Where Cortex XSOAR Uses Python Scripts

Cortex XSOAR Python Development Quick Start Guide

Product: Cortex XSOAR
Version: 6.x
Creation date: 2023-03-22
Last date published: 2023-08-31
Category: Python Development Quick Start Guide

Cortex XSOAR uses Python scripts for the following.

  • Playbook Task Automation Scripts

    Python scripts for automated Cortex XSOAR playbook tasks use functions from Demisto Class and Common Server Python.

    Users can also add custom common code to Common Server User Python, and that code is available for all user automations.

    Note: XSOAR REST APIs may be used when additional functionality is required.

  • Content Packs and Integrations

    Python scripts used as integration commands authenticate to external applications and retrieve data from them with functions from Common Server Python. They also use the Demisto Class, with some limitations compared to the Demisto Class used by automations. Content packs may include playbooks, automations, and other Cortex XSOAR elements in addition to integrations.

  • Remote Applications

    Python scripts enable remote applications to access Cortex XSOAR via the Demisto Python client.

  • Webhook Applications

    Python scripts enable external applications to create incidents in Cortex XSOAR via the Generic Webhook integration and HTTP requests.

  • Additional Automation Scripts

    Python scripts enable enhanced playbook display and processing with:

    • Incident field display scripts - When a field is populated, a script is triggered to update the field’s display, such as sorting a list.

    • Incident field change scripts - When a field’s value changes, a script is triggered to receive the new and old field values and perform operations on them.

    • Filter scripts - A script for incident classification and mapping when a non-standard filter is required.

    • Transformer scripts - A script for incident classification and mapping or playbook task automations when a non-standard transformer is required.

    • Pre-processing scripts - A script that triggers before an incident is created, used with pre-process rules.

    • Post-processing scripts - A script that triggers when an incident is closed, such as closing a related help desk ticket.

    • Dynamic section scripts - A script that dynamically creates a section in an incident layout, such as helpful links associated with the incident.

    • Script-based widgets - A script that implements a widget to display data in dashboards.

    These scripts differ from standard playbook task automation scripts in two main ways: their specific argument-passing conventions, such as the new and old values passed to field-change-triggered scripts, and the tags that associate each script with a specific process within Cortex XSOAR. See Special Automation Tags for more information.

    The script tags are:

    • field-display

    • field-change-triggered

    • transformer

    • filter

    • dynamic-section

    • post-processing

    • preProcessing
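
The following added example, which is not part of the Cortex XSOAR documentation, shows a field-change-triggered script that records when an incident's severity is lowered. It assumes the old and new values arrive in the `old` and `new` arguments and the editing user in `user`; the function names and the sample arguments are constructed for illustration.

```python
# Added example: logic for a script tagged field-change-triggered.
# Assumption: XSOAR passes the previous and updated values as the "old" and
# "new" args, and the editing user under "user"; SAMPLE_ARGS is constructed.
SEVERITY_NAMES = {0: "Unknown", 0.5: "Informational", 1: "Low",
                  2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_ARGS = {"name": "severity", "old": "3", "new": "1",
               "user": {"username": "analyst1"}}


def parse_severity(value):
    """Return the severity as a float, or None when it is empty or not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def review_severity_change(args):
    """Return an audit note when severity is lowered, otherwise None."""
    old, new = parse_severity(args.get("old")), parse_severity(args.get("new"))
    if old is None or new is None:
        return None  # first population or unparsable value: nothing to compare
    if new >= old:
        return None  # unchanged or escalated
    user = args.get("user") or {}
    who = user.get("username", "unknown") if isinstance(user, dict) else str(user)
    return "Severity lowered from {} to {} by {}".format(
        SEVERITY_NAMES.get(old, old), SEVERITY_NAMES.get(new, new), who)


def main():
    try:
        args, emit = demisto.args(), demisto.results  # injected inside XSOAR
    except NameError:
        args, emit = SAMPLE_ARGS, print  # offline run with the constructed sample
    note = review_severity_change(args)
    if note:
        emit(note)


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```
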

Scripts as Part of the Incident Lifecycle

The following diagram shows the logical relationships between the different scripts and where they are defined and used in Cortex XSOAR.

[Figure: Cortex XSOAR script relationships]

  • When integration command scripts fetch an incident from a source, classification determines the type of incident and field mapping creates Cortex XSOAR incident fields from the raw incident.

  • A pre-processing script executes prior to incident creation and may take actions such as dropping or linking the incident.

  • Filter and transformer scripts are used during classification and mapping. Once the incident type is established, it links to the incident layout displayed in the web UI and the playbook assigned to the incident.

  • Tasks within the playbook execute automation scripts that output data to the War Room tab in the UI and fields in incident context.

  • The incident layout displays incident fields that can be modified by field change scripts.

  • Within the incident layout, sections of a display panel can be provided via dynamic section scripts.

  • When an incident is closed, a post-processing script is triggered if one is defined in the incident type.

  • Dashboards may use script-based widgets to display data from Cortex XSOAR in addition to widgets from the widget library.