to run.

    1. Select SettingsINTEGRATIONSAgent Tools+ Add Tool

    2. Drag-and-Drop or browse to the Zip or Tar file created in step 1.

  3. Add a system to the incident in the CLI or Automation.

    Use the following automation called "D2Execute.yml" to install the D2 Agent from within a playbook and run the automation (D2Run) that is running the utility/batch.

    commonfields:
    						id: ef9edd54-0580-4945-8f06-f43dfb69fb20
    						version: 20
    						name: D2Execute
    						script: |-
    						demisto.results(demisto.executeCommand("addSystem", {"name":demisto.args()["name"], "host":demisto.args()["host"],
    						"username":demisto.args()["username"], "password":demisto.args()["password"], "os":demisto.args()["os"]}))
    						demisto.results("Installing Agent...")
    						demisto.results(demisto.executeCommand("d2_install", {"system":demisto.args()["name"]}))
    						demisto.results("Running script...")
    						demisto.results(demisto.executeCommand(demisto.args()["scriptName"], {"id":demisto.args()["name"], "using":demisto.args()["name"]}))
    						type: python
    						tags: []
    						enabled: true
    						args:
    						- name: name
    						required: true
    						default: true
    						description: System name
    						- name: host
    						required: true
    						description: Computer name
    						- name: os
    						required: true
    						auto: PREDEFINED
    						predefined:
    						- linux
    						- osx
    						- windows
    						description: OS
    						- name: username
    						required: true
    						description: username
    						- name: password
    						required: true
    						secret: true
    						description: password
    						- name: scriptName
    						required: true
    						description: Script Name
    						scripttarget: 0
    					
  4. Execute the utility running the CLI or Automation.

    For example, use the following D2Run.yml automation:

    commonfields:
      id: 9a18460a-e72f-488a-8112-044c9a7be76a
      version: 13
    name: D2Run
    script: |-
      //+TestBatch/TestBatch.bat
    
      var batch_file = 'TestBatch.bat';
    
      if (env.OS !== 'windows') {
          throw ('script can only run on Windows');
        }
    
      var d2path = pwd();
      var batch_path = d2path + '\\' + batch_file;
      batch_path = batch_path.replace(/\\/g, "\\\\\\\\");
      pack(execute('cmd /c ' + batch_path, 60));
    type: javascript
    tags: []
    enabled: true
    scripttarget: 1
    					

    Note the following:

    //+TestBatch/TestBatch.bat: this is the name of the zip/batch file that you upload in Agent Tools.

    var batch_file = 'TestBatch.bat';: name of the batch file to run.