Overview

A set of math and data manipulation actions to power up playbook capabilities.

Actions

Convert Time Format

Description

Converts a datetime value from one format to another.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
InputStringN/AYesSpecify the input datetime value that will be converted.
From FormatStringN/AYesSpecify the datetime format the input string is in. https://arrow.readthedocs.io/en/stable/#supported-tokens
To FormatStringYYYY/MM/DDYesSpecify the desired time format of the output. Use arrow time format. https://arrow.readthedocs.io/en/stable/#supported-tokens
Time Delta In SecondsInteger0YesSpecify the number of seconds you want to shift the output to. Use positive value for future time/date and negative value for the past.
TimezoneStringN/ANoSpecify the output timezone.

Example

In this scenario, a datetime input of 11/23/2002 07:23:09 with an arrow time format of MM/DD/YYYY HH:mm:ss is converted to a time only, going back 5 seconds and using UTC timezone.

Action Results

  • Script Result
    Script Result NameValue optionsExample
    ScriptResultTime Result07:23:04

Create Thumbnail

Description

Converts a Base64 thumbnail of an image.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
Base64 ImageStringN/ANoSpecify the Base64 string of the image.
Thumbnail SizeString250,250YesSpecify the size of the thumbnail comma separated (W,L).
Input JSONJSONN/ANoSpecify the JSON input. Example: {“image” :”<base64 of image>”}
Image Key PathStringN/ANoIf using Input JSON, specify the key path for the image field.

Example

In this scenario we are creating a 500x500 thumbnail from a Base64 input.

Action Results

  • JSON Result
    {
    "Thumbnail" : "<base 64 string>"
    }

IP to Integer

Description

Converts an IP Address or a list of IP addresses to integers.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
IP AddressesStringN/AYesSpecify list of IP addresses separated by comma to be converted to integers.

Example

In this scenario, IP addresses of 1.1.1.1 and 2.2.2.2 are converted to their integer form.

Action Results

  • Script Result
    Script Result NameValue optionsExample
    ScriptResultInteger values16843009,33686018
  • JSON Result
    {
    "1.1.1.1" : 16843009, 
    "2.2.2.2" : 33686018
    }


Math Arithmetic

Description

A set of built in math operators:

Plus - returns a result for the sum of 2 arguments

Sub - returns a result for 1 argument minus the other

Multi - returns a result for 1 argument multiplied by the other

Div - returns a result for 1 argument divided by the other

Mod - returns the result of the percentage between 2 arguments

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
FunctionDropdownPlusYesSpecify the function you would like to run on two given arguments.
Arg 2IntegerN/AYesSpecify the second argument
Arg 1IntegerN/AYesSpecify the first argument

Example 1: Plus

In this scenario, 200 + 100 resulting in 300.

Example 2: Sub

In this scenario, 1000 - 300 resulting in 700.

Example 3: Multi

In this scenario, 30 x 20 resulting in 600.

Example 4: Div

In this scenario, 500 / 5 resulting in 100.

Example 5: Mod

In this scenario , 100 % 23 resulting in 8.

Action Result

  • Script Result
    Script Result NameValue optionsExample
    ScriptResultCalculated result300


Math Functions

Description

A set of built-in Python functions:

Abs - returns the absolute value of a number

Float - returns a floating point number

Display - converts the number to include commas where needed

Hex - converts a number into a hexadecimal value

Int - returns an integer number

Max - returns the largest item in an iterable

Min - returns the smallest item in an iterable

Round - rounds a number

Sort - returns a sorted number

Sum - sums the items of an iterator

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
FunctionDropdownMaxYesSpecify the Math function you would like to run on the numbers.
NumbersIntegerN/AYesSpecify the numbers you would like to run the math function on separated by comma.

Example 1: Max

In this scenario, the max value out of the numbers: 13.5, -90, 556, 11.32 results in 556.

Example 2: Min

In this scenario, the min value out of the numbers: 13.5, -90, 556, 11.32 results in -90.

Example 3: Round

In this scenario, 57.63 is rounded and resulting in 58.

Example 4: Sort

In this scenario, numbers [13.5, -90.0, 556.0, 11.32] are sorted in ascending order to [-90.0, 11.32, 13.5, 556.0].

Example 5: Sum

In this scenario, the sum of the following numbers [10, 20, 30, 40, 50] is 150.

Example 6: Float

In this scenario, numbers [100,200] are converted to float values of [100.0, 200.0].

Example 6: Hex

In this scenario, numbers [100,200] are converted to hexadecimal values of ['0x64', '0xc8'].

Example 7: Int

In this scenario, a float value of 100.23 is converted to an inter of 100.

Example 8: Abs

In this scenario, a negative integer of -53 is converted to an absolute value of 53.

Example 9: Display

In this scenario, a value of 10000 is converted to include commas resulting in a value of 10,000.

Action Results

  • Script Result
    Script Result NameValue optionsExample
    ScriptResultCalculated result-90


Run JSONPath Query

Description

Runs an JSONPath Query on a given json and extracts values according to the expression.

View https://github.com/h2non/jsonpath-ng for more information on JSONPath.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
JSONDropdownJSONYesSpecify the JSON input.
JSONPath ExpressionStringN/AYesJSON path expressions always refer to a JSON structure in the same way as XPath expressions are used in combination with an XML document.

Example

In this scenario, key2’s value is extracted from the json input resulting in an output value of “value2”.

Action Results

  • JSON Result
    {
    "matches" : {"0" : "value2"}
    }


SanitizeHTML

Description

Given a fragment of HTML, this action will parse it according to the HTML5 parsing algorithm and sanitize any disallowed tags or attributes. This algorithm also handles wrong syntax such as unclosed and (some) misnested tags.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
TagsStringN/ANoTags is the allowed set of HTML tags. Comma separated list. HTML tags not in this list will be escaped or stripped.
AttributesString{‘a’ : [‘href’, ‘title’], ‘abbr’: [‘title’]}NoAttributes lets you specify which attributes are allowed. Value should be a comma separated list
StylesStringN/ANoIf you allow the style attribute, specify the allowed style set, for example color and background-color. Value should be comma separated.
Allow All AttributesCheckboxUncheckedNoSet true to allow all attributes
Input HTMLStringN/AYesSpecify the HTML fragment that will be sanitized.

Example

In this scenario, the Input HTML contains a tag not listed in the Tags section resulting in a sanitized output of “<script>evil()</script>” .

Action Results

  • Script Result
    Script Result NameValue optionsExample
    ScriptResultSanitized Result<script>evil()</script>”


String Functions

Description

Includes basic Pythonic string functions:

Lower: Converts a string into lower case.

Upper: Converts a string into upper case.

Count: Returns the number of times a specified value occurs in a string.

Find: Searches the string for a specified value and returns the position of where it was found.

IsAlpha: Returns "True" if all characters in the string are in the alphabet.

IsDigit: Returns "True" if all characters in the string are digits.

Replace: Returns a string where a specified value is replaced with a specified value.

Strip: Returns a trimmed version of the string.

Title: Converts the first character of each word to uppercase.

Regex Replace: Replaces a regular expression match

JSON Serialize: converts a json object to a serialized string.

Regex: Find a match based on regular expression.

Split: Splits the input string into a list using Param 1 as the separator. Defaults to comma.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
Param2StringN/ANoSpecify the second parameter.
Param1StringN/ANoSpecify the first parameter.
InputStringN/AYesSpecify the input for the function.
FunctionDropdownLowerYesSpecify the function you want to run.

Example 1: Lower

In this scenario, input “SAMPLE INPUT” is converted to “sample input”.

Example 2: Upper

In this scenario, input “sample input” is converted to “SAMPLE INPUT”.

Example 3: Count

In this scenario, it's counting the number of times the word “sample” occurs in the input string, which results in 2. Note, param value is case sensitive.

Example 4: Find 

In this scenario, it’s finding the index where the word “containing” starts in the input string resulting in a value of 13.

Example 5: isAlpha

In this scenario, it’s checking if all characters in the input string are alphanumeric, resulting in a False return value.

Example 6: isDigit

In this scenario, it’s checking if all characters in the input string are digits, resulting in a False return value.

Example 7: Replace

In this scenario, it’s replacing the word “information” with “info” resulting in an output of “sample input containing sample info”.

Example 8: Strip 

In this scenario, it’s removing spaces in the beginning and end of the input string resulting of an output of “sample input containing sample information”.

Example 9: Title

In this scenario, it’s converting the first character of each word in the input string to a capital character resulting in a output of “Sample Input Containing Sample Information”.

Example 10: Regex Replace

In this scenario, we’re searching for “The” using regex and replacing it with “a”.

Example 11: JSON Serialize

In this scenario, it’s converting the json input to a serialized string resulting in a output of "{\"key\" :\"value\"}".

Example 12: Regex

In this scenario, we’re trying to use a regex to pull the value in the input JSON.

Example 13: Split

In this scenario, input is converted to a list using comma as a delimiter resulting in an output of [100,200,300,400,500].

Action Results

  • Script Result
    Script Result NameValue optionsExample
    ScriptResultResult value based on the function23


Time Duration Calculator

Description

Calculates the difference between two date times.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
Input DateTime 1StringN/AYesSpecify the first datetime input value. Supports either strftime format or “now” for the current time.
Input DateTime 1 FormatString%Y-%d-%m'T'%H:%M:%SYesSpecify the strftime format of “Datetime 1” string. For more info, visit https://strftime.org.
Input DateTime 2StringnowYesSpecify the second datetime input value. Supports either strftime format or “now” for the current time.
Input DateTime 2 FormatString%Y-%d-%m'T'%h:%m:%sYesSpecify the strftime format of “Datetime 2” string. For more info, visit https://strftime.org.

Example

In this scenario, it calculates the difference between 2022-13-03'T'04:13:01 and now’s date time resulting in an output of: 0 years, 200 days, 10 hours, 51 minutes and 20 seconds.

Action Results

  • Script Result
    Script Result NameValue optionsExample
    SecondsCalculated time in seconds17319080
  • JSON Result
    {
         "years": 0, "days": 200,
         "hours": 4810, 
         "minutes": 288651, 
         "seconds": 17319080, 
         "duration": "Time between dates: 0 years, 200 days, 10 hours, 51 minutes and 20     
                           seconds"
    }


XMLtoJson

Description

Converts XML formatted input to its JSON representation.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
XMLStringN/AYesSpecify XML to convert to JSON.

Example

In this scenario, we’re converting a sample xml string to a JSON object.

Action Results

  • Script Result
    Script Result NameValue optionsExample
    ScriptResultTrue/FalseTrue
  • JSON Result
    {
    "cybersecurity": {"threat": [{"name": "Malware", "description": "A type of software designed to harm computer systems.", "severity": "High", "prevention": {"software": "Antivirus", "policy": "Regular software updates and patches"}}, {"name": "Phishing", "description": "A fraudulent attempt to obtain sensitive information by impersonating a trustworthy entity.", "severity": "High", "prevention": {"software": "Firewalls and intrusion detection systems", "policy": "Limiting access to network resources to only authorized personnel"}}]}
    }


Detect Hash Type

Description

This action detects the most likely hash type of entities. Supported types are SHA256, MD5, SHA1, SHA-512.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
HashesStringN/AYesSpecify hash value. Supports comma separated list.

Example

In this scenario, we’re identifying hash types for two hashes resulting in MD5 and SHA256.

Action Results

  • Script Result
    Script Result NameValue optionsExample
    IsSuccessTrue/FalseTrue
  • JSON Result
    [{
    "Hash": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9", "HashType": "SHA-256"}, {"Hash": "ed076287532e86365e841e92bfc50d8c", "HashType": "MD5"
    }]


Detect IP Type

Description

Checks if an IP is an IPv4 or IPv6 address. IP Address entities will be enriched with IPType field.

Parameters

ParameterTypeDefault ValueIs MandatoryDescription
IP AddressesStringN/AYesSpecify IP value. Supports comma separated list.

Example

In this scenario, we’re checking two different IP Addresses to identify their type.

Action Results

  • Script Result
    Script Result NameValue optionsExample
    IsSuccessTrue/FalseTrue
  • JSON Result
    [{
    "Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "IPType": "IPV6"}, {"Address": "0.0.0.0", "IPType": "IPV4"}
    }]