Cortex XSOAR Tips & Tricks – Execute Command Function

Introduction

When developing the automated SOC workflows for the NVISO Managed SOC and the additional NITRO services on Cortex XSOAR, we have started to use automations for complex tasks instead of playbooks. Automations perform much better and, if your team has a decent level of Python skills, developing complex tasks in automations can be much easier than building them as playbooks.

When using automations in Cortex XSOAR, the command you will call most often is demisto.executeCommand. This is used to execute available commands from integrations and to call other automations.

To add additional functionality to this command, we have created our own nitro_execute_command wrapper function which is available on the NVISO Github:

https://github.com/NVISOsecurity/blogposts/blob/master/CortexXSOAR/nitro_execute_command.py

nitro_execute_command()

When using demisto.executeCommand to run commands in an automation, the first issue you will come across is that it does not raise an error when the command execution was unsuccessful. The execution status of the command can instead be found in the Type key of each result entry returned by demisto.executeCommand:

[
    {
        'ModuleName': 'CustomScripts', 
        'Brand': 'Scripts', 
        'Category': 'automation', 
        'ID': '', 
        'Version': 0, 
        'Type': 1, 
        'Contents': None
    }
]

In our nitro_execute_command function, we loop through all results returned by demisto.executeCommand and check the value of the Type key. If the value is Error (4), we raise an exception containing the error message:

raise Exception(f"Error when executing command: {command} with arguments:{args}: {error_result.get('Contents')}")

Because in certain use cases you might not want your automation to halt whenever a command fails, we have added a fail_on_error boolean parameter to nitro_execute_command:

nitro_execute_command(command='setIncident', args={'name': 'incident name'}, fail_on_error=False)

To improve the resiliency of our set of automations, we have additionally added retry logic for the case where the execution of a command returns an error. In that case, nitro_execute_command retries 3 times by default before raising an exception and halting the automation. The number of retries can be configured with the retry parameter of nitro_execute_command:

nitro_execute_command(command='setIncident', args={'name': 'incident name'}, retry=5)
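To show how the error check, the fail_on_error switch and the retry loop fit together, here is an added re-implementation of the wrapper as the post describes it (example code, not the NVISO function from the linked repository). It assumes that `retry` counts extra attempts after the first one, and it adds a hypothetical `executor` parameter so the logic can be exercised offline with a constructed stand-in; inside XSOAR it falls back to demisto.executeCommand.

```python
ERROR_ENTRY_TYPE = 4  # Type value of an error entry in the list demisto.executeCommand returns


def nitro_execute_command(command, args=None, fail_on_error=True, retry=3, executor=None):
    """Run `command` with `args`, retrying when the result contains an error entry.

    Assumption: `retry` is the number of extra attempts after the first one.
    `executor` is a hypothetical injection point for this example only.
    """
    args = args or {}
    if executor is None:  # inside XSOAR the `demisto` object is a runtime global
        executor = globals()['demisto'].executeCommand
    attempts = 1 + max(0, int(retry))
    results = []
    for attempt in range(1, attempts + 1):
        results = executor(command, args) or []
        # Only entries whose Type is Error (4) count as a failed execution
        error_results = [r for r in results
                         if isinstance(r, dict) and r.get('Type') == ERROR_ENTRY_TYPE]
        if not error_results:
            return results  # success: no error entry among the results
        if attempt < attempts:
            continue  # error found and retries remain, run the command again
        if fail_on_error:
            messages = "; ".join(str(r.get('Contents')) for r in error_results)
            raise Exception(f"Error when executing command: {command} with arguments:{args}: {messages}")
    # fail_on_error=False: hand the entries back, errors included, for the caller to inspect
    return results


class FlakyExecutor:
    """Constructed stand-in for demisto.executeCommand: returns an error entry for the
    first `failures` calls and a success entry afterwards; records every call."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = []

    def __call__(self, command, args):
        self.calls.append((command, dict(args)))
        if len(self.calls) <= self.failures:
            return [{'Type': ERROR_ENTRY_TYPE, 'Contents': f'simulated failure #{len(self.calls)}'}]
        return [{'Type': 1, 'Contents': {'id': '1234'}}]
```

With the default retry=3 the wrapper gives up after four calls in total; with fail_on_error=False the error entries are returned instead of raised, so check the Type key yourself before using Contents.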

We have added this custom function to the CommonServerUserPython automation. This automation is created for user-defined code that is merged into each script and integration during execution. It will allow you to use nitro_execute_command in all your custom automations.

References

https://xsoar.pan.dev/docs/reference/api/demisto-class#executecommand

https://xsoar.pan.dev/docs/reference/scripts/common-server-user-python

About the author

Wouter is an expert in the SOAR engineering team in the NVISO SOC. As the lead engineer and development process lead he is responsible for the design, development and deployment of the automated analysis workflows created by the SOAR Engineering team, which enable the NVISO SOC analysts to detect attackers in customer environments faster. With his experience in cloud and devops, he has enabled the SOAR engineering team to automate the development lifecycle and increase the operational stability of the SOAR platform.

Wouter via his LinkedIn page.

