Using the Script Native Action

the script native action in swimlane turbine empowers analysts and security professionals to harness the flexibility of python for automating tasks within their playbooks while swimlane turbine supports advanced jsonata scripting, the script action simplifies handling basic python tasks key benefits of the script action flexibility with python leverage python 3 11 to manipulate data and handle edge cases efficiency reduces complexity compared to jsonata for simpler tasks preloaded libraries access standard python libraries, numpy https //numpy org/doc/stable/index html (v1 25 2), and pendulum https //pendulum eustace io/ (v2 1 2) for enhanced scripting capabilities swimlane python chatbot use the swimlane python chatbot for script assistance, powered by chatgpt's openai integration for boolean and null data types, import the json library and use json loads(\<my ref>) to ensure proper data loading python does not natively support all json types, but this method ensures correct handling setting up the script native action here’s how to configure a script action in your playbook from the add panel, drag and drop the script action onto the playbook canvas click configure , then add property to define input data types (string, number, boolean, object, array, or attachment) write your python script in the provided field or select upstream playbook inputs using the property drawer script inputs define static and dynamic inputs using the following supported types string number boolean object array attachment configuring script inputs follow these steps to set up your inputs click add property in the inputs pane to define your inputs rename properties as needed using the pencil icon write or paste your python code in the script pane in this example, a script evaluates a last malicious score to determine if it meets the malicious score threshold outputs tab the outputs tab enables promotion of action outputs for downstream use outputs tab allows you to select all outputs provided by the action and you can promote them the output tab also allows you to mark the data as sensitive you can mark as sensitive my clicking the ellipsis button and click mark sensitive script testing want to test your script action before continuing to build your playbook? in the script action, from the test tab, you can view inputs to the left and script to the right you will notice that "attachment" fields are not shown in the test tab inputs attachments currently cannot be used in test runs of the action, you will have to do a full playbook test to test attachment inputs the result pane at the bottom shows the tested results just like discovered outputs and testing docid\ xdoxji82d8iulanf8c34h in an http action, results vary so in addition to the base of property types, and depending on the inputs you select, the action outputs may return additional properties these are the discovered outputs, which you can promote and/or delete from the outputs tab see a script test use case docid\ zrzcp0gr12dfzzkb risd for an example on testing the script native action handling attachments in scripts if you need to return an attachment or use an attachment as an input in the script native action, follow the instructions below output attachment in your playbook, follow the instructions below to configure an output attachment from the action drop down menu, select script let's title this action return attachment and click configure there are two ways to write python code to return an attachment let's look! under script, enter the following code with output attachment open("test txt") as f f write("test") action outputs = {"first file" f} the test txt placeholder is the name of your attachment you can also write the code as follows second file = output attachment open("test2 txt") second file write("test2") action outputs\["second file"] = second file click apply to save changes input attachment you can use an attachment input in a python script using a script native action from the action drop down menu, select script let's title this action input attachment and click configure click add property and select attachment you can click the pencil icon to edit the name for example, you can change the name to file1 click select a property and select playbook property the playbook property drawer opens and based on the example, you would select the object for first file then return to inputs and repeat steps 4 and 5, but add the object for second file under script, enter the following code with action inputs\["file1"] open() as file1 action outputs\["file1 text"] = file1 read() action outputs\["file1 size"] = file1 size() action outputs\["file1 mimetype"] = file1 mimetype() you can get the size of the attachment using the size() method, and you can get the mime type of the attachment using the mimetype() method both are shown in the code above you can also write the code as follows file2 = action inputs\["file2"] open() action outputs\["file2 text"] = file2 read() file2 close() click apply to save changes now both files are mapped testing the script test your script in the test tab before full integration the results appear in the results pane this is useful for debugging and validating output see the script test use case for detailed examples use cases for more examples and detailed use cases, see the script test use case best practices start simple begin with straightforward scripts before moving to more complex logic use comments comment your code for clarity and easier debugging test frequently use the test tab to validate your script iteratively handle errors gracefully include error handling to manage unexpected inputs or conditions