Scripts - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-02-14
Last date published
2024-05-30
Category
Administrator Guide
Solution
Cloud
Abstract

Create and edit a scrip in Cortex XSOAR, including detach and attach, script settings, etc.

Scripts perform specific actions and are comprised of commands, which are used in playbook tasks and when running commands in the War Room.

In the Scripts page, you can view, edit, and create scripts in JavaScript, Python, or PowerShell. When creating a script, you can access all Cortex XSOAR APIs, including access to incidents, investigations, share data to the War Room, etc. Scripts can receive and access arguments, and can be password protected.

You can use the Script Helper when creating a script, which provides a list of available commands and scripts, ordered alphabetically. For more information about the scripts used in Cortex XSOAR, see the List of Scripts.

Script Permissions

Permissions for scripts in Cortex XSOAR are determined by the Run as and Role fields. Run as determines the permissions with which the script runs. Role determines who the script can be seen and executed by.

By default, most scripts in Cortex XSOAR are run as the limited user. However, some scripts require higher permissions and are delivered, out-of-the-box with Run as set to DbotRole, which means the script executes with elevated permissions. When a script runs with elevated permissions, its results can be viewed even by users with lower permissions. To mitigate this, you should assign a role to the script that is aligned with the users to whom you want to expose the information the script can extract.

Note

As content packs may use a number of these scripts, and the scripts could have some dependency on each another, it is important that you assign the Run as and Role parameters consistently to ensure that all of the scripts can run properly.

For example, you have a script that searches for all incidents in the system. The following scenarios show how the system behaves given the various configurations.

Scenario 1

Set the script with Run as, defined as DBotRole and do not set the Role parameter.

Anyone can run the script, whether they are an analyst or administrator, and they have access to all incidents that are returned.

Scenario 2

Set the Run as parameter to DBotRole, and set the Role parameter to Analyst. Any user with at least analyst permissions will have access to execute the script. All other users are not able to implement the script in playbook tasks. They cannot run the script manually from the command line or in a playbook.

All users can see the results of the execution in the War Room.

Scenario 3

Set the Run as parameter to Analyst and do not set a role. Everyone can run the script, but only incidents that are viewable by the analyst role are returned.

Scenario 4

Set the Run as parameter to Analyst and define the Role parameter as Analyst. Only users with at least the analyst role are able to execute the script. Only incidents that are viewable by the analyst role are returned.

For example, you implemented the following roles on your incidents:

  • Incident 1 viewable to Administrators

  • Incident 2 without any role assigned

  • Incident 3 viewable by Analysts

  • Incident 4 viewable by nested Analyst (custom role)

As a nested analyst, you run the script to search for the incidents in your system.

  • In scenario 1, you see incidents 1 through 4.

  • In scenario 2, you are not able to execute the script, but if a playbook runs the script, you see incidents 1 through 4.

  • In scenario 3, you see incidents 2 through 4.

  • In scenario 4, you are not able to execute the script, however, if a playbook runs the script, you see incidents 2 and 4.

Note

When you change permissions for a script, those permissions do not affect playbooks that are already using the script. The playbooks continue using the previous permissions even when the playbook is triggered manually.

Detach and Attach Scripts

When installing a script from a content pack, by default, the script is attached, which means that it is not editable. To edit the script, you need to either make a copy or detach it.

Note

You can make some changes to the script settings, such as Propagation Labels, Run as, Roles, etc., without having to detach or duplicate the script.

While the script is detached, it is not updated by the content pack. This may be useful when you want to update the script without breaking customization. If you want to update the script through content pack updates, you need to reattach it, but any changes are overwritten by the content pack on upgrade. If you want to keep the changes, make a copy before reattaching.

Script Settings

In Script settings you can define the following information:

Basic

Parameter

Description

Name

An identifying name for the script.

Language type

Select the script language.

Version

The script language version.

Description

A meaningful description for the script.

Tags

Predefined script identifiers that determine where the script is available. For example, to use this script as a pre-processing script, it must be tagged with the pre-processing tag.

Run on

The Cortex XSOAR tenant, single engine, or a load-balancing group.

Note

You need to create an engine for the engine field to appear.

Propagation Labels

(Multi-tenant) Select the propagation labels for the script.

Enabled

Whether the script is available for playbook tasks, indicator types, incident types and fields.

Content Pack

The content pack to which the script belongs, if applicable.

Arguments

Click ADD ARGUMENT to add new arguments as required.

Parameter

Description

Argument

An identifying name.

Mandatory

Makes the argument mandatory.

Default

Makes this argument the default argument for the script.

Sensitive

Hides the argument from being displayed in the UI and in logs.

Description

A meaningful description for the argument.

Initial value

The initial default value for the argument.

Is array

Specifies that the argument is an array.

List options

CSV list of argument values.

Outputs

Click ADD OUTPUT to add the outputs according to string, number, date, boolean, etc. For more information, see Context and Outputs.

Parameter

Description

Context Path

A dot notation representation of the path to access the Context. For example, ThreatStream.Analysis.ReportID.

Description

A short description of what the context path represents. For example, The ID of the report submitted to the sandbox.

Type

The value type of the context path, such as string, number, etc. Enables Cortex XSOAR to format the data correctly.

Permissions

Parameter

Description

Password Protect

Enables you to add a password for the script, which will be required when running the script from the CLI.

Run as

Determines which role the script runs as. Select the role from the dropdown list.

Roles

The assigned roles determine who can run the script.

Advanced

Parameter

Description

Timeout (seconds)

Time (in seconds) before the script times out. Default is 180.

Docker image name

For Python scripts, the name of the Docker image to use to run this script. For more information, see Change the Docker Image for Scripts and Integrations.

Run on a separate container

Runs the script on a separate container.

Depends on Commands

You can set the commands that the script depends on directly from these settings. You still have the option to set the dependencies in the script yaml file.