Demisto Class
'All Python integrations and scripts have available as part of the runtime the demisto class object. The object exposes a series of API methods which are used to retrieve and send data to the Cortex XSOAR Server.
note
The demisto class is a low level API. For many operations we provide a simpler and more robust API as part of the Common Server Functions.
params
(Integration only) Retrieves the integration parameters object
Returns:
dict- Integrations parameters object
args
Retrieves a command / script arguments object
Returns:
dict- Arguments object
command
(Integration only) Retrieves the integration command that is being run
Returns:
str- Integrations command name
log
Prints a message to the current incidents war room log
Arguments:
msgstr - The message to be logged
Returns:
None- No data returned
get
Extracts field value from nested object
Arguments:
objdict - The object to extract the field fromfieldstr - The field to extract from the object, given in dot notation
Returns:
str- The value of the extracted field
gets
Extracts field value from nested object
Arguments:
objdict - The object to extract the field fromfieldstr - The field to extract from the object, given in dot notation
Returns:
str- The value of the extracted field
context
Retrieves the context data object of the current incident
Returns:
dict- Context data object
uniqueFile
Generate a unique file name based upon a random UUID
Returns:
str- Random UUID
getLastRun
(Integration only) Retrieves the LastRun object
Returns:
dict- LastRun object
setLastRun
(Integration only) Stores given object in the LastRun object
Arguments:
objdict - The object to store
Returns:
None- No data returned
info
Prints a message to the server logs in info level
Arguments:
msgstr - The message to be loggedargsdict - Additional arguments to log
Returns:
None- No data returned
error
Prints a message to the server logs in error level
Arguments:
msgstr - The message to be loggedargsdict - Additional arguments to log
Returns:
None- No data returned
debug
Prints a message to the server logs in debug level
Arguments:
msgstr - The message to be loggedargsdict - Additional arguments to log
Returns:
None- No data returned
getAllSupportedCommands
(Script only) Retrieves all available integration commands and scripts
Returns:
dict- Object of all available integrations and scripts
results
Outputs entries to the war-room
Arguments:
resultsUnion[list, dict] - The entry object or array of entry objects to output
Returns:
None- No data returned
credentials
(Integration only) For integrations that support fetching credentials. Send the fetched credentials to the server.
Arguments:
credentialslist - List of credential objects
Returns:
None- No data returned
getFilePath
Retrieves file path and name, given file entry ID
Arguments:
idstr - File entry ID to get details of
Returns:
dict- Object contains file ID, path and name
investigation
Retrieves the ID of the investigation in which being run in
Returns:
dict- Object contains the investigation ID
executeCommand
(Script only) Executes given integration command / script and arguments
Arguments:
commandstr - Integration command name or script name to runargsdict - Integration command / script arguments
Returns:
Union[dict, list]: Command execution response wrapped in Demisto entry object
getParam
(Integration only) Extracts given parameter from the integration parameters object
Arguments:
paramstr - Integration parameter to get value of
Returns:
str- Integration parameter value
getArg
Extracts given argument from the arguments object
Arguments:
argstr - Argument to get value of
Returns:
str- Argument value
setIntegrationContext
(Integration only) Stores given object in the IntegrationContext object
Arguments:
contextdict - The object to store
Returns:
None- No data returned
getIntegrationContext
(Integration only) Retrieves the IntegrationContext object
Returns:
dict- IntegrationContext object
setIntegrationContextVersioned
(Integration only) Stores given object in the IntegrationContext object in given version
Arguments:
contextdict - The object to storeversionint - The context version to set. If the version is older than the current, an error will be thrown. (Default value = -1) # noqasyncbool - Whether to save the context to the DB right away. If false, the context will be saved at the end of the command. (Default value = False)
Returns:
None- No data returned
getIntegrationContextVersioned
(Integration only) Retrieves the versioned IntegrationContext object
Arguments:
refreshbool - Whether to get the integration context straight from the DB and not from the instance memory. (Default value = False) # noqa
Returns:
dict- IntegrationContext versioned object
incidents
In script, retrieves the Incidents list from the context
In integration, used to return incidents to the server
Arguments:
incidentslist - In integration only, list of incident objects (Default value = None)
Returns:
list- List of incident objects
incident
Retrieves the current incident
Returns:
dict- dict representing an incident object
setContext
(Script only) Sets given value in path in the context data
Arguments:
contextPathstr - The context data path to set the value invaluestr - The value to set in the context data path
Returns:
dict- Object contains operation result status
demistoUrls
Retrieves the following URLs related to the incident.
- evidenceBoard
- investigation
- relatedIncidents
- server
- warRoom
- workPlan You can use these URLs when you send notifications outside the system over email or slack and would like to include a link to the incident.
Returns:
dict- Object contains server URLs with page as key and URL as value
dt
Extracts field from object using DT language syntax
Arguments:
objdict - The object to look in for the requested field (Default value = None)trnsfrmstr - The field to get value of (Default value = None)
Returns:
str- The field value in the object
addEntry
(Integration only) Adds an entry to a mirrored investigation war room
Arguments:
idstr - Incident ID to add the entry inentrystr - The text to add in the entryusernamestr - The username of the user to be the entry creator (Default value = None)emailstr - The email address of the user to be the entry creator (Default value = None)footerstr - The email address of the user to be the entry creator (Default value = None)
Returns:
None- No data returned
mirrorInvestigation
(Integration only) Marks an investigation as mirrored
Arguments:
idstr - Incident ID to mirrormirrorTypestr - Contains mirror type and mirror direction separated by colon, e.g. all:bothautoClosebool - Whether to close the investigation when the mirrored channel is closed/archived (Default value = False)
Returns:
None- No data returned
updateModuleHealth
(Integration only) Updated integration module health with given error message
Arguments:
errorstr - The error message to display in the integration module health
Returns:
None- No data returned
directMessage
(Integration only) Executes command provided in direct message to messaging bot
Arguments:
messagestr - The message sent in personal contextusernamestr - The username of the user that sent the direct message (Default value = None)emailstr - The email address of the user that sent the direct message (Default value = None)anyoneCanOpenIncidentsbool - Whether external users can create incidents or not (Default value = None)
Returns:
str- Server response to command executed in the direct message
createIncidents
(Integration only) Creates incident in long running execution
Arguments:
incidentslist - List of incident objects to create, with the following optional keys:- name (str)
- type (str) - If not provided, an Unclassified incident will be created
- labels (list) - List of {"type": , "value": } objects
- rawJSON (str) - Will be omitted after the classification & mapping step
- occurred (str)
- details (str)
- severity (int)
lastRundict - the LastRun object to set (Default value = None)userIDstr - The user associated with the request (Default value = None)
Returns:
Union[list, dict]: Created incident object
findUser
(Integration only) Looks up for a user in the system
Arguments:
usernamestr - The username of the user to search for (Default value = None)emailstr - The email address of the user to search for (Default value = None)
Returns:
dict- Object representing the user found
handleEntitlementForUser
(Integration only) Sends request to server to process entitlement response given from messaging client
Arguments:
incidentIDstr - The incident ID in which the question was sent inguidstr - The entitlement UUID which identifies the questionemailstr - The email address of the user that respondedcontentstr - The content of the responsetaskIDstr - The playbook task ID to mark as complete (Default value = "")
Returns:
None- No data returned
demistoVersion
Retrieves server version and build number
Returns:
dict- Objects contains server version and build number
integrationInstance
(Integration only) Retrieves the integration instance name in which ran in
Returns:
str- The integration instance name
createIndicators
(Integration only) Creates indicators from given indicator objects batch
Arguments:
indicators_batchlist - List of indicators objects to create
Returns:
None- No data returned
searchIndicators
Searches for indicators according to given query
Arguments:
fromdatestr - The start date to search from (Default value = '')querystr - Indicator search query (Default value = '')sizeint - Limit the number of returned results (Default value = 100)pageint - Response paging (Default value = 0)todatestr - The end date to search until to (Default value = '')valuestr - The indicator value to search (Default value = '')searchAfterstr - Use the last searchIndicators() outputs for search batch (Default value = None)
Returns:
dict- Object contains the search results
getIndexHash
(Integration only) Retrieves the hashed value of the tenant in which ran in
Returns:
str- Hashed value of tenant name
getLicenseID
Retrieves the ID of the license used in the server
Returns:
str- The license ID
mapObject
Mapping an object using chosen mapper
Returns:
dict- the obj after mapping