doc-howto.json
[
{
"body": "\u003col\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as simple text entry to War Room\u003c/strong\u003e\u003cbr\u003e\n demisto.results(\"Mission Accomplished\")\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as a complex entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n \u003ch3\u003eFields\u003c/h3\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Type\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e:\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003eThe value is the number that corresponds to the entry type: \"1 (note)\", \"3 (file)\", \"4 (error)\", \"7 (image)\". There are several additional entry types that Demisto uses internally.\u003c/span\u003e\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Specifies the type of entry. 
Default is \"1\".\u0026nbsp;\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Contents\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Raw data of the command or script. If no HumanReadable is provided, this also displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:88px\" width=\"433\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:429px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ContentsFormat\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\", \"text\", \"image\", \"html\"\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the Content field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n 
\u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: HumanReadable\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Content that displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ReadableContentsFormat\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\"\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the HumanReadable field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: EntryContext\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan 
style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Data added to the investigation context (Output Context), which you can use in playbooks.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ch3\u003eExample\u003c/h3\u003e\n \u003cp\u003e\n entry = {'Type' : entryTypes['note'],\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'Contents': data,\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'ContentsFormat' : formats['json'],\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'HumanReadable': md,\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'ReadableContentsFormat' : formats['markdown'],\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'EntryContext' : context}\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn data to the war room as a file\u003c/strong\u003e\u003cbr\u003e\n demisto.results(fileResult('filename',data))\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn an error to War Room\u003cbr\u003e\u003c/strong\u003emyErrorText\u0026nbsp; = \"No matching\n sensors.\"\u003cbr\u003e\n demisto.results( { \"Type\" : entryTypes[\"error\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : myErrorText } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn multiple entries to War Room\u003cbr\u003e\u003c/strong\u003eoutput = []\u003cbr\u003e\n output.append( { \"Type\" : entryTypes[\"error\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : \"First part of the script failed.\" } )\u003cbr\u003e\n output += [ { \"Type\" : entryTypes[\"note\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : \"Second part of the script completed successfully.\" } ]\u003cbr\u003e\n demisto.results( output )\n 
\u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGet context value\u003c/strong\u003e\u003cbr\u003e\n Fetches the value from the context by its key. demisto.get(demisto.context(),\n 'key')\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Context\u003c/strong\u003e\u003cbr\u003e\n To set context from an integration, you can inject context through the returned\n entry. In this example an entry result is sent to the War Room that adds\n the \u003ccode\u003ekey.subkey\u003c/code\u003e to the current incident context.\u0026nbsp;\u003cbr\u003e\n demisto.results( { \"Type\" : entryTypes[\"note\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : \"data\", \"EntryContext\": { \"key.subkey\": \"value\" } } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSave data in playbook\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003e\n Saves data into context for later task scripts within the currently executing\n playbook.\n \u003c/p\u003e\n \u003cp\u003edemisto.setContext('myIPs', ['1.1.1.1','2.2.2.2']);\u003c/p\u003e\n \u003cp\u003edemisto.setContext('sender', '[email protected]');\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eFormat Results as a table\u003cbr\u003e\u003c/strong\u003eIn addition to plain text,\n you can return results to the war room formatted as a table. 
Error entries\n can also be formatted as tables, by setting the `entryType` to `error`.\n \u003cp\u003eres = [ {\"col1\" : \"val1\", \"col2\" : 1} ]\u003c/p\u003e\n \u003cp\u003eres.append( {\"col1\" : \"val2\", \"col2\" : 2} )\u003c/p\u003e\n demisto.results( {'ContentsFormat': formats['table'], 'Type': entryTypes['note'],\n 'Contents': res} )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eFormat Results using Markdown\u003cbr\u003e\u003c/strong\u003eResults can also be formatted\n using\n \u003ca href=\"https://en.wikipedia.org/wiki/Markdown\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eMarkdown\u003c/a\u003e.\n \u003cp\u003e\n if entry['Type'] != entryTypes['error'] and entry['ContentsFormat'] ==\n formats['json']:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; res += '\\n### Users:'\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp; res += '\\n- High Risk: ' + str(demisto.get(entry,\n 'Contents.highRisk'))\n \u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp; res += '\\n- Recent: ' + str(demisto.get(entry, 'Contents.recent'))\n \u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp; res += '\\n- Total: ' + str(demisto.get(entry, 'Contents.total'))\n \u003c/p\u003e\n demisto.results({'ContentsFormat': formats['markdown'], 'Type': entryTypes['note'],\n 'Contents': res})\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Results As Notes\u003cbr\u003e\u003c/strong\u003eResults can be tagged as Notes\n \u003cp\u003eres = '## This is a note\\n'\u003c/p\u003e\n \u003cp\u003eres += 'It has important information\\n'\u003c/p\u003e\n demisto.results({'ContentsFormat': formats['markdown'], 'Type': entryTypes['note'],\n 'Contents': res, 'Note': True})\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAccess Investigation Metadata\u003c/strong\u003e\u003cbr\u003e\n \u003col\u003e\n \u003cli\u003e\n When you run a script in a War Room, whether manually or through\n a playbook, sometimes 
there is a need to access the investigation\n metadata, which is accessible through the `investigation` and `incidents`\n objects which are mapped into the script by the platform. Try the\n following example in a war room, and in the playground, to see the\n structure of the object in different investigations. Then you can\n extract the fields that interest you for your script’s logic and\n purpose.\n \u003c/li\u003e\n \u003c/ol\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the investigation metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;demisto.results( demisto.investigation() )\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the incidents metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;demisto.results( demisto.incidents() )\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003ePrinting to Log\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003eTo print to war room: demisto.log(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in INFO: demisto.info(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in DEBUG: demisto.debug(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in ERROR: demisto.error(...)\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Severity Levels\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003eUnknown: 0\u003c/li\u003e\n \u003cli\u003eInformational: .5\u003c/li\u003e\n \u003cli\u003eLow: 1\u003c/li\u003e\n \u003cli\u003eMedium: 2\u003c/li\u003e\n \u003cli\u003eHigh: 3\u003c/li\u003e\n \u003cli\u003eCritical: 4\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Statuses\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003ePending: 0\u003c/li\u003e\n \u003cli\u003eActive: 1\u003c/li\u003e\n \u003cli\u003eDone: 2\u003c/li\u003e\n \u003cli\u003eArchive: 3\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n\u003c/ol\u003e",
"language": "python",
"editorType": "integration"
},
{
"body": "\u003col\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as simple text entry to War Room\u003c/strong\u003e\u003cbr\u003e\n return \"Mission Accomplished\";\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as a complex entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n \u003ch3\u003eFields\u003c/h3\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Type\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e:\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003eThe value is the number that corresponds to the entry type: \"1 (note)\", \"3 (file)\", \"4 (error)\", \"7 (image)\". There are several additional entry types that Demisto uses internally.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Specifies the type of entry. 
Default is \"1\".\u0026nbsp;\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Contents\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Raw data of the command or script. If no HumanReadable is provided, this also displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:88px\" width=\"433\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:429px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ContentsFormat\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\", \"text\", \"image\", \"html\"\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the Content field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n 
\u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: HumanReadable\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Content that displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ReadableContentsFormat\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\"\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the HumanReadable field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: EntryContext\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan 
style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Data added to the investigation context (Output Context), which you can use in playbooks.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ch3\u003eExample\u003c/h3\u003e\n \u003cp\u003e\n entry = {'Type' : entryTypes.note,\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'Contents': data,\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'ContentsFormat' : formats.json,\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'HumanReadable': md,\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'ReadableContentsFormat' : formats.markdown,\u003cbr\u003e\n \u0026nbsp; \u0026nbsp; 'EntryContext' : context}\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn data to the war room as a file\u003c/strong\u003e\u003cbr\u003e\n return saveFile(res.Body);\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn an error to War Room\u003c/strong\u003e\u003cbr\u003e\n return { ContentsFormat: formats.text, Type: entryTypes.error, Contents:\n 'First part of the script failed.' };\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn multiple entries to War Room\u003cbr\u003e\u003c/strong\u003evar output = [];\u003cbr\u003e\n output.push( { ContentsFormat: formats.text, Type: entryTypes.error, Contents:\n 'First part of the script failed.' } );\u003cbr\u003e\n output.push( { ContentsFormat: formats.text, Type: entryTypes.note, Contents:\n 'Second part of the script completed successfully.' } );\u003cbr\u003e\n return output;\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGet Context value\u003c/strong\u003e\u003cbr\u003e\n Fetches the value from the context by its key. 
dq(invContext,'key.path')\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Context\u003c/strong\u003e\u003cbr\u003e\n setContext(args.key, args.value);\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSending an HTTP request or file\u003c/strong\u003e\u003cbr\u003e\n http(url,{Method: method,Headers: headers,Body: body, Username: username,Password:\n password},params.insecure,params.proxy);\u003cbr\u003e\n httpMultipart(url,file_id,{Headers: headers, Username: username,Password:\n password},body,params.insecure,params.proxy,false,'uploadFile', file_name,true);\u003cbr\u003e\n \u003cstrong\u003ehttp\u003c/strong\u003e sends a request and receives a response and\n \u003cstrong\u003ehttpMultipart\u003c/strong\u003e sends a file in HTTP protocol\u003cbr\u003e\n where:\u003cbr\u003e\n \u003cstrong\u003eURL\u003c/strong\u003e: the site url (mandatory)\u003cbr\u003e\n method is the http method such as 'GET', 'POST', 'PUT' (mandatory)\u003cbr\u003e\n fileID is the entry ID of the file in the War room\u003cbr\u003e\n headers is the HTTP request headers\u003cbr\u003e\n body is the http request body\u003cbr\u003e\n username and password are the authentication details if needed\u003cbr\u003e\n insecure is a Boolean parameter that is true if secure and false if not secure.\u003cbr\u003e\n proxy is a Boolean parameter that is true to use proxy and false if not use\n proxy.\u003cbr\u003e\n file_name is the name of the file that is sent. 
Can be different than the\n file ID.\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSave data in playbook\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003e\n Saves data into context for later task scripts within the currently executing\n playbook.\n \u003c/p\u003e\n \u003cp\u003esetContext('myIPs', ['1.1.1.1','2.2.2.2']);\u003c/p\u003e\n \u003cp\u003esetContext('sender', '[email protected]');\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cp\u003e\n \u003cstrong\u003eFormat Results as a table\u003cbr\u003e\u003c/strong\u003eIn addition to plain text,\n you can return results to the war room formatted as a table. Error entries\n can also be formatted as tables, by setting the `entryType` to `error`.\n \u003c/p\u003e\n \u003cp\u003e\n rows = [ { col1 : 'val1', col2 : 1 } , { col1 : 'val2', col2 : 2 } ]\n \u003c/p\u003e\n \u003cp\u003e\n return {ContentsFormat: formats.table, Type: entryTypes.note, Contents:\n rows};\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eFormat Results using Markdown\u003c/strong\u003e\u003cbr\u003e\n \u003cp\u003e\n Results can also be formatted using\n \u003ca href=\"https://en.wikipedia.org/wiki/Markdown\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eMarkdown\u003c/a\u003e.\n \u003c/p\u003e\n \u003cp\u003evar res = '## My title\\n### My subsection\\n'\u003c/p\u003e\n \u003cp\u003e\n rows = [ { col1 : 'val1', col2 : 1 } , { col1 : 'val2', col2 : 2 } ]\n \u003c/p\u003e\n \u003cp\u003emarkdownBasedTable = 'num|col1|col2\\n'\u003c/p\u003e\n \u003cp\u003emarkdownBasedTable += '---|---|---\\n'\u003c/p\u003e\n \u003cp\u003efor (var i = 0; i \u0026lt; rows.length; i++)\u003c/p\u003e\n \u003cp\u003e\n markdownBasedTable += (i+1) + '|' + rows[i].col1 + '|' + rows[i].col2\n + '\\n'\n \u003c/p\u003e\n \u003cp\u003eres += markdownBasedTable\u003c/p\u003e\n return { ContentsFormat: formats.markdown, Type: entryTypes.note, Contents:\n res } ;\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet 
Results As Notes\u003c/strong\u003e\u003cbr\u003e\n \u003cp\u003eResults can be set as notes\u003c/p\u003e\n \u003cp\u003evar res = '## This is a note\\n';\u003c/p\u003e\n \u003cp\u003eres += 'It has important information\\n';\u003c/p\u003e\n return { ContentsFormat: formats.markdown, Type: entryTypes.note, Contents:\n res, Note: true } ;\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eBase 64\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003ebtoa: encode string to base 64\u003c/p\u003e\n \u003cp\u003eatob: decode base 64 to string\u003c/p\u003e\n \u003cp\u003e\n entrytoa: gets a file entry ID and returns the file in base 64.\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAccess Investigation Metadata\u003c/strong\u003e\n \u003cp\u003e\n When you run a script in a War Room, whether manually or through a playbook,\n sometimes there is a need to access the investigation metadata, which\n is accessible through the `investigation` and `incidents` objects which\n are mapped into the script by the platform. Try the following example\n in a war room, and in the playground, to see the structure of the object\n in different investigations. 
Then you can extract the fields that interest\n you for your script's logic and purpose.\n \u003c/p\u003e\n \u003cp\u003eTo see the structure of the investigation metadata object:\u003c/p\u003e\n \u003cp\u003ereturn investigation;\u003c/p\u003e\n \u003cp\u003eTo see the structure of the incidents metadata object:\u003c/p\u003e\n \u003cp\u003ereturn incidents;\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003ePrinting to Log\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003eTo print to war room: log(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in INFO: logInfo(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in DEBUG: logDebug(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in ERROR: logError(...)\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Severity Levels\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003eUnknown: 0\u003c/li\u003e\n \u003cli\u003eInformational: .5\u003c/li\u003e\n \u003cli\u003eLow: 1\u003c/li\u003e\n \u003cli\u003eMedium: 2\u003c/li\u003e\n \u003cli\u003eHigh: 3\u003c/li\u003e\n \u003cli\u003eCritical: 4\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Statuses\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003ePending: 0\u003c/li\u003e\n \u003cli\u003eActive: 1\u003c/li\u003e\n \u003cli\u003eDone: 2\u003c/li\u003e\n \u003cli\u003eArchive: 3\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n\u003c/ol\u003e",
"language": "javascript",
"editorType": "integration"
},
{
"body": "\u003col\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as simple text entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n $demisto.Results(\"Mission Accomplished\")\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as a complex entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n \u003ch3\u003eFields\u003c/h3\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Type\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e:\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003eThe value is the number that corresponds to the entry type: \"1 (note)\", \"3 (file)\", \"4 (error)\", \"7 (image)\". There are several additional entry types that Demisto uses internally.\u003c/span\u003e\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Specifies the type of entry. 
Default is \"note\".\u0026nbsp;\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Contents\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Raw data of the command or script. If no HumanReadable is provided, this also displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:88px\" width=\"433\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:429px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ContentsFormat\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\", \"text\", \"image\", \"html\"\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the Content field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n 
\u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: HumanReadable\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Content that displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ReadableContentsFormat\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\"\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the HumanReadable field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: EntryContext\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan 
style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Data added to the investigation context (Output Context), which you can use in playbooks.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: List of strings\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags to apply to the War Room entry.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ch3\u003eExample\u003c/h3\u003e\n \u003cp\u003e\n entry = {'Type' : entryTypes.note,\u003cbr\u003e\n 'Contents': data,\u003cbr\u003e\n 'ContentsFormat' : formats.json,\u003cbr\u003e\n 'HumanReadable': md,\u003cbr\u003e\n 'ReadableContentsFormat' : formats.markdown,\u003cbr\u003e\n 'EntryContext' : context,\u003cbr\u003e\n 'Tags' : @('tag1', 'tag2')}\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn an error to War Room\u003cbr\u003e\u003c/strong\u003emyErrorText\u0026nbsp; = \"No matching\n sensors.\"\u003cbr\u003e\n $demisto.Results( @{\n Type = 1;\n ContentsFormat = \"json\";\n Contents = 
$contents;\n EntryContext = $context;\n ReadableContentsFormat = \"markdown\";\n HumanReadable = $contents\n } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Context\u003c/strong\u003e\u003cbr\u003e\n $demisto.SetContext($demisto.Args().key, $demisto.Args().'value')\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSave data in playbook\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003e\n Saves data into context for later task scripts within the currently executing\n playbook.\n \u003c/p\u003e\n \u003cp\u003e$demisto.SetContext('myIPs', @('1.1.1.1','2.2.2.2'));\u003c/p\u003e\n \u003cp\u003e$demisto.SetContext('sender', '[email protected]');\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAccess Investigation Metadata\u003c/strong\u003e\u003cbr\u003e\n \u003col\u003e\n \u003cli\u003e\n When you run a script in a War Room, whether manually or through\n a playbook, you sometimes need to access the investigation\n metadata, which is available through the `investigation` and `incidents`\n objects that the platform maps into the script. Try the\n following examples in a War Room and in the playground to see the\n structure of the objects in different investigations. 
Then you can\n extract the fields that interest you for your script's logic and\n purpose.\n \u003c/li\u003e\n \u003c/ol\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the investigation metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;$demisto.Results( $demisto.Investigation() )\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the incidents metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;$demisto.Results( $demisto.Incidents() )\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003ePrinting to Log\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003eTo print to the War Room: $demisto.Log(...)\u003c/p\u003e\n \u003cp\u003eTo print to the Demisto log at INFO level: $demisto.Info(...)\u003c/p\u003e\n \u003cp\u003eTo print to the Demisto log at DEBUG level: $demisto.Debug(...)\u003c/p\u003e\n \u003cp\u003eTo print to the Demisto log at ERROR level: $demisto.Error(...)\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eClose the current investigation\u003cbr\u003e\u003c/strong\u003e$demisto.ExecuteCommand('closeInvestigation',\n @{ 'reason_What-happened' = 'Automated malware playbook completed.' } )\u003cstrong\u003e\u003cbr\u003e\u003c/strong\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAdvanced How To\u003cbr\u003e\u003c/strong\u003eTo be added soon:\u003cbr\u003e\n 1. Access War Room entries from within a script - return entries matching\n a specific condition, aggregate content from entries, run a regex-based search\n against all text in the war room to collect a list of identifiers, and more.\u003cbr\u003e\n 2. Send files from war room as email attachments.\u003cbr\u003e\n 3. 
Access context data directly disregarding arguments.\u003cbr\u003e\n 4. More tips and use cases to come.\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Severity Levels\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003eUnknown: 0\u003c/li\u003e\n \u003cli\u003eInformational: .5\u003c/li\u003e\n \u003cli\u003eLow: 1\u003c/li\u003e\n \u003cli\u003eMedium: 2\u003c/li\u003e\n \u003cli\u003eHigh: 3\u003c/li\u003e\n \u003cli\u003eCritical: 4\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Statuses\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003ePending: 0\u003c/li\u003e\n \u003cli\u003eActive: 1\u003c/li\u003e\n \u003cli\u003eDone: 2\u003c/li\u003e\n \u003cli\u003eArchive: 3\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n\u003c/ol\u003e\n",
"language": "powershell",
"editorType": "integration"
},
{
"body": "\u003col\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as simple text entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n demisto.results(\"Mission Accomplished\")\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as a complex entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n \u003ch3\u003eFields\u003c/h3\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Type\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e:\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003eThe value is the number that corresponds to the entry type: \"1 (note)\", \"3 (file)\", \"4 (error)\", \"7 (image)\". There are several additional entry types that Demisto uses internally.\u003c/span\u003e\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Specifies the type of entry. 
Default is \"note\".\u0026nbsp;\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Contents\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Raw data of the command or script. If no HumanReadable is provided, this also displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:88px\" width=\"433\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:429px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ContentsFormat\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\", \"text\", \"image\", \"html\"\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the Content field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n 
\u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: HumanReadable\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Content that displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ReadableContentsFormat\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\"\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the HumanReadable field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: EntryContext\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan 
style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Data added to the investigation context (Output Context), which you can use in playbooks.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: List of strings\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags to apply to the War Room entry.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ch3\u003eExample\u003c/h3\u003e\n \u003cp\u003e\n entry = {'Type' : entryTypes['note'],\u003cbr\u003e\n 'Contents': data,\u003cbr\u003e\n 'ContentsFormat' : formats['json'],\u003cbr\u003e\n 'HumanReadable': md,\u003cbr\u003e\n 'ReadableContentsFormat' : formats['markdown'],\u003cbr\u003e\n 'EntryContext' : context,\u003cbr\u003e\n 'Tags' : ['tag1', 'tag2']}\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn data to the War Room as a file\u003c/strong\u003e\u003cbr\u003e\n demisto.results(fileResult('filename',data))\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn an error to War 
Room\u003cbr\u003e\u003c/strong\u003emyErrorText\u0026nbsp; = \"No matching\n sensors.\"\u003cbr\u003e\n demisto.results( { \"Type\" : entryTypes[\"error\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : myErrorText } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn multiple entries to War Room\u003cbr\u003e\u003c/strong\u003eoutput = []\u003cbr\u003e\n output.append( { \"Type\" : entryTypes[\"error\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : \"First part of the script failed.\" } )\u003cbr\u003e\n output += [ { \"Type\" : entryTypes[\"note\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : \"Second part of the script completed successfully.\" } ]\u003cbr\u003e\n demisto.results( output )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGetting time and other metadata for War Room entries\u003cbr\u003e\u003c/strong\u003ee\n = demisto.executeCommand('getEntry', {'id': '270@4dfc3b65-9da2-46c5-8751-ebe959f31a7b'});\n demisto.results(demisto.get(e[0], 'Metadata.Created'));\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGetting metadata for War Room entries in JSON\u003cbr\u003e\u003c/strong\u003ee = demisto.executeCommand('getEntry',\n {'id': '60@4751'}); demisto.results(json.dumps(e[0]['Metadata'], indent=2));\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eExecute Commands\u003c/strong\u003e\u003cbr\u003e\n arrResultEntries = demisto.executeCommand('ip', { \"ip\" : \"8.8.8.8\" } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGet context value\u003c/strong\u003e\u003cbr\u003e\n Fetches the value from the context by its key.\u003cbr\u003e 
demisto.get(demisto.context(),\n 'key')\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Context\u003c/strong\u003e\u003cbr\u003e\n demisto.setContext(demisto.args()['key'], demisto.args()['value'])\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet an Incident\u003c/strong\u003e\u003cbr\u003e\n demisto.executeCommand(\"setIncident\", {'mydate': '2018-02-02T22:58:21+02:00'})\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSend notifications (e.g. Email)\u003c/strong\u003e\u003cbr\u003e\n demisto.executeCommand(\"send-mail\", { \"to\" : \"\u003ca href=\"mailto:[email protected]\"\u003e[email protected]\u003c/a\u003e\",\n \"cc\" : \"\u003ca href=\"mailto:[email protected]\"\u003e[email protected]\u003c/a\u003e\", \"subject\"\n : \"Update on Demisto investigation\", \"body\" : \"Contents of your message.\"\n } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eHandle Errors\u003c/strong\u003e\u003cbr\u003e\n \u003col\u003e\n \u003cli\u003eoutput = []\u003c/li\u003e\n \u003c/ol\u003e\n \u003cp\u003e\n resultEntries = demisto.executeCommand( 'dummy-command', { 'arg' : 'value'\n } )\n \u003c/p\u003e\n \u003cp\u003etry:\u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; if isError( resultEntries[0] ):\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; # We have something special\n to say about this error\n \u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; if 'failed with status 404 NOT FOUND' in resultEntries[0]['Contents']:\n \u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; demisto.results( { 'Type' : entryTypes['error'], 'ContentsFormat' : formats['text'],\n 'Contents' : 'Received HTTP Error 404 from Session API. 
Please ensure\n that you do not already have an active session with that sensor, and\n if not - report to the sysadmin.' 
} )\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; else:\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; # If it's not the error we recognize - send all entries returned from\n the command back to the war room as-is\n \u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; demisto.results(resultEntries)\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; else:\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; demisto.results( { 'Type' : entryTypes['note'], 'ContentsFormat' : formats['text'],\n 'Contents': 'Success.' } )\n \u003c/p\u003e\n \u003cp\u003eexcept Exception as ex:\u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; demisto.results( { 'Type' : entryTypes['error'], 'ContentsFormat' : formats['text'],\n 'Contents' : 'Error occurred while parsing output from command. 
Exception\n info:\\n' + str(ex) + '\\n\\nInvalid output:\\n' + str( resultEntries ) } )\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eExecute Another Script\u003cbr\u003e\u003c/strong\u003eYou can execute other scripts\n just as you execute commands, using `executeCommand`.\n \u003cp\u003e\n arrResultEntries = demisto.executeCommand( \"IPReputation\", { \"ip\" : \"8.8.8.8\"\n } )\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSave data in playbook\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003e\n Saves data into context for later task scripts within the currently executing\n playbook.\n \u003c/p\u003e\n \u003cp\u003edemisto.setContext('myIPs', ['1.1.1.1','2.2.2.2']);\u003c/p\u003e\n \u003cp\u003edemisto.setContext('sender', '[email protected]');\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReading file contents\u003c/strong\u003e\u003cbr\u003e\n resultEntries = demisto.executeCommand('getFilePath', {'id': demisto.args()['entryId'] })\n \u003cp\u003e\n filePath = resultEntries[0][\"Contents\"][\"path\"]\u003cbr\u003e\n with open(filePath, 'rb') as file:\n 
\u003c/p\u003e\n \u003cp\u003edata = file.read()\u003c/p\u003e\n \u003cp\u003edemisto.log('Actual file path on disk was: ' + filePath)\u003c/p\u003e\n \u003cp\u003e\n demisto.results( { \"Type\" : entryTypes[\"note\"], \"ContentsFormat\" : formats[\"text\"],\n \"Contents\" : data } )\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eFormat Results as a table\u003cbr\u003e\u003c/strong\u003eIn addition to plain text,\n you can return results to the war room formatted as a table. Error entries\n can also be formatted as tables, by setting the `entryType` to `error`.\n \u003cp\u003eres = [ {\"col1\" : \"val1\", \"col2\" : 1} ]\u003c/p\u003e\n \u003cp\u003eres.append( {\"col1\" : \"val2\", \"col2\" : 2} )\u003c/p\u003e\n demisto.results( {'ContentsFormat': formats['table'], 'Type': entryTypes['note'],\n 'Contents': res} )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eFormat Results using Markdown\u003cbr\u003e\u003c/strong\u003eResults can also be formatted\n using\n \u003ca href=\"https://en.wikipedia.org/wiki/Markdown\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eMarkdown\u003c/a\u003e.\n \u003cp\u003eres = '## Exabeam global info'\u003c/p\u003e\n \u003cp\u003eentry = demisto.executeCommand('xb-users', {})[0]\u003c/p\u003e\n \u003cp\u003e\n if entry['Type'] != entryTypes['error'] and entry['ContentsFormat'] ==\n formats['json']:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; res += '\\n### Users:'\u003c/p\u003e\n \u003cp\u003e\n res += '\\n- High Risk: ' + str(demisto.get(entry, 'Contents.highRisk'))\n \u003c/p\u003e\n \u003cp\u003e\n res += '\\n- Recent: ' + str(demisto.get(entry, 'Contents.recent'))\n \u003c/p\u003e\n \u003cp\u003e\n res += '\\n- Total: ' + str(demisto.get(entry, 'Contents.total'))\n \u003c/p\u003e\n demisto.results({'ContentsFormat': formats['markdown'], 'Type': entryTypes['note'],\n 'Contents': res})\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Results As 
Notes\u003cbr\u003e\u003c/strong\u003eResults can be tagged as Notes.\n \u003cp\u003eres = '## This is a note\\n'\u003c/p\u003e\n \u003cp\u003eres += 'It has important information\\n'\u003c/p\u003e\n demisto.results({'ContentsFormat': formats['markdown'], 'Type': entryTypes['note'],\n 'Contents': res, 'Note': True})\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAccess Investigation Metadata\u003c/strong\u003e\u003cbr\u003e\n \u003col\u003e\n \u003cli\u003e\n When you run a script in a War Room, whether manually or through\n a playbook, you sometimes need to access the investigation\n metadata, which is available through the `investigation` and `incidents`\n objects that the platform maps into the script. Try the\n following examples in a War Room and in the playground to see the\n structure of the objects in different investigations. Then you can\n extract the fields that interest you for your script’s logic and\n purpose.\n \u003c/li\u003e\n \u003c/ol\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the investigation metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;demisto.results( demisto.investigation() )\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the incidents metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;demisto.results( demisto.incidents() )\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003ePrinting to Log\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003eTo print to the War Room: demisto.log(...)\u003c/p\u003e\n \u003cp\u003eTo print to the Demisto log at INFO level: demisto.info(...)\u003c/p\u003e\n \u003cp\u003eTo print to the Demisto log at DEBUG level: demisto.debug(...)\u003c/p\u003e\n \u003cp\u003eTo print to the Demisto log at ERROR level: demisto.error(...)\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eClose the current investigation\u003cbr\u003e\u003c/strong\u003edemisto.executeCommand('closeInvestigation',\n { 
'reason_What-happened' : 'Automated malware 
playbook completed.' } )\u003cstrong\u003e\u003cbr\u003e\u003c/strong\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAdvanced How To\u003cbr\u003e\u003c/strong\u003eTo be added soon:\u003cbr\u003e\n 1. Access War Room entries from within a script – return entries matching\n a specific condition, aggregate content from entries, run a regex-based search\n against all text in the war room to collect a list of identifiers, and more.\u003cbr\u003e\n 2. Send files from war room as email attachments.\u003cbr\u003e\n 3. Access context data directly disregarding arguments.\u003cbr\u003e\n 4. More tips and use cases to come.\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn a map to the War Room\u003c/strong\u003e\u003cbr\u003e\n demisto.results({\u003cbr\u003e\n 'Type': entryTypes['map'],\u003cbr\u003e\n 'ContentsFormat' : formats['json'],\u003cbr\u003e\n 'Contents': {\u003cbr\u003e\n 'lat': \u0026lt;latitude-coordinate\u0026gt;,\u003cbr\u003e\n 'lng': \u0026lt;longitude-coordinate\u0026gt;,\u003cbr\u003e\n }\u003cbr\u003e\n })\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Severity Levels\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003eUnknown: 0\u003c/li\u003e\n \u003cli\u003eInformational: .5\u003c/li\u003e\n \u003cli\u003eLow: 1\u003c/li\u003e\n \u003cli\u003eMedium: 2\u003c/li\u003e\n \u003cli\u003eHigh: 3\u003c/li\u003e\n \u003cli\u003eCritical: 4\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Statuses\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003ePending: 0\u003c/li\u003e\n \u003cli\u003eActive: 1\u003c/li\u003e\n \u003cli\u003eDone: 2\u003c/li\u003e\n \u003cli\u003eArchive: 3\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n\u003c/ol\u003e",
"language": "python",
"editorType": "automation"
},
{
"body": "\u003col\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as simple text entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n return \"Mission Accomplished\";\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as a complex entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n \u003ch3\u003eFields\u003c/h3\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Type\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e:\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003eThe value is the number that corresponds to the entry type: \"1 (note)\", \"3 (file)\", \"4 (error)\", \"7 (image)\". There are several additional entry types that Demisto uses internally. \u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Specifies the type of entry. Default is \"note\".\u0026nbsp;\u003c/span\u003e\u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExample\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Specifies the type of entry. 
Default is \"note\".\u0026nbsp;\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Contents\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Raw data of the command or script. If no HumanReadable is provided, this also displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:88px\" width=\"433\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:429px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ContentsFormat\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\", \"text\", \"image\", \"html\"\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the Content field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n 
\u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: HumanReadable\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Content that displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ReadableContentsFormat\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\"\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the HumanReadable field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: EntryContext\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan 
style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Data added to the investigation context (Output Context), which you can use in playbooks.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: List of strings\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags to apply to the War Room entry.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ch3\u003eExample\u003c/h3\u003e\n \u003cp\u003e\n entry = {'Type' : entryTypes.note,\u003cbr\u003e\n 'Contents': data,\u003cbr\u003e\n 'ContentsFormat' : formats.json,\u003cbr\u003e\n 'HumanReadable': md,\u003cbr\u003e\n 'ReadableContentsFormat' : formats.markdown,\u003cbr\u003e\n 'EntryContext' : context,\u003cbr\u003e\n 'Tags' : ['tag1', 'tag2']}\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn data to the War Room as a file\u003c/strong\u003e\u003cbr\u003e\n return saveFile(res.Body);\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn an error to the War 
Room\u003c/strong\u003e\u003cbr\u003e\n return { ContentsFormat: formats.text, Type: entryTypes.error, Contents:\n 'First part of the script failed.' };\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn multiple entries to the War Room\u003cbr\u003e\u003c/strong\u003evar output =\n [];\u003cbr\u003e\n output.push( { ContentsFormat: formats.text, Type: entryTypes.error, Contents:\n 'First part of the script failed.' } );\u003cbr\u003e\n output.push( { ContentsFormat: formats.text, Type: entryTypes.note, Contents:\n 'Second part of the script completed successfully.' } );\u003cbr\u003e\n return output;\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGetting time and other metadata for War Room entries\u003c/strong\u003e\u003cbr\u003e\n !js script=\"e = executeCommand('getEntry', {id: '270@4dfc3b65-9da2-46c5-8751-ebe959f31a7b'});\n return e[0].Metadata.Created;\"\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGetting metadata for War Room entries in JSON\u003c/strong\u003e\u003cbr\u003e\n !js script=\"e = executeCommand('getEntry', {id: '60@4751'}); return JSON.stringify(e[0].Metadata,\n null, 2);\"\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eExecute Commands\u003c/strong\u003e\u003cbr\u003e\n var arrResultEntries = executeCommand('ip', { ip: '8.8.8.8' } );\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eGet Context value\u003c/strong\u003e\u003cbr\u003e\n Fetches the value from the context by its key.\u003cbr\u003e\n dq(invContext,'key.path')\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Context\u003c/strong\u003e\u003cbr\u003e\n setContext(args.key, args.value);\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSend notifications (e.g. 
Email)\u003c/strong\u003e\u003cbr\u003e\n var arrResultEntries = executeCommand('send-mail', { to : '[email protected]',\n cc : '[email protected]', subject : 'Update on Demisto investigation', body\n : 'Contents of your message.'\u0026nbsp; });\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSending an HTTP request or file\u003c/strong\u003e\u003cbr\u003e\n http(url,{Method: method,Headers: headers,Body: body, Username: username,Password:\n password},params.insecure,params.proxy);\u003cbr\u003e\n httpMultipart(url,file_id,{Headers: headers, Username: username,Password:\n password},body,params.insecure,params.proxy,false,'uploadFile', file_name,true);\u003cbr\u003e\n \u003cstrong\u003ehttp\u003c/strong\u003e sends a request and receives a response and\u0026nbsp;\u003cstrong\u003ehttpMultipart\u003c/strong\u003e\n sends a file in HTTP protocol\u003cbr\u003e\n where:\u003cbr\u003e\n \u003cstrong\u003eURL\u003c/strong\u003e: the site url (mandatory)\u003cbr\u003e\n method is the http method such as 'GET', 'POST', 'PUT' (mandatory)\u003cbr\u003e\n fileID is the entry ID of the file in the War room\u003cbr\u003e\n headers is the HTTP request headers\u003cbr\u003e\n body is the http request body\u003cbr\u003e\n username and password are the authentication details if needed\u003cbr\u003e\n insecure is a Boolean parameter that is true if secure and false if not secure.\u003cbr\u003e\n proxy is a Boolean parameter that is true to use proxy and false if not use\n proxy.\u003cbr\u003e\n file_name is the name of the file that is sent. 
Can be different than the\n file ID.\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eHandle Errors\u003c/strong\u003e\u003cbr\u003e\n \u003ctable style=\"height:452px\" width=\"720\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:716px;background-color:#d3d3d3\"\u003e\n \u003col\u003e\n \u003cli\u003e\n \u003cp\u003evar res = executeCommand('PagerDutyGetUsersOnCallNow', { });\u003c/p\u003e\n \u003cp\u003eif (res[0].Type == entryTypes.error) {\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp; // Return the error to the War Room; there are no results to parse.\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; return res[0];\u003c/p\u003e\n \u003cp\u003e} else {\u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; var usersOnCall = res[0].Contents;\u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; var selectedUser = usersOnCall[0];\u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; // An empty list yields undefined, so test for any missing value.\u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; if (!selectedUser) {\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;return { ContentsFormat: formats.text, Type: entryTypes.error, Contents: 'error : did not receive any users from PagerDutyGetUsersOnCallNow!' };\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; } else {\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;return\n selectedUser.name;\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp; }\u003c/p\u003e\n \u003cp\u003e}\u003c/p\u003e\n \u003c/li\u003e\n \u003c/ol\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eExecute Another Script\u003cbr\u003e\u003c/strong\u003eYou can execute other scripts\n just as you execute commands, using `executeCommand`.\n \u003cp\u003e\n var arrResultEntries = executeCommand('IPReputation', { ip: '8.8.8.8'\n } );\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSave data in playbook\u003cbr\u003e\u003c/strong\u003e\n 
\u003cp\u003e\n Saves data into context for later task scripts within the currently executing\n playbook.\n \u003c/p\u003e\n \u003cp\u003esetContext('myIPs', ['1.1.1.1','2.2.2.2']);\u003c/p\u003e\n \u003cp\u003esetContext('sender', '[email protected]');\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cp\u003e\n \u003cstrong\u003eFormat Results as a table\u003cbr\u003e\u003c/strong\u003eIn addition to plain text,\n you can return results to the war room formatted as a table. Error entries\n can also be formatted as tables, by setting the `entryType` to `error`.\n \u003c/p\u003e\n \u003cp\u003e\n rows = [ { col1 : 'val1', col2 : 1 } , { col1 : 'val2', col2 : 2 } ]\n \u003c/p\u003e\n \u003cp\u003e\n return {ContentsFormat: formats.table, Type: entryTypes.note, Contents:\n rows};\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eFormat Results using Markdown\u003c/strong\u003e\u003cbr\u003e\n \u003cp\u003e\n Results can also be formatted using\n \u003ca href=\"https://en.wikipedia.org/wiki/Markdown\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eMarkdown\u003c/a\u003e.\n \u003c/p\u003e\n \u003cp\u003evar res = '## My title\\n### My subsection\\n'\u003c/p\u003e\n \u003cp\u003e\n rows = [ { col1 : 'val1', col2 : 1 } , { col1 : 'val2', col2 : 2 } ]\n \u003c/p\u003e\n \u003cp\u003emarkdownBasedTable = 'num|col1|col2\\n'\u003c/p\u003e\n \u003cp\u003emarkdownBasedTable += '---|---|---\\n'\u003c/p\u003e\n \u003cp\u003efor (var i = 0; i \u0026lt; rows.length; i++)\u003c/p\u003e\n \u003cp\u003e\n markdownBasedTable += (i+1) + '|' + rows[i].col1 + '|' + rows[i].col2\n + '\\n'\n \u003c/p\u003e\n \u003cp\u003eres += markdownBasedTable\u003c/p\u003e\n return { ContentsFormat: formats.markdown, Type: entryTypes.note, Contents:\n res } ;\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Results As Notes\u003c/strong\u003e\u003cbr\u003e\n \u003cp\u003eResults can be set as notes\u003c/p\u003e\n \u003cp\u003evar res = '## This is a 
note\\n';\u003c/p\u003e\n \u003cp\u003eres += 'It has important information\\n';\u003c/p\u003e\n return { ContentsFormat: formats.markdown, Type: entryTypes.note, Contents:\n res, Note: true } ;\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eBase 64\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003ebtoa: encode string to base 64\u003c/p\u003e\n \u003cp\u003eatob: decode base 64 to string\u003c/p\u003e\n \u003cp\u003e\n entrytoa: gets a file entry ID and returns the file in base 64.\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAccess Investigation Metadata\u003c/strong\u003e\n \u003cp\u003e\n When you run a script in a War Room, whether manually or through a playbook,\n sometimes there is a need to access the investigation metadata, which\n is accessible through the `investigation` and `incidents` objects which\n are mapped into the script by the platform. Try the following example\n in a war room, and in the playground, to see the structure of the object\n in different investigations. 
Then you can extract the fields that interest\n you for your script's logic and purpose.\n \u003c/p\u003e\n \u003cp\u003eTo see the structure of the investigation metadata object:\u003c/p\u003e\n \u003cp\u003ereturn investigation;\u003c/p\u003e\n \u003cp\u003eTo see the structure of the incidents metadata object:\u003c/p\u003e\n \u003cp\u003ereturn incidents;\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003ePrinting to Log\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003eTo print to war room: log(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in INFO: logInfo(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in DEBUG: logDebug(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in ERROR: logError(...)\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eClose the current investigation\u003cbr\u003e\u003c/strong\u003ecloseInvestigation({Reason:\n 'Automated malware playbook completed.'});\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAdvanced How To\u003cbr\u003e\u003c/strong\u003eTo be added soon:\u003cbr\u003e\n 1. Access War Room entries from within a script – return entries matching\n a specific condition, aggregate content from entries, run a regex-based search\n against all text in the war room to collect a list of identifiers, and more.\u003cbr\u003e\n 2. Send files from war room as email attachments.\u003cbr\u003e\n 3. 
Access context data directly, disregarding arguments.\u003cbr\u003e\n 4. More tips and use cases to come.\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn a map to the War Room\u003c/strong\u003e\u003cbr\u003e\n return {\u003cbr\u003e\n Type: entryTypes.map,\u003cbr\u003e\n ContentsFormat: formats.json,\u003cbr\u003e\n Contents: {\u003cbr\u003e\n lat: \u0026lt;latitude-coordinate\u0026gt;,\u003cbr\u003e\n lng: \u0026lt;longitude-coordinate\u0026gt;,\u003cbr\u003e\n }\u003cbr\u003e\n };\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Severity Levels\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003eUnknown: 0\u003c/li\u003e\n \u003cli\u003eInformational: 0.5\u003c/li\u003e\n \u003cli\u003eLow: 1\u003c/li\u003e\n \u003cli\u003eMedium: 2\u003c/li\u003e\n \u003cli\u003eHigh: 3\u003c/li\u003e\n \u003cli\u003eCritical: 4\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Statuses\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003ePending: 0\u003c/li\u003e\n \u003cli\u003eActive: 1\u003c/li\u003e\n \u003cli\u003eDone: 2\u003c/li\u003e\n \u003cli\u003eArchive: 3\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n\u003c/ol\u003e",
"language": "javascript",
"editorType": "automation"
},
{
"body": "\u003col\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as simple text entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n $demisto.Results(\"Mission Accomplished\")\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn result as a complex entry to the War Room\u003c/strong\u003e\u003cbr\u003e\n \u003ch3\u003eFields\u003c/h3\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Type\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003e:\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e\u003cspan style=\"font-size:13px\"\u003eThe value is the number that corresponds to the entry type: \"1 (note)\", \"3 (file)\", \"4 (error)\", \"7 (image)\". There are several additional entry types that Demisto uses internally.\u003c/span\u003e\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Specifies the type of entry. 
Default is \"note\".\u0026nbsp;\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Contents\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Raw data of the command or script. If no HumanReadable is provided, this also displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:88px\" width=\"433\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:429px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ContentsFormat\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\", \"text\", \"image\", \"html\"\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the Content field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n 
\u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: HumanReadable\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Content that displays in the War Room.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: ReadableContentsFormat\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: \"json\", \"markdown\"\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Format of the content from the HumanReadable field.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: EntryContext\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan 
style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: N/A\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Data added to the investigation context (Output Context), which you can use in playbooks.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ctable style=\"height:26px\" width=\"409\"\u003e\n \u003ctbody\u003e\n \u003ctr\u003e\n \u003ctd style=\"width:405px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eField\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eExpected Values\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: List of strings\u0026nbsp;\u003c/span\u003e\u003cbr style=\"font-size:13px\"\u003e\n \u003cspan style=\"font-weight:bolder;font-size:13px\"\u003eDescription\u003c/span\u003e\u003cspan style=\"font-size:13px\"\u003e: Tags to apply to the War Room entry.\u003c/span\u003e\n \u003c/td\u003e\n \u003c/tr\u003e\n \u003c/tbody\u003e\n \u003c/table\u003e\n \u003cbr\u003e\n \u003ch3\u003eExample\u003c/h3\u003e\n \u003cp\u003e\n entry = {'Type' : entryTypes.note,\u003cbr\u003e\n 'Contents': data,\u003cbr\u003e\n 'ContentsFormat' : formats.json,\u003cbr\u003e\n 'HumanReadable': md,\u003cbr\u003e\n 'ReadableContentsFormat' : formats.markdown,\u003cbr\u003e\n 'EntryContext' : context,\u003cbr\u003e\n 'Tags': @('tag1', 'tag2')}\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReturn an error to War Room\u003cbr\u003e\u003c/strong\u003emyErrorText\u0026nbsp; = \"No matching\n sensors.\"\u003cbr\u003e\n $demisto.Results( @{\n Type = 1;\n ContentsFormat = \"json\";\n Contents = 
$contents;\n EntryContext = $context;\n ReadableContentsFormat = \"markdown\";\n HumanReadable = $contents\n } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eExecute Commands\u003c/strong\u003e\u003cbr\u003e\n $arrResultEntries = $demisto.ExecuteCommand('ip', @{ip = \"8.8.8.8\" } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet Context\u003c/strong\u003e\u003cbr\u003e\n $demisto.SetContext($demisto.Args().key, $demisto.Args().'value')\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSet an Incident\u003c/strong\u003e\u003cbr\u003e\n $demisto.ExecuteCommand(\"setIncident\", @{mydate = '2018-02-02T22:58:21+02:00'})\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eExecute Another Script\u003cbr\u003e\u003c/strong\u003eYou can execute other scripts\n just as you execute commands, using `ExecuteCommand`.\n \u003cp\u003e\n $arrResultEntries = $demisto.ExecuteCommand( \"IPReputation\", @{ ip = \"8.8.8.8\" } )\n \u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eSave data in playbook\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003e\n Saves data into context for later task scripts within the currently executing\n playbook.\n \u003c/p\u003e\n \u003cp\u003e$demisto.SetContext('myIPs', @('1.1.1.1','2.2.2.2'));\u003c/p\u003e\n \u003cp\u003e$demisto.SetContext('sender', '[email protected]');\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eReading file contents\u003c/strong\u003e\u003cbr\u003e\n $demisto.ExecuteCommand('getFilePath', @{id = $demisto.Args().entryId })\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAccess Investigation Metadata\u003c/strong\u003e\u003cbr\u003e\n \u003col\u003e\n \u003cli\u003e\n When you run a script in a War Room, whether manually or through\n a playbook, sometimes there is a need to access the investigation\n metadata, which is accessible through the `investigation` and `incidents`\n objects which are mapped into the script by the platform. 
Try the\n following example in a war room, and in the playground, to see the\n structure of the object in different investigations. Then you can\n extract the fields that interest you for your script's logic and\n purpose.\n \u003c/li\u003e\n \u003c/ol\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the investigation metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;$demisto.Results( $demisto.Investigation() )\u003c/p\u003e\n \u003cp\u003e\n \u0026nbsp;To see the structure of the incidents metadata object:\n \u003c/p\u003e\n \u003cp\u003e\u0026nbsp;$demisto.Results( $demisto.Incidents() )\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003ePrinting to Log\u003cbr\u003e\u003c/strong\u003e\n \u003cp\u003eTo print to war room: $demisto.Log(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in INFO: $demisto.Info(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in DEBUG: $demisto.Debug(...)\u003c/p\u003e\n \u003cp\u003eTo print to demisto log in ERROR: $demisto.Error(...)\u003c/p\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eClose the current investigation\u003cbr\u003e\u003c/strong\u003e$demisto.ExecuteCommand('closeInvestigation',\n @{ 'reason_What-happened' = 'Automated malware playbook completed.' } )\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eAdvanced How To\u003cbr\u003e\u003c/strong\u003eTo be added soon:\u003cbr\u003e\n 1. Access War Room entries from within a script - return entries matching\n a specific condition, aggregate content from entries, run a regex-based search\n against all text in the war room to collect a list of identifiers, and more.\u003cbr\u003e\n 2. Send files from war room as email attachments.\u003cbr\u003e\n 3. 
Access context data directly, disregarding arguments.\u003cbr\u003e\n 4. More tips and use cases to come.\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Severity Levels\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003eUnknown: 0\u003c/li\u003e\n \u003cli\u003eInformational: 0.5\u003c/li\u003e\n \u003cli\u003eLow: 1\u003c/li\u003e\n \u003cli\u003eMedium: 2\u003c/li\u003e\n \u003cli\u003eHigh: 3\u003c/li\u003e\n \u003cli\u003eCritical: 4\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n \u003cli\u003e\n \u003cstrong\u003eIncident Statuses\u003c/strong\u003e\u003cbr\u003e\n \u003cul\u003e\n \u003cli\u003ePending: 0\u003c/li\u003e\n \u003cli\u003eActive: 1\u003c/li\u003e\n \u003cli\u003eDone: 2\u003c/li\u003e\n \u003cli\u003eArchive: 3\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/li\u003e\n\u003c/ol\u003e\n",
"language": "powershell",
"editorType": "automation"
}
]