Functions
Overview
A set of math and data manipulation actions to power up playbook capabilities.
Actions
Convert Time Format
Description
Converts a datetime value from one format to another.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Input | String | N/A | Yes | Specify the input datetime value that will be converted. |
From Format | String | N/A | Yes | Specify the datetime format the input string is in. https://strftime.org |
To Format | String | YYYY/MM/DD | Yes | Specify the desired time format of the output. Use arrow time format. https://arrow.readthedocs.io/en/stable/#supported-tokens |
Time Delta In Seconds | Integer | 0 | Yes | Specify the number of seconds you want to shift the output to. Use positive value for future time/date and negative value for the past. |
Timezone | String | N/A | No | Specify the output timezone. |
Example
In this scenario, a datetime input of 11/23/2002 07:23:09 with an arrow time format of MM/DD/YYYY HH:mm:ss is converted to a time only, going back 5 seconds and using UTC timezone.
Action Configurations
Parameter | Value |
Entities | All entities |
Input | 11/23/2002 07:23:09 |
From Format | MM/DD/YYYY HH:mm:ss |
To Format | HH:mm:ss |
Time Delta In Seconds | -5 |
Timezone | EST |
Action Results
- Script Result
Script Result Name | Value options | Example |
ScriptResult | Time Result | 07:23:04 |
Create Thumbnail
Description
Creates a Base64-encoded thumbnail from a Base64-encoded image.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Base64 Image | String | N/A | No | Specify the Base64 string of the image. |
Thumbnail Size | String | 250,250 | Yes | Specify the size of the thumbnail comma separated (W,L). |
Input JSON | JSON | N/A | No | Specify the JSON input. Example: {"image": "<base64 of image>"} |
Image Key Path | String | N/A | No | If using Input JSON, specify the key path for the image field. |
Example
In this scenario we are creating a 500x500 thumbnail from a Base64 input.
Action Configurations
Parameter | Value |
Entities | All entities |
Base64 Image | <base64 of image> |
Thumbnail Size | 500x500 |
Input JSON | Blank |
Image Key Path | Blank |
Action Results
- JSON Result
{ "Thumbnail" : "<base 64 string>" }
IP to Integer
Description
Converts an IP Address or a list of IP addresses to integers.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
IP Addresses | String | N/A | Yes | Specify list of IP addresses separated by comma to be converted to integers. |
Example
In this scenario, IP addresses of 1.1.1.1 and 2.2.2.2 are converted to their integer form.
Action Configurations
Parameter | Value |
Entities | All entities |
IP Addresses | 1.1.1.1,2.2.2.2 |
Action Results
- Script Result
Script Result Name | Value options | Example |
ScriptResult | Integer values | 16843009,33686018 |
- JSON Result
{ "1.1.1.1" : 16843009, "2.2.2.2" : 33686018 }
Math Arithmetic
Description
A set of built-in math operators:
Plus - returns a result for the sum of 2 arguments
Sub - returns a result for 1 argument minus the other
Multi - returns a result for 1 argument multiplied by the other
Div - returns a result for 1 argument divided by the other
Mod - returns the remainder of 1 argument divided by the other
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Function | Dropdown | Plus | Yes | Specify the function you would like to run on two given arguments. |
Arg 2 | Integer | N/A | Yes | Specify the second argument |
Arg 1 | Integer | N/A | Yes | Specify the first argument |
Example 1: Plus
In this scenario, 200 + 100 results in 300.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Plus |
Arg 2 | 100 |
Arg 1 | 200 |
Example 2: Sub
In this scenario, 1000 - 300 results in 700.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Sub |
Arg 2 | 300 |
Arg 1 | 1000 |
Example 3: Multi
In this scenario, 30 x 20 results in 600.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Multi |
Arg 2 | 20 |
Arg 1 | 30 |
Example 4: Div
In this scenario, 500 / 5 results in 100.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Div |
Arg 2 | 5 |
Arg 1 | 500 |
Example 5: Mod
In this scenario, 100 % 23 results in 8.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Mod |
Arg 2 | 23 |
Arg 1 | 100 |
Action Results
- Script Result
Script Result Name | Value options | Example |
ScriptResult | Calculated result | 300 |
Math Functions
Description
A set of built-in Python functions:
Abs - returns the absolute value of a number
Float - returns a floating point number
Display - converts the number to include commas where needed
Hex - converts a number into a hexadecimal value
Int - returns an integer number
Max - returns the largest item in an iterable
Min - returns the smallest item in an iterable
Round - rounds a number
Sort - returns the numbers in sorted order
Sum - sums the items of an iterator
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Function | Dropdown | Max | Yes | Specify the Math function you would like to run on the numbers. |
Numbers | Integer | N/A | Yes | Specify the numbers you would like to run the math function on separated by comma. |
Example 1: Max
In this scenario, the max value out of the numbers: 13.5, -90, 556, 11.32 results in 556.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Max |
Numbers | 13.5,-90,566,11.32 |
Example 2: Min
In this scenario, the min value out of the numbers: 13.5, -90, 556, 11.32 results in -90.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Min |
Numbers | 13.5,-90,566,11.32 |
Example 3: Round
In this scenario, 57.63 is rounded, resulting in 58.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Round |
Numbers | 57.63 |
Example 4: Sort
In this scenario, numbers [13.5, -90.0, 556.0, 11.32] are sorted in ascending order to [-90.0, 11.32, 13.5, 556.0].
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Sort |
Numbers | 13.5,-90,566,11.32 |
Example 5: Sum
In this scenario, the sum of the following numbers [10, 20, 30, 40, 50] is 150.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Sum |
Numbers | 10, 20, 30, 40, 50 |
Example 6: Float
In this scenario, numbers [100,200] are converted to float values of [100.0, 200.0].
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Float |
Numbers | 100,200 |
Example 6: Hex
In this scenario, numbers [100,200] are converted to hexadecimal values of ['0x64', '0xc8'].
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Hex |
Numbers | 100,200 |
Example 7: Int
In this scenario, a float value of 100.23 is converted to an integer of 100.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Int |
Numbers | 100.23 |
Example 8: Abs
In this scenario, a negative integer of -53 is converted to an absolute value of 53.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Abs |
Numbers | -53 |
Example 9: Display
In this scenario, a value of 10000 is converted to include commas resulting in a value of 10,000.
Action Configurations
Parameter | Value |
Entities | All entities |
Function | Display |
Numbers | 10000 |
Action Results
- Script Result
Script Result Name | Value options | Example |
ScriptResult | Calculated result | -90 |
Run JSONPath Query
Description
Runs a JSONPath query on a given JSON input and extracts values according to the expression.
View https://github.com/h2non/jsonpath-ng for more information on JSONPath.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
JSON | Dropdown | JSON | Yes | Specify the JSON input. |
JSONPath Expression | String | N/A | Yes | JSON path expressions always refer to a JSON structure in the same way as XPath expressions are used in combination with an XML document. |
Example
In this scenario, the company name is extracted from the sample JSON input.
Action Configurations
Parameter | Value |
Entities | All entities |
JSON | JSON |
Editor | { "company": { "name": "Cyber Secure", "employees": 1000, "founded": "2005", "headquarters": { "city": "San Francisco", "state": "CA", "country": "USA" }, "security": { "firewall": true, "vpn": true, "intrusion_detection": true, "encryption": true, "two_factor_authentication": true } }, "products": [ { "name": "CyberShield", "type": "firewall", "price": 499, "description": "A state-of-the-art firewall for maximum protection against cyber attacks." }, { "name": "SecureVPN", "type": "VPN", "price": 99, "description": "A fast and secure VPN service for safe browsing and online privacy." }, { "name": "IntrusionAlert", "type": "intrusion detection", "price": 299, "description": "An advanced intrusion detection system that monitors your network and alerts you to potential threats." } ] } |
JSONPath Expression | $.company.name |
Action Results
- JSON Result
{ "matches" : {"0" : "Cyber Secure"} }
SanitizeHTML
Description
Given a fragment of HTML, this action will parse it according to the HTML5 parsing algorithm and sanitize any disallowed tags or attributes. This algorithm also handles wrong syntax such as unclosed and (some) misnested tags.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Tags | String | N/A | No | Tags is the allowed set of HTML tags. Comma separated list. HTML tags not in this list will be escaped or stripped. |
Attributes | String | {'a': ['href', 'title'], 'abbr': ['title']} | No | Attributes lets you specify which attributes are allowed. Value should be a comma separated list. |
Styles | String | N/A | No | If you allow the style attribute, specify the allowed style set, for example color and background-color. Value should be comma separated. |
Allow All Attributes | Checkbox | Unchecked | No | Set true to allow all attributes |
Input HTML | String | N/A | Yes | Specify the HTML fragment that will be sanitized. |
Example
In this scenario, the Input HTML contains a tag not listed in the Tags section, resulting in a sanitized output of “&lt;script&gt;evil()&lt;/script&gt;”.
Action Configurations
Parameter | Value |
Entities | All entities |
Tags | a,abbr,acronym,b,blockquote,code,em,i,li,ol,strong,ul,table,tr,td,th,h1,h2,h3,body,tbody,thead,div,footer,head,header,html,img,option,p,section,span,strong,svg |
Attributes | Blank |
Styles | Blank |
Allow All Attributes | Unchecked |
Input HTML | <script>evil()<</script> |
Action Results
- Script Result
Script Result Name | Value options | Example |
ScriptResult | Sanitized Result | &lt;script&gt;evil()&lt;/script&gt; |
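The allowlist behaviour described above, as an added example that is not the action's own code: a simplified sanitizer built on Python's standard `html.parser` (not an HTML5 parser) that escapes tags outside the Tags list and drops attributes outside the Attributes map. The names `AllowlistSanitizer` and `sanitize` are hypothetical, and the sketch does not cover the Styles parameter or URL scheme checks on `href` values.

```python
import html
from html.parser import HTMLParser

# Mirrors the Attributes default shown in the parameter table.
DEFAULT_ATTRIBUTES = {"a": ["href", "title"], "abbr": ["title"]}


class AllowlistSanitizer(HTMLParser):
    """Escape tags outside the allowlist; drop attributes outside it."""

    def __init__(self, tags, attributes=None):
        super().__init__(convert_charrefs=True)
        self.tags = {t.strip().lower() for t in tags}
        self.attributes = DEFAULT_ATTRIBUTES if attributes is None else attributes
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.tags:
            # Disallowed tag: emit its raw text as inert, escaped characters.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        allowed = self.attributes.get(tag, [])
        kept = "".join(
            f' {name}="{html.escape(value or "", quote=True)}"'
            for name, value in attrs
            if name in allowed  # e.g. onclick is silently dropped
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        text = f"</{tag}>"
        self.out.append(text if tag in self.tags else html.escape(text))

    def handle_data(self, data):
        # Text content is always re-escaped so it cannot introduce markup.
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment, tags, attributes=None):
    """Return the fragment with only allowlisted tags and attributes live."""
    parser = AllowlistSanitizer(tags, attributes)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs; the first is the fragment from the example above.
    print(sanitize("<script>evil()</script>", ["a", "b"]))
    print(sanitize('<a href="https://example.com" onclick="x()">link</a>', ["a"]))
```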
String Functions
Description
Includes basic Pythonic string functions:
Lower: Converts a string into lower case.
Upper: Converts a string into upper case.
Count: Returns the number of times a specified value occurs in a string.
Find: Searches the string for a specified value and returns the position of where it was found.
IsAlpha: Returns "True" if all characters in the string are in the alphabet.
IsDigit: Returns "True" if all characters in the string are digits.
Replace: Returns a string where a specified value is replaced with a specified value.
Strip: Returns a trimmed version of the string.
Title: Converts the first character of each word to uppercase.
Regex Replace: Replaces a regular expression match.
JSON Serialize: Converts a JSON object to a serialized string.
Regex: Find a match based on regular expression.
Split: Splits the input string into a list using Param 1 as the separator. Defaults to comma.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Param2 | String | N/A | No | Specify the second parameter. |
Param1 | String | N/A | No | Specify the first parameter. |
Input | String | N/A | Yes | Specify the input for the function. |
Function | Dropdown | Lower | Yes | Specify the function you want to run. |
Example 1: Lower
In this scenario, input “SAMPLE INPUT” is converted to “sample input”.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | Blank |
Input | SAMPLE INPUT |
Function | Lower |
Example 2: Upper
In this scenario, input “sample input” is converted to “SAMPLE INPUT”.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | Blank |
Input | sample input |
Function | Upper |
Example 3: Count
In this scenario, it's counting the number of times the word “sample” occurs in the input string, which results in 2. Note that the param value is case-sensitive.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | sample |
Input | sample sentence containing sample information. |
Function | Count |
Example 4: Find
In this scenario, it’s finding the index where the word “containing” starts in the input string resulting in a value of 13.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | containing |
Input | sample sentence containing sample information. |
Function | Find |
Example 5: isAlpha
In this scenario, it’s checking if all characters in the input string are alphabetic, resulting in a False return value.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | Blank |
Input | %sample sentence containing sample information. |
Function | isAlpha |
Example 6: isDigit
In this scenario, it’s checking if all characters in the input string are digits, resulting in a False return value.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | Blank |
Input | 100000001 |
Function | isDigit |
Example 7: Replace
In this scenario, it’s replacing the word “information” with “info” resulting in an output of “sample input containing sample info”.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | info |
Param1 | information |
Input | sample sentence containing sample information. |
Function | Replace |
Example 8: Strip
In this scenario, it’s removing spaces at the beginning and end of the input string, resulting in an output of “sample input containing sample information”.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | Blank |
Input | sample sentence containing sample information. |
Function | Strip |
Example 9: Title
In this scenario, it’s converting the first character of each word in the input string to a capital character, resulting in an output of “Sample Input Containing Sample Information”.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | Blank |
Input | sample sentence containing sample information. |
Function | Title |
Example 10: Regex Replace
In this scenario, we’re searching for “The” using regex and replacing it with “a”.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | A |
Param1 | \bThe\b |
Input | The quick brown fox jumps over the lazy dog |
Function | Regex Replace |
Example 11: JSON Serialize
In this scenario, it’s converting the JSON input to a serialized string, resulting in an output of "{\"key\" :\"value\"}".
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | Blank |
Input | {"ip" : "0.0.0.0"} |
Function | JSON Serialize |
Example 12: Regex
In this scenario, we’re trying to use a regex to pull the value in the input JSON.
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | (?<="resource":").*?(?=") |
Input | {"resource":"host001"} |
Function | Regex |
Example 13: Split
In this scenario, input is converted to a list using comma as a delimiter resulting in an output of [100,200,300,400,500].
Action Configurations
Parameter | Value |
Entities | All entities |
Param2 | Blank |
Param1 | , |
Input | 100,200,300,400,500 |
Function | Split |
Action Results
- Script Result
Script Result Name | Value options | Example |
ScriptResult | Result value based on the function | 23 |
Time Duration Calculator
Description
Calculates the difference between two date times.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Input DateTime 1 | String | N/A | Yes | Specify the first datetime input value. Supports either strftime format or “now” for the current time. |
Input DateTime 1 Format | String | %Y-%d-%m'T'%H:%M:%S | Yes | Specify the strftime format of “Datetime 1” string. For more info, visit https://strftime.org. |
Input DateTime 2 | String | now | Yes | Specify the second datetime input value. Supports either strftime format or “now” for the current time. |
Input DateTime 2 Format | String | %Y-%d-%m'T'%h:%m:%s | Yes | Specify the strftime format of “Datetime 2” string. For more info, visit https://strftime.org. |
Example
In this scenario, it calculates the difference between 2022-13-03'T'04:13:01 and the current date and time, resulting in an output of: 0 years, 200 days, 10 hours, 51 minutes and 20 seconds.
Action Configurations
Parameter | Value |
Entities | All entities |
Input DateTime 1 | 2022-13-03'T'04:13:01 |
Input DateTime 1 Format | %Y-%d-%m'T'%H:%M:%S |
Input DateTime 2 | now |
Input DateTime 2 Format | %Y-%d-%m'T'%h:%m:%s |
Action Results
- Script Result
Script Result Name | Value options | Example |
Seconds | Calculated time in seconds | 17319080 |
- JSON Result
{ "years": 0, "days": 200, "hours": 4810, "minutes": 288651, "seconds": 17319080, "duration": "Time between dates: 0 years, 200 days, 10 hours, 51 minutes and 20 seconds" }
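How the fields of the JSON result above relate to each other, as an added example that is not the action's own code: `hours`, `minutes` and `seconds` are running totals, while the `duration` string is a breakdown. The function names, the injectable `now` argument and the 365-day year are assumptions of this sketch.

```python
from datetime import datetime

# Default from the parameter table: year-DAY-month, with the quotes
# around T as literal characters that must appear in the input.
DEFAULT_FORMAT = "%Y-%d-%m'T'%H:%M:%S"


def parse_input(value, fmt, now):
    """Return `now` for the keyword "now", otherwise parse with strptime."""
    if value.strip().lower() == "now":
        return now
    return datetime.strptime(value, fmt)  # ValueError if value and fmt disagree


def time_duration(dt1, fmt1, dt2="now", fmt2=DEFAULT_FORMAT, now=None):
    """Absolute difference between two datetimes in the result's shape."""
    now = now or datetime.now()
    first = parse_input(dt1, fmt1, now)
    second = parse_input(dt2, fmt2, now)
    seconds = int(abs((second - first).total_seconds()))

    # Breakdown used only for the human-readable string.
    total_days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    years, days = divmod(total_days, 365)  # assumption: 365-day years

    return {
        "years": years,
        "days": days,
        "hours": seconds // 3600,   # total hours, not the remainder
        "minutes": seconds // 60,   # total minutes
        "seconds": seconds,         # total seconds
        "duration": (
            f"Time between dates: {years} years, {days} days, "
            f"{hours} hours, {minutes} minutes and {secs} seconds"
        ),
    }


if __name__ == "__main__":
    # Constructed "now" chosen so the output matches the example above.
    fixed_now = datetime(2022, 9, 29, 15, 4, 21)
    print(time_duration("2022-13-03'T'04:13:01", DEFAULT_FORMAT, now=fixed_now))
```

A playbook condition that compares `hours` or `minutes` against a threshold is therefore comparing totals; an input written year-month-day, such as 2022-03-13, fails to parse under the default format because 13 is read as the month.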
XMLtoJson
Description
Converts XML formatted input to its JSON representation.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
XML | String | N/A | Yes | Specify XML to convert to JSON. |
Example
In this scenario, we’re converting a sample XML string to a JSON object.
Action Configurations
Parameter | Value |
Entities | All entities |
xml |
Action Results
- Script Result
Script Result Name | Value options | Example |
ScriptResult | True/False | True |
- JSON Result
{ "cybersecurity": {"threat": [{"name": "Malware", "description": "A type of software designed to harm computer systems.", "severity": "High", "prevention": {"software": "Antivirus", "policy": "Regular software updates and patches"}}, {"name": "Phishing", "description": "A fraudulent attempt to obtain sensitive information by impersonating a trustworthy entity.", "severity": "High", "prevention": {"software": "Firewalls and intrusion detection systems", "policy": "Limiting access to network resources to only authorized personnel"}}]} }
Detect Hash Type
Description
This action detects the most likely hash type of entities. Supported types are SHA256, MD5, SHA1, SHA-512.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
Hashes | String | N/A | Yes | Specify hash value. Supports comma separated list. |
Example
In this scenario, we’re identifying hash types for two hashes resulting in MD5 and SHA256.
Action Configurations
Parameter | Value |
Entities | All entities |
Hashes | b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9,ed076287532e86365e841e92bfc50d8c |
Action Results
- Script Result
Script Result Name | Value options | Example |
IsSuccess | True/False | True |
- JSON Result
[{ "Hash": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9", "HashType": "SHA-256"}, {"Hash": "ed076287532e86365e841e92bfc50d8c", "HashType": "MD5" }]
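One way a "most likely" hash type can be derived for the four supported types, shown as an added example that is not the action's own code: validate that the value is hexadecimal, then map its length to a digest size. The function name and the "UNKNOWN" label are assumptions of this sketch.

```python
import re

# Hex-digit length of each supported digest.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")


def detect_hash_types(hashes):
    """Classify each value in a comma-separated list of hash strings."""
    results = []
    for raw in hashes.split(","):
        value = raw.strip()
        if not value:
            continue
        if HEX_ONLY.fullmatch(value):
            # Length only identifies the digest size. Any other algorithm
            # with the same output size gets the same label, which is why
            # the result is "most likely" rather than certain.
            hash_type = HEX_LENGTHS.get(len(value), "UNKNOWN")
        else:
            # A non-hex character (a typo, an OCR slip, a truncated paste)
            # means the value is not a digest in hex form at all.
            hash_type = "UNKNOWN"
        results.append({"Hash": value, "HashType": hash_type})
    return results


if __name__ == "__main__":
    # The two hashes from the example above, plus a constructed bad value.
    sample = (
        "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9,"
        "ed076287532e86365e841e92bfc50d8c,"
        + "z" * 32
    )
    for row in detect_hash_types(sample):
        print(row)
```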
Detect IP Type
Description
Checks if an IP is an IPv4 or IPv6 address. IP Address entities will be enriched with IPType field.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
IP Addresses | String | N/A | Yes | Specify IP value. Supports comma separated list. |
Example
In this scenario, we’re checking two different IP Addresses to identify their type.
Action Configurations
Parameter | Value |
Entities | All entities |
IP Addresses | 2001:0db8:85a3:0000:0000:8a2e:0370:7334,0.0.0.0 |
Action Results
- Script Result
Script Result Name | Value options | Example |
IsSuccess | True/False | True |
- JSON Result
[{ "Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "IPType": "IPV6"}, {"Address": "0.0.0.0", "IPType": "IPV4" }]
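The IP to Integer and Detect IP Type actions, sketched together as an added example that is not the actions' own code. It uses Python's standard `ipaddress` module; the function names and the `Integer` key are assumptions, and `in_network` goes beyond the two actions to show the range check the integer form makes possible.

```python
import ipaddress


def convert_addresses(addresses):
    """Classify each comma-separated address and give its integer form."""
    results, invalid = [], []
    for raw in addresses.split(","):
        text = raw.strip()
        if not text:
            continue
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            invalid.append(text)  # keep bad input visible instead of guessing
            continue
        results.append(
            {"Address": text, "IPType": f"IPV{ip.version}", "Integer": int(ip)}
        )
    return results, invalid


def ipv4_to_int(text):
    """The IPv4 conversion written out: four octets, most significant first."""
    octets = [int(part) for part in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {text!r}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d


def in_network(address, cidr):
    """Range check on integers; versions must match before comparing."""
    net = ipaddress.ip_network(cidr)
    ip = ipaddress.ip_address(address)
    if ip.version != net.version:
        return False
    return int(net.network_address) <= int(ip) <= int(net.broadcast_address)


if __name__ == "__main__":
    # Addresses from the examples above, plus a constructed invalid one.
    sample = "1.1.1.1, 2.2.2.2, 999.1.1.1, 2001:0db8:85a3:0000:0000:8a2e:0370:7334"
    rows, bad = convert_addresses(sample)
    for row in rows:
        print(row)
    print("invalid:", bad)
    print(in_network("1.1.1.1", "1.1.1.0/24"))
```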