Enhancement scripts are run on demand. These scripts are not part of the indicator extraction flow, but can be run manually in the CLI or from the Indicator Quick View window. Examples of enhancement scripts include an enrichment script, a script that runs a search in a SIEM for the indicator, etc.
If you have reached your limit for extracting indicators, such as the VirusTotal limit, or you want to run indicator extraction manually, you can add an enhancement script for the indicator type, which enables you to run the script on the indicator type. The script can write to context, return an entry in the War Room, etc.
Note
Enhancement scripts are different from running a reputation command. Reputation commands, such as ip, are run on the specific indicator and are not run on the indicator type.
To add an enhancement script to an indicator type, navigate to Edit and select the desired enhancement script from the drop-down list. Only scripts that have the enhancement tag applied appear in the list.
Enhancement scripts include IPReputation, DomainReputation, etc. For example, the IP indicator type uses the IPReputation script as its enhancement script. This script lets you look up a specific IP address. For example, if you have an incident that contains an IP indicator that has not been extracted, go to → and under Run Scripts, select the script.
For each indicator type you can add a reputation command and an enhancement script. If indicator extraction is turned on, indicator extraction occurs automatically according to the incident type, and you can still run a reputation command on demand, provided it is defined in the indicator type. For example, the IP indicator type uses the ip reputation command.
Enhancement Script Inputs
The enhancement script requires the indicator value as its input argument. For example, the IPReputation script requires the ip input, and the EmailReputation script requires the email input.
The EmailReputation script, as defined in the script: field of its YAML:

```python
import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401  (provides isError, entry helpers)

# register_module_line / __line__ are injected by the XSOAR server so that
# traceback line numbers map back to this script.
register_module_line('EmailReputation', 'start', __line__())


def email_reputation():
    # Run the `email` reputation command on the indicator value passed in the `email` argument.
    results = demisto.executeCommand('email', {'email': demisto.get(demisto.args(), 'email')})
    for item in results:
        # Keep error entries, but name the integration that failed so it is visible in the War Room.
        if isError(item):
            item['Contents'] = item['Brand'] + ' returned an error.\n' + str(item['Contents'])
    # Return every entry (results and annotated errors) to the War Room.
    demisto.results(results)


def main():
    email_reputation()


if __name__ in ('__main__', '__builtin__', 'builtins'):  # pragma: no cover
    main()

register_module_line('EmailReputation', 'end', __line__())
```
Enhancement Script Outputs
The output depends on the script. For example, the EmailReputation script returns a DBotScore. The ListDeviceEvents script returns the type of event, the timestamp, the name of the product, etc. For more information, see https://xsoar.pan.dev/docs/reference/scripts/list-device-events.
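The following is an added example, not part of the XSOAR documentation or any out-of-the-box script: an enhancement script for the IP indicator type that follows the same input contract as EmailReputation above (the indicator value arrives as the single ip argument), but instead of forwarding every raw entry it folds the ip command's results into one War Room entry, keeps the worst DBotScore in context, and lists which integrations returned errors. The demisto object, the vendor names, the 203.0.113.7 address and the IPEnhancement context key are all constructed for this example; in XSOAR the real demisto object comes from demistomock and the server runtime.

```python
from types import SimpleNamespace

ENTRY_NOTE, ENTRY_ERROR = 1, 4   # entryTypes['note'] and entryTypes['error'] in CommonServerPython


def _fake_execute_command(command, args):
    # Constructed stand-in for demisto.executeCommand('ip', ...): two integrations
    # answered with a DBotScore, a third hit its quota and returned an error entry.
    ip = args['ip']
    return [
        {'Type': ENTRY_NOTE, 'Brand': 'VendorA', 'Contents': {},
         'EntryContext': {'DBotScore': {'Indicator': ip, 'Type': 'ip', 'Vendor': 'VendorA', 'Score': 2}}},
        {'Type': ENTRY_NOTE, 'Brand': 'VendorB', 'Contents': {},
         'EntryContext': {'DBotScore': {'Indicator': ip, 'Type': 'ip', 'Vendor': 'VendorB', 'Score': 3}}},
        {'Type': ENTRY_ERROR, 'Brand': 'VendorC', 'Contents': 'API quota exceeded'},
    ]


# Constructed demisto object so the script runs offline (input address is from TEST-NET-3).
demisto = SimpleNamespace(args=lambda: {'ip': '203.0.113.7'},
                          executeCommand=_fake_execute_command,
                          results=lambda entry: None)


def is_error(entry):
    return entry.get('Type') == ENTRY_ERROR


def summarize_reputation(ip, entries):
    """Collapse the entries returned by the ip command into one note entry with consolidated context."""
    scores, errors = [], []
    for e in entries:
        if is_error(e):
            errors.append(e['Brand'] + ' returned an error: ' + str(e['Contents']))
            continue
        dbot = e.get('EntryContext', {}).get('DBotScore')
        if dbot:
            scores.append(dbot)
    worst = max((s['Score'] for s in scores), default=0)   # DBotScore: 0 unknown, 1 good, 2 suspicious, 3 bad
    table = '\n'.join('| %s | %d |' % (s['Vendor'], s['Score']) for s in scores)
    md = '### IP reputation for %s (worst score %d)\n| Vendor | Score |\n|---|---|\n%s\n' % (ip, worst, table)
    if errors:
        md += '\nErrors:\n' + '\n'.join('- ' + err for err in errors)
    return {'Type': ENTRY_NOTE, 'ContentsFormat': 'markdown', 'Contents': md, 'HumanReadable': md,
            'EntryContext': {'DBotScore': scores,   # all vendor verdicts stay available in context
                             'IPEnhancement': {'Address': ip, 'WorstScore': worst, 'Errors': errors}}}


def main():
    ip = demisto.args()['ip']   # the indicator value, as for every enhancement script
    demisto.results(summarize_reputation(ip, demisto.executeCommand('ip', {'ip': ip})))


if __name__ == '__main__':
    main()
```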