Skip to content
This repository contains all Demisto content and from here we share content updates
Python Rich Text Format Other
Branch: master
Clone or download
yaakovi Merge pull request #4192 from demisto/commonserver-changelog
Add get_demisto_version to CommonServerPython CHANGELOG
Latest commit 857eaf6 Aug 23, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci updated git sha1 Aug 22, 2019
.github new pr welcome bot message (#3410) May 28, 2019
.guardrails AD Query: fix error message with faulty server (#3338) Apr 11, 2019
.hooks reverted pre-commit changes Aug 1, 2019
Beta_Integrations Exabeam fixes - linters, missing brackets, unreachable code (#4181) Aug 22, 2019
Classifiers Clear release notes (#3489) May 3, 2019
Connections Add vt connections (#1742) Jul 2, 2018
Dashboards Added new SLA OOB content: (#2671) Jan 6, 2019
DockerImageFiles Fixes May 28, 2019
Documentation Revert "Powershell content support (#3691)" (#3803) Jul 3, 2019
IncidentFields Update change logs (#4102) Aug 14, 2019
IndicatorFields fixed id of indicator fields (#4156) Aug 20, 2019
Integrations Merge pull request #4189 from demisto/clear_rn19.8.2 Aug 22, 2019
Layouts Indicator Layouts cherry pick (#4144) Aug 20, 2019
Misc Merge branch 'master' of into clear_rn19.8.2 Aug 22, 2019
Playbooks Added change log to new playbooks Aug 22, 2019
Releases Update sane doc reports automation (#4114) Aug 18, 2019
Reports Clear release notes (#3336) Apr 4, 2019
Scripts move rn to changelog and remove md file Aug 23, 2019
TestData QRadar support 7.3.2 patch 3 (#4067) Aug 15, 2019
TestPlaybooks [Enhancement] Carbon Black Enterprise Response - Process info (#4143) Aug 22, 2019
Tests Add get_demisto_version function (#4135) Aug 22, 2019
Tools Adding o365 with agent tools in new content update ready structure. P… Nov 20, 2016
Utils Awsinstancetool (#3933) Jul 25, 2019
Widgets Clear release notes (#3336) Apr 4, 2019
docs Merge pull request #3981 from demisto/tests-docs Aug 18, 2019
.gitignore runas user for docker with fix for GetDuplicateMlv2, EWSMailSender, V… Jul 21, 2019 Create Feb 11, 2018 Update (#1909) Aug 8, 2018
LICENSE Create LICENSE Nov 23, 2016 Update Jul 28, 2019 OOP validate hook Feb 23, 2019
content-descriptor.json clear release notes Jun 25, 2019 New indicator fields (#4047) Aug 8, 2019
demisto_content_logo.png add logo Mar 5, 2018 Update Aug 22, 2019 runas user for docker with fix for GetDuplicateMlv2, EWSMailSender, V… Jul 21, 2019 New release notes format (#3957) Aug 11, 2019
requirements.txt Add requirements packages (#3340) Apr 10, 2019
tox.ini Parse email raw to/from/cc headers (#3441) Apr 29, 2019

Content logo


Demisto Platform - Content Repository

This repo contains content provided by Demisto to automate and orchestrate your Security Operations. Here we will share our ever-growing list of playbooks, automation scripts, report templates and other useful content.

We security folks love to tinker, keep enhancing and sharpening our toolset and we decided to open up everything and make it a collaborative process for the entire security community. We want to create useful knowledge and build flexible, customizable tools, sharing them with each other as we go along.

We invite you to use the playbooks and scripts, modify them to suit your needs and see what works for you, get involved in the community discussion and of course remember to give back and contribute so that others can enjoy and learn from your hard work and build upon it to enhance it even further.


The Demisto Platform includes a visual playbook editor - you can add and modify tasks, create control flow according to answers returned by your queries, and automate everything with your existing security tools, services and products. You can also export your work to a file in the COPS format, and import playbooks shared by your peers who have done the same.

We will be releasing more and more playbooks for interesting scenarios, so stay tuned. If you are working on an interesting playbook of your own, feel free to send us a Pull Request and let's build it together.

The spec for our open playbook format, COPS, can be found here.


These scripts written in Python or Javascript perform Security Operations tasks. The scripts are built to run inside the Demisto Platform - they can query or send commands to a long list of existing security products, and react based on the output.

You can take your logic and the way you want to work and write your own scripts, allowing for maximum flexibility. The services and products you use can be online Cloud-based or on-premises setups, and we have tools to support more complex topologies such as when the product's subnet is firewalled off.


Integrations written in Javascript or Python enable the Demisto Platform to orchestrate security and IT products. Each integration provides capabilities in the form of commands and each command usually reflects a product capability (API) and returns both a human readable and computer readable response.

Creating an Integration

Let's look at Demisto and get started on your first integration.

Follow the steps here to learn about the Demisto IDE

Code Conventions

The Demisto Code Conventions will help you understand how we format our Integrations and some of the tips and tricks we have developed over the years.

Learn about the Demisto Code Conventions

Context and Outputs

The Demisto platform relies heavily on collecting data from various endpoints (integrations) and creating a "Context" for them. This allows customers to be able to use the data to perform various tasks they may need to accomplish.

Click here to learn about Context and Outputs

Context Standards

When we are working with data that is generic across all platforms, we format them according to our context standards. This helps integrations work interchangeably inside other playbooks.

Learn about our Context Standards here


In some cases, it will be necessary to create a docker image to enable your integration to run. When this happens, we must create a new docker image using the steps outlined here:

Create a Docker Image


Demisto Platform support flexible reports written in JSON. All of our standard reports calculating various incident statistics and metrics are stored in this repo.

Contributing Content

For instructions about adding/modifying playbooks and scripts please see our contributor guide.

Enjoy and feel free to reach out to us on the DFIR Community Slack channel, or at

Release Notes

For information about content release notes conventions, refer to our release notes documentation.

Git configuration

Copy the pre-commit hook from .hooks to .git/hooks. Run the following command from the repository root:

cp .hooks/* .git/hooks

Documentation Directory

Link Description
Tutorial Video A step-by-step introduction to creating an integration
Getting Started A brief explanation of the Demisto IDE
Code Conventions Our Code Conventions
Context and Outputs Brief overview of Context and Outputs
Context Conventions Conventions for the Demisto Standard Context
Contributing How to contribute to the Content Repo
Creating Playbooks How to create a Playbook
DBot Score How the DBot Score works
Demisto Transform Language (DT) Understanding Demisto Transform Language (DT)
Docker How to use Docker
Fetching Incidents How to Fetch Incidents
Fetching Credentials How to Fetch Credentials
Integration Documentation How to generate documentation for an integration
YAML File Explanation of the Demisto YAML structure
Integration Parameter Types Description of the various integration parameter types
You can’t perform that action at this time.