Enhancement Scripts - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Cortex XSOAR
Creation date
Last date published
Threat Intel Management Guide

Enhancement scripts are run on demand. These scripts are not part of the indicator extraction flow, but can be run manually in the CLI or from the Indicator Quick View window. Examples of enhancement scripts include an enrichment script, a script that runs a search in a SIEM for the indicator, etc.

If you have reached your limit for extracting indicators, such as the VirusTotal limit, or you want to run indicator extraction manually, you can add an enhancement script for the indicator type, which enables you to run the script on the indicator type. The script can write to context, return an entry in the War Room, etc.


Enhancement scripts are different from running a reputation command. Reputation commands, such as ip are run on the specific indicator and are not run on the indicator type.

To add an enhancement script to an indicator type, navigate to Settings & InfoSettingsObject SetupIndicatorsTypes. Select the indicator type, click Edit and select the desired enhancement script from the drop-down list. Enhancement scripts should have the enhancement tag applied appear in the list.

In the Automation page, there are a number of out-of-the box enhancement scripts, such as IPReputation, DomainReputation etc. For example, the IP indicator uses the IPReputation script as an enhanced script. This script enables you to add a specific IP address to look up. For example if you have an incident that contains an IP indicator and you have not extracted it, go to Indicator Quick ViewActions and under Run Scripts, select the script.

For each indicator type you can add a reputation command and enhancement script. If indicator extraction is turned on, indicator extraction occurs automatically according to the incident type and you can still run a reputation command on demand, provided it is defined in the indicator type. For example, the IP indicator uses the ip reputation command for IP indicator types.

Enhancement Script Inputs

The enhancement script requires the indicator value as the input argument. For example the IPReputation script requires the ip input. For an EmailReputation script the input is email.

script: |
  register_module_line('EmailReputation', 'start', __line__())

  def email_reputation():
      results = demisto.executeCommand('email', {'email': demisto.get(demisto.args(), 'email')})

      for item in results:
          if isError(item):
              item['Contents'] = item['Brand'] + ' returned an error.\n' + str(item['Contents'])


  def main():

  if __name__ in ('__main__', '__builtin__', 'builtins'):  # pragma: no cover

  register_module_line('EmailReputation', 'end', __line__())
Enhancement Script Outputs

Depends on the script. For example, the EmailReputation script returns a dbotScore. The ListDeviceEvents script returns the type of event, the timestamp, name of the product, etc. For more information, see https://xsoar.pan.dev/docs/reference/scripts/list-device-events.