Cortex XSOAR uses Python scripts for the following.
Playbook Task Automation Scripts
Python scripts for automated Cortex XSOAR playbook tasks use functions from Demisto Class and Common Server Python.
Users can also add custom common code to Common Server User Python, and that code is available for all user automations.
Note
XSOAR REST APIs may be used when additional functionality is required.
Content Packs and Integrations
Python scripts used as commands authenticate and retrieve data from external applications with functions from Common Server Python. They use the Demisto Class, with some limitations compared to the Demisto Class used by automations. Content packs may include playbooks, automations, and other Cortex XSOAR elements in addition to integrations.
Remote Applications
Python scripts enable remote applications to access Cortex XSOAR via the Demisto Python client.
Webhook Applications
Python scripts enable external applications to create incidents in Cortex XSOAR via the Generic Webhook integration and HTTP requests.
Additional Automation Scripts
Python scripts enable enhanced playbook display and processing with:
Incident field display scripts - When a field is populated, a script triggers to update the field’s display, such as sorting a list.
Incident field change scripts - When a field’s value changes, a script is triggered to receive the new and old field values and perform operations on them.
Filter scripts - A script for incident classification and mapping when a non-standard filter is required.
Transformer scripts - A script for incident classification and mapping or playbook task automations when a non-standard transformer is required.
Pre-processing scripts - A script that triggers before an incident is created, used with pre-process rules.
Post-processing scripts - A script that triggers when an incident is closed, such as closing a related help desk ticket.
Dynamic section scripts - A script that dynamically creates a section in an incident layout, such as helpful links associated with the incident.
Script-based widgets - A script that implements a widget to display data in dashboards.
The main difference between these scripts and standard playbook task automation scripts is specific argument passing conventions, such as new and old values passed in field change triggered scripts, and tags associating the script to specific processes within Cortex XSOAR. See Special Automation Tags for more information.
The script tags are:
field-display
field-change-triggered
transformer
filter
dynamic-section
post-processing
preProcessing
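The following added example (not taken from the Cortex XSOAR documentation or content packs) shows the logic of a script that would carry the field-change-triggered tag: it receives the old and new values and flags a lowered severity for review. The user argument name, the numeric severity scale, and attaching the script to the severity field are assumptions.

```python
# Added example: logic for a script tagged "field-change-triggered".
# Assumed (not stated on the page): the "user" argument name and this
# numeric severity scale.
SEVERITY_NAMES = {0: "Unknown", 0.5: "Informational", 1: "Low",
                  2: "Medium", 3: "High", 4: "Critical"}


def _to_level(value):
    """Parse a severity argument; None when it is empty or not a number."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def _label(level):
    return SEVERITY_NAMES.get(level, str(level))


def review_severity_change(args):
    """Compare the old and new values and decide if the change needs review."""
    old, new = _to_level(args.get("old")), _to_level(args.get("new"))
    user = args.get("user") or "unknown user"
    if old is None or new is None:
        return {"flag": False, "note": "Severity set or cleared; nothing to compare."}
    if new < old:
        return {"flag": True,
                "note": f"Severity lowered from {_label(old)} to {_label(new)} "
                        f"by {user}; confirm with the incident owner."}
    return {"flag": False,
            "note": f"Severity changed from {_label(old)} to {_label(new)}."}


def main():
    # Inside Cortex XSOAR the platform provides the `demisto` object.
    outcome = review_severity_change(demisto.args())
    demisto.results(outcome["note"])


if "demisto" in globals():
    main()
else:
    # Offline run with constructed sample arguments.
    print(review_severity_change({"old": "4", "new": "1", "user": "analyst1"}))
```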
Scripts as Part of the Incident Lifecycle
The following diagram shows the logical relationships between the different scripts and where they are defined and used in Cortex XSOAR.
When integration command scripts fetch an incident from a source, classification determines the type of incident and field mapping creates Cortex XSOAR incident fields from the raw incident.
A pre-processing script executes prior to incident creation and may take actions on the incident, such as drop or link.
Filter and transformer scripts are used during classification and mapping. Once the incident type is established, it links to the incident layout displayed in the web UI and the playbook assigned to the incident.
Tasks within the playbook execute automation scripts that output data to the War Room tab in the UI and fields in incident context.
The incident layout displays incident fields that can be modified by field change scripts.
Within the incident layout, sections of a display panel can be provided via dynamic section scripts.
When an incident is closed, a post-processing script is triggered if one is defined in the incident type.
Dashboards may use script-based widgets to display data from Cortex XSOAR in addition to widgets from the widget library.