Cortex XSOAR Content Release Notes for version 20.10.0 (142601)

Published on 13 October 2020

New: Cisco Email Security (Beta) Pack v1.0.0

Integrations

Cisco Email Security (Beta)

Cisco Email Security is an email security gateway. It detects and blocks a wide variety of email-born threats, such as malware, spam, and phishing.


New: Coralogix Pack v1.0.0 (Partner Supported)

Integrations

Coralogix

Fetches incidents, searches for supporting data and tags interesting datapoints in or from your Coralogix account.


New: Feed OpenCTI Pack v1.0.0

Integrations

OpenCTI Feed

Ingests indicator feeds from OpenCTI.


New: Integrations & Incidents Health Check Pack v1.0.0 (Server 6.0+)

Enables system users to review all of the failed integrations, incidents, and playbooks. As part of this pack, you will get out-of-the-box, full layouts, dashboards, an incident type, and incident fields. All of these are easily customizable to suit the needs of your organization. You can configure a job on an hourly/daily/weekly basis to perform the health check. The job will run the checkup playbook that tests all enabled integrations and searches for open incidents with errors to get their status and retrieve the error information. Additionally, this job will update the dashboards for visibility.

Dashboards

  • Incidents Health
  • Integrations Health

Incident Fields

  • Created Date Failed Incidents
  • Integrations Categories
  • Integrations Failed Categories
  • Number of Entries ID Errors
  • Number of Failed Incidents
  • Playbook Names With Failed Tasks
  • Playbook Tasks Errors
  • Playbooks Failed Commands
  • Playbooks With Failed Tasks
  • Total Failed Instances
  • Total Good Instances
  • Total Instances
  • Unassigned Incidents
  • failed incidents created date
  • similarIncident

Incident Types

Integrations and Incidents Health Check

Playbooks

Integrations and Playbooks Health Check - Running Scripts

This playbook is triggered by a JOB - Integrations and Playbooks Health playbook and is responsible for running failed integrations and failed incidents scripts. The playbook may run separately from the main playbook to run health tests on enabled integrations and open incidents.

JOB - Integrations and Playbooks Health Check

This playbook checks the health of all enabled integrations and open incidents. You should run this playbook as a scheduled job.

JOB - Integrations and Playbooks Health Check - Lists handling

This playbook is triggered by a JOB - Integrations and Playbooks Health playbook and is responsible for creating or updating related Cortex XSOAR lists.

Reports

Integrations and Incidents Health Check

Reports all failed enabled integrations and failed open incident.

Scripts

CopyLinkedAnalystNotes

Copies the analyst notes from the integrations and incidents grid.

GetFailedTasks

Gets failed tasks details for incidents based on a query.

IncidentsCheck-NumberofIncidentsNoOwner

Displays the number of unassigned incidents in the Health Check dynamic section.

IncidentsCheck-NumberofIncidentsWithErrors

Displays the number of failed incidents in the Health Check dynamic section.

IncidentsCheck-NumberofTotalEntriesErrors

Displays the total number of errors in failed incidents in the Health Check dynamic section.

IncidentsCheck-PlaybooksFailingCommands

Displays the top ten commands of the failed incidents in a pie chart in the Health Check dynamic section.

IncidentsCheck-PlaybooksHealthNames

Displays the top ten playbook names of the failed incidents in a bar chart in the Health Check dynamic section.

IncidentsCheck-Widget-CommandsNames

Data output script for populating the dashboard pie graph widget with the top failing incident commands.

IncidentsCheck-Widget-CreationDate

Data output script for populating the dashboard line graph widget with the creation date of failing incidents.

IncidentsCheck-Widget-IncidentsErrorsInfo

Data output script for populating the dashboard table graph widget with information about failing incidents.

IncidentsCheck-Widget-NumberFailingIncidents

Data output script for populating the dashboard number graph widget with the number of failing incidents.

IncidentsCheck-Widget-NumberofErrors

Data output script for populating the dashboard number graph widget with the number of entry ID errors.

IncidentsCheck-Widget-PlaybookNames

Data output script for populating the dashboard bar graph widget with the top failing playbooks name.

IncidentsCheck-Widget-UnassignedFailingIncidents

Data output script for populating the dashboard number graph widget with the number of unassigned failing incidents.

InstancesCheck-FailedCategories

Displays the top ten categories of the failed integrations in a pie chart in the Health Check dynamic section.

InstancesCheck-NumberofEnabledInstances

Displays the total number of checked integrations in the Health Check dynamic section.

InstancesCheck-NumberofFailedInstances

Displays the total number of failed integrations in the Health Check dynamic section.

IntegrationsCheck-Widget-IntegrationsCategory

Data output script for populating the dashboard pie graph widget with the failing integrations.

IntegrationsCheck-Widget-IntegrationsErrorsInfo

Data output script for populating the dashboard table graph widget with information about failing integrations.

IntegrationsCheck-Widget-NumberChecked

Data output script for populating the dashboard number graph widget with the number of checked integrations.

IntegrationsCheck-Widget-NumberFailingInstances

Data output script for populating the dashboard number graph widget with the number of failing integrations.

Widgets

Number of Checked Integrations

A widget displaying the number of checked integrations.

Failed Incidents Information

A widget displaying the failed incidents information in a table.

Failed Instances Category

A pie widget displaying the failed instances category.

Failed Instances Information

A table widget displaying the failed instances information.

Number Of Failed Instances

A number widget displaying the failed integrations.

Top Failed Commands

A pie chart displaying the top failed commands.

Top Failed Playbook Names

A bar chart displaying the top failed playbook names.

Creation Date of Failed Incidents

A line widget displaying the creation date of the failed incidents.

Number of Errors

A number widget displaying the total number of errors (entries ID).

Number of Failed Incidents

A number widget displaying the number of the failed incidents.

Number of Failed Unassigned Incidents

A number widget displaying the total number of unassigned failed incidents.


New: Lacework Pack v1.0.0 (Community Contributed)

Integrations

Lacework

Lacework provides customers with visibility and control over their cloud operations at cloud scale to the monitoring of all activities across all cloud components.


New: Microsoft Endpoint Configuration Manager Pack v1.0.0

Integrations

Microsoft Endpoint Configuration Manager

The configuration manager provides the overall Configuration Management (CM) infrastructure and environment to the product development team (formerly known as SCCM).


New: RegexReplace Pack v1.0.0 (Community Contributed)

Scripts

RegexReplace

Searches for and replaces occurrences of a pattern (regular expression) inside a string. If the regex does not match any pattern, the original value is returned.


New: RiskIQ Digital Footprint Pack v1.0.0 (Partner Supported)

Incident Fields

  • RiskIQ Asset AWS Security Group Name
  • RiskIQ Asset Contact
  • RiskIQ Asset GCP Firewall Name
  • RiskIQ Asset Name
  • RiskIQ Asset Okta Zone ID
  • RiskIQ Asset Owner
  • RiskIQ Asset Type
  • RiskIQ Skip Manual Tasks
  • RiskIQ Support Contact

Incident Types

  • RiskIQ Asset Management

IndicatorFields

RiskIQAsset Added To Inventory

Date and time when the asset was added to the RiskIQ Digital Footprint inventory.

RiskIQAsset Brands

Names of the brands applied to the asset.

RiskIQAsset Confidence

Discovery confidence level of the asset.

RiskIQAsset CVEs

CVEs detected from the details of the asset.

RiskIQAsset Enterprise Asset

Whether the asset has been designated as an enterprise asset by RiskIQ Digital Footprint.

RiskIQAsset First Seen

Date and time when the asset was first observed on RiskIQ Digital Footprint.

RiskIQAsset Inventory Status

Inventory status of the asset.

RiskIQAsset Last Seen

Date and time when the asset was most recently observed on RiskIQ Digital Footprint.

RiskIQAsset Last Updated

Date and time when the most recent update was performed on the asset by a user action on RiskIQ Digital Footprint.

RiskIQAsset Organizations

Names of the organizations applied to the asset.

RiskIQAsset Priority

Priority of the asset.

RiskIQAsset Tags

Names of the tags applied to the asset.

RiskIQAsset Type

The type of the asset.

RiskIQAsset UUID

The unique identifier of the asset on RiskIQ Digital Footprint.

IndicatorTypes

Packs/RiskIQDigitalFootprint/IndicatorTypes/reputation-RiskIQAsset.json

Integrations

RiskIQ Digital Footprint

The RiskIQ Digital Footprint integration enables your security team to manage assets outside your firewall. Using the integration, you can view asset details, add or update assets, and analyze your digital footprint from the adversary's perspective.

Layouts

  • RiskIQ Asset Management - Summary
  • RiskIQ Asset Management - New/Edit
  • RiskIQ Asset Management - Mobile
  • RiskIQ Asset Management - Quick View

Playbooks

Enrich Incident With Asset Details - RiskIQ Digital Footprint

Enriches the incident with asset details, and enriches the asset with the incident URL on the RiskIQ Digital Footprint platform. This playbook also sends an email containing the owner's information to the primary or secondary contact of the asset and provides the user with an opportunity to update or remove the asset. Supported integration: RiskIQ Digital Footprint.

Update Or Remove Assets - RiskIQ Digital Footprint

Using various user inputs, this playbook checks if the user wants to update or remove an asset, and performs the respective actions. Supported integration: RiskIQ Digital Footprint.


New: Spamcop Pack v1.0.0 (Community Contributed)

Integrations

Spamcop

SpamCop is an email spam reporting service. The integration enables checking the reputation of an IP address.


New: Troubleshoot Pack v1.0.0

Scripts

CertificatesTroubleshoot

Exports all certificate-related information from the Python Docker container and decodes it using RFC. It also gets the certificate located in the specified endpoint.


New: WootCloud Pack v1.0.0 (Partner Supported)

Integrations

WootCloud

Appends HyperContext™ insights to your SIEM data and feeds them into your orchestration workflows.


New: XSOAR Mirroring Pack v1.0.0

Classifiers

  • XSOAR Mirror
  • XSOAR Mirror In
  • XSOAR Mirror Out

Incident Fields

From Pong

Incident Types

  • Ping
  • Pong

Integrations

XSOAR Mirroring

Facilitates mirroring of XSOAR incidents between different XSOAR tenants.


AWS - EC2 Pack v1.1.3

Integrations

AWS - EC2

Added clarification to the fromPort and toPort arguments for the aws-ec2-authorize-security-group-ingress-rule and aws-ec2-revoke-security-group-ingress-rule commands.


Active Directory Query Pack v1.0.5

Integrations

Active Directory Query v2
  • Fixed several typos.
  • Updated the Docker image to: demisto/ldap:1.0.0.11282.

Aella Star Light Pack v1.0.1

Integrations

Aella_StarLight

Documentation and metadata improvements.


Anomali ThreatStream Pack v1.0.4

Integrations

Anomali ThreatStream v2
  • Maintenance and stability enhancements.
  • Fixed an issue in the threatstream-import-indicator-with-approval command where indicators were not imported to the Anomali ThreatStream platform.

AutoFocus Pack v1.1.4

Integrations

AutoFocus Feed
  • Maintenance and stability enhancements.
  • Updated the Docker image to: 3.8.5.11789.

Base Pack v1.3.15

Scripts

CommonServerPython
  • Maintenance and stability enhancements.
  • Fixed an issue where an unneeded import error was raised.
WordTokenizerNLP

Fixed a performance issue.

DBotTrainTextClassifierV2

Added a validation to check that the phishingLabels argument is consistent with the input incidents.git.

GetIncidentsByQuery
  • Queries incidents in batches (paging). You can set the batch range by passing the pageSize argument. The default is 500.
  • Updated the script to Python 3.

Carbon Black Enterprise Response Pack v1.1.0

Playbook

Get File Sample From Path - Carbon Black Enterprise Response
  • Deprecated the CBLiveGetFile automation command. Use the CBLiveGetFile_V2 automation command instead.
  • Updated playbook outputs with the CBLiveGetFile_V2 command.

Scripts

CBLiveFetchFiles
  • Deprecated the CBLiveGetFile automation command. Use the CBLiveGetFile_V2 automation command instead.
  • Changed the automation structure to Package format.
New: CBLiveGetFile_V2

This automation translates an endpoint's hostname/IP address to the Carbon Black sensor ID. It then opens a session to the endpoint to download the specified file paths and closes the session.


CaseManagement-Generic Pack v1.0.1

Layouts

Updated the ID of the layouts.

  • layout-close-Case_layout-Case.json
  • layout-detailsV2-Case_layout-Case.json
  • layout-edit-Case_layout-Case.json
  • layout-mobile-Case_layout-Case.json
  • layout-quickView-Case_layout-Case.json
  • Case layout

Incident Types

Case Updated the bounded layout.


Check Point Firewall Pack v2.0.0

Integrations

New: Check Point Firewall v2

Reads information and sends commands to the Check Point Firewall server.

Playbooks

Checkpoint - Block IP - Custom Block Rule

Blocks IP addresses using custom block rules in the Checkpoint firewall.

Checkpoint - Block URL

Blocks URLs using the Checkpoint firewall through custom URL categories.

Checkpoint - Publish&Install configuration

Publishes the Checkpoint firewall configuration and installs a policy over all the gateways that are available.

Scripts

CheckpointFWCreateBackup

Connects to a Checkpoint firewall appliance using SSH and triggers a task to create a configuration backup of the device. The user account that accesses the device must be set up to use the SSH shell and not the built-in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to set up the user account to use the SSH shell.

CheckpointFWBackupStatus

Connects a Checkpoint firewall appliance using SSH and retrieves the status of the backup tasks. The user account that accesses the device must be set up to use the SSH shell and not the built-in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to set up the user account to use the SSH shell.

CheckPointDownloadBackup

Downloads the CheckPoint policy backup to the Cortex XSOAR War Room.


Chronicle Pack v1.1.2 (Partner Supported)

Pack has been certified.


Code42 Pack v2.0.5 (Partner Supported)

Pack has been certified.


Cofense Triage Pack v1.1.6 (Partner Supported)

Integrations

Cofense Triage v2
  • Added the cofense-search-inbox-reports command.
  • Added the mailbox_location parameter to control the source of the periodic incident poll.
  • Expanded the cofense-search-reports command to support specifying a reporter by its email address. The cofense-search-inbox-reports command already supports this.
  • Updateed the Docker image to: 1.0.0.12337.

Common Playbooks Pack v1.8.2

Playbooks

New: Field Polling - Generic

This playbook polls a field to check if a specific value exists.


Common Scripts Pack v1.2.54

Scripts

FindSimilarIncidents

Fixed an issue where the script failed to find incidents by numeric field values.

New: CheckFieldValue

This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the GenericPolling playbook to poll whether the field is populated or that the field contains a specific value.

SetByIncidentId

Updated the script to execute using the DBot role.

jmespath
  • Fixed an issue where the JMESpath transformer did not handle list data as expected.
  • Updated the Docker image to: demisto/jmespath:1.0.0.10854.
New: URLEncode

Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.

SearchIncidentsV2
  • Improved the description of the size argument.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Common Widgets Pack v1.0.4

Scripts

GetLargestInvestigations
  • Fixed an issue where the script would fail if no investigations were found.
  • Updated the Docker image to: 3.8.5.11789.
  • Fixed an issue where the results were not sorted properly.
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.
  • Changed the default result format to Markdown.
  • Added handling for Playground investigation.
  • Added the table_result argument, which returns a result in either Markdown or in a format suitable for a table widget. By default, the result is in Markdown.
GetLargestInputsAndOuputsInIncidents
  • Fixed an issue where the script would fail if no inputs or outputs were found.
  • Updated the Docker image to: 3.8.5.11789.
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.
  • Changed the table header TaskID to a hyperlink to the task.
  • Changed the default result format to Markdown.

Widgets

Largest Investigations

Fixed an issue where the widget did not pull information from the correct script.

Largest Inputs And Outputs In Incidents
  • Documentation and metadata improvements.
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.
  • Changed the table header TaskID to a hyperlink to the task.
Largest Incidents by Storage Size
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.

Cortex Data Lake Pack v1.2.5

Integrations

Cortex Data Lake

Maintenance and stability enhancements.


CrowdStrike Falcon Pack v1.2.5

Classifiers

Added 2 new classifiers:.

  • CrowdStrike Falcon Classifier - CrowdStrike Falcon Incident Classifier
  • CrowdStrike Falcon Mapper - CrowdStrike Falcon Mapper for incidents and detections.

Incident Fields

Added 3 new incident fields:

  • Behaviour Tactic
  • Behaviour Scenario
  • Behaviour Objective

Integrations

CrowdStrike Falcon
  • Added the cs-device-ran-on command, which gets a list of device IDs on which an indicator ran.
  • Updated the Docker image to: 3.8.5.11789.
  • Added 2 new commands.
  • cs-falcon-list-incident-summaries
  • cs-falcon-list-detection-summaries
  • Added the ability to fetch incidents, detections, or both.
  • Fixed an issue where the Choose what to fetch integration parameter was used to fetch only detections.
  • Added the following IOC API commands:
    • cs-falcon-search-iocs
    • cs-falcon-get-ioc
    • cs-falcon-upload-ioc
    • cs-falcon-update-ioc
    • cs-falcon-delete-ioc
    • cs-falcon-device-count-ioc
    • cs-falcon-processes-ran-on
    • cs-falcon-process-details
  • Deprecated the cs-device-ran-on command. Use the cs-falcon-device-ran-on command instead.
  • Updated the Docker image to the latest version.

CrowdStrike Falcon Intel Pack v2.0.1

Integrations

CrowdStrike Falcon Intel v2
  • Improved the credentials display name.
  • Updated the Docker image to: 3.8.6.12176.

Cymulate Pack v1.0.6 (Partner Supported)

Integrations

Cymulate

Documentation and metadata improvements.


DUO Admin Pack v2.0.3

Integrations

DUO Admin

Maintenance and stability enhancements.


Expanse Pack v1.1.2 (Partner Supported)

Pack has been certified.


FalconHost Pack v1.1.3

Integrations

FalconHost (Deprecated)

Deprecated the FalconHost integration. Use the CrowdStrike Falcon integration instead.


FireEye HX Pack v1.0.5

Integrations

FireEye HX
  • Maintenance and stability enhancements.
  • Fixed an issue where the fireeye-hx-host-containment command failed when using an API version higher than v3.

Genians Pack v1.0.1 (Partner Supported)

Integrations

Genians

Documentation and metadata improvements.


IBM QRadar Pack v1.1.2

Integrations

IBM QRadar v2
  • Added the get-mapping-fields command and schema.
  • Updated the Docker image to the latest version.
  • Added the qradar-get-custom-properties command.
  • Simplified the way asset properties are displayed in fetched incidents. This may adversely affect existing asset mapping.
  • Fixed an issue where the time occurred field for fetched incidents would store a timestamp value instead of an ISO formatted time string.

IBM X-Force Exchange Pack v1.0.3

Integrations

IBM X-Force Exchange (Deprecated)
  • Moved the deprecated XFE integration to this pack.
  • Removed the IBM X-Force Exchange pack.
  • Updated fromVersion

Illusive Networks Pack v1.0.5 (Partner Supported)

Pack has been certified.


Indeni Pack v1.0.6 (Partner Supported)

Integrations

Indeni

Documentation and metadata improvements.


Luminate Pack v1.0.1

Integrations

Luminate

Documentation and metadata improvements.


Malwarebytes Pack v1.1.0 (Partner Supported)

Integrations

Malwarebytes
  • Fixed so that events show up in the classification mapping.
  • Updated the Docker image to: 1.0.0.11697.

McAfee ESM Pack v1.1.1

Integrations

McAfee ESM v2
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.5.11789.

McAfee ESM v10 and v11 Pack v1.0.5

Integrations

McAfee ESM v10 and v11 (Deprecated)

Maintenance and stability enhancements.


Microsoft Defender Advanced Threat Protection Pack v1.2.2

Integrations

Microsoft Defender Advanced Threat Protection
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/crypto:1.0.0.11650.

Microsoft Graph Mail Pack v1.0.8

Integrations

Microsoft Graph Mail

Modified the integration to fetch email messages by received date.


Microsoft Graph Mail Single User Pack v1.0.7

Integrations

Microsoft Graph Mail Single User
  • Modified the integration to fetch email messages by received date.
  • Updated the integration Docker image to: demisto/crypto:1.0.0.11650.

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.1

Integrations

Microsoft Management Activity API (O365 Azure Events)

Maintenance and stability enhancements.


MicrosoftCloudAppSecurity Pack v1.0.5

Integrations

Microsoft Cloud App Security
  • Fixed an issue in fetch incidents, where the order of the incidents was incorrect.
  • Updated the Docker image to: 3.8.5.11789.
  • Fixed an issue where the Incident severity and Incident resolution status integration parameters were used to filter out fetch incidents.

Minerva Labs Anti-Evasion Platform Pack v1.0.1 (Partner Supported)

Integrations

MinervaLabsAntiEvasionPlatform

Documentation and metadata improvements.


OpenPhish Pack v2.0.0

Integrations

New: OpenPhish v2

Added the OpenPhish V2 integration to provide enrichment for URLs.

OpenPhish (Deprecated)

This integration is deprecated. Use the OpenPhish v2 integration instead.


PAN-OS Pack v1.6.3

Integrations

Palo Alto Networks PAN-OS
  • Fixed an issue where the panorama command failed when using the export type.
  • Updated the Docker image to: demisto/python3:3.8.5.11789.
  • Added the deviceName and sessionID arguments to the panorama-get-pcap command.
  • Added the edl_type, location, and vsys arguments to the panorama-refresh-edl command, which allows refreshing of an EDL object that resides on Panorama.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.1

Classifiers

Cortex XDR - Incoming Mapper

Added support for severity mapping from Cortex XDR incident to Cortex XSOAR incident.

Cortex XDR - Outgoing Mapper

Added outgoing mapper from XSOAR incident to XDR incidents.

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response
  • Added support for incident mirroring between Cortex XDR to Cortex XSOAR. Available from version 6.0.0.
  • Added the Sync Incident Owners integration parameter that synchronizes the owners between XSOAR and XDR incidents. Note that this feature will only work when the users are registered both in XDR and XSOAR.
  • Added the Fetch incident alerts and artifacts integration parameter to get extra incident data when fetching XDR incidents.
  • Fixed an issue where incidents were not fetched in cases where some incident fields were not entered.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Layouts

Cortex XDR Incident

Playbooks

Cortex XDR Incident Sync
  • Updated the playbook description.
  • Do not use this playbook as a default playbook when using the newly added mirroring feature in Cortex XSOAR version 6.0.0. For more information, see the the XDR Incident Mirroring section in the integration documentation.
Cortex XDR incident handling v3

Improved implementation of the Cortex XDR incident handling v2 playbook to work with incident mirroring between Cortex XDR and Cortex XSOAR.

Scripts

XDRSyncScript

Deprecated from version 6.0.0. Use the mirroring feature instead.


PassiveTotal Pack v2.0.3 (Partner Supported)

Integrations

PassiveTotal

Documentation and metadata improvements.


PolySwarm Pack v1.0.2 (Partner Supported)

Integrations

PolySwarm
  • Maintenance and stability enhancements.
  • Documentation and metadata improvements.

RSA Archer Pack v1.1.1

Integrations

RSA Archer (Deprecated)

Deprecated. Use the RSA Archer v2 integration instead.


RecordedFuture v2 Pack v1.0.1 (Partner Supported)

Pack has been certified.


RiskIQ Digital Footprint Pack v1.0.3 (Partner Supported)

Integrations

get_asset_ip_address_hr.md

Maintenance and stability enhancements.

RiskIQ Digital Footprint

Maintenance and stability enhancements.

RiskIQDigitalFootprint

Documentation and metadata improvements.


RiskSense Pack v1.0.3 (Partner Supported)

Integrations

RiskSense

Documentation and metadata improvements.


SMIME Messaging Pack v1.0.1

Integrations

SMIME Messaging

Added support for .p7m format files.


SNDBOX Pack v1.0.1

Integrations

SNDBOX

Fixed an issue where printed errors would not include the verbose reason.


SafeBreach - Breach and Attack Simulation platform Pack v1.1.1 (Partner Supported)

Integrations

SafeBreach v2

Updated the total simulations amount to exclude the internal failures results in the safebreach-get-test-status command.


Security Intelligence Services Feed Pack v1.0.2 (Partner Supported)

Integrations

SecurityIntelligenceServicesFeed

Documentation and metadata improvements.


Sepio Pack v1.0.1 (Partner Supported)

Integrations

Sepio

Documentation and metadata improvements.


ServiceNow Pack v1.3.6

Integrations

ServiceNow v2
  • Fixed an issue where an empty username or password in the instance configuration resulted in an unclear error.
  • Updated the Docker image.

Playbooks

  • ServiceNow Ticket State Polling
    Added a new playbook for polling the state of a ServiceNow Ticket.
  • Mirror ServiceNow Ticket
    Added a new playbook to mirror a ticket from ServiceNow.
  • Create ServiceNow Ticket
    Added a wrapper playbook for creating a new ticket with state polling or mirror as sync.

Incident Types

Added a new incident type with the new layout.

  • ServiceNow Create Ticket and Mirror

Incident Fields

Added new incident fields. ServiceNow incident fields are now associated to all incident types to support mirroring.

  • ServiceNow Closed By
  • ServiceNow Resolution Code
  • ServiceNow Caller ID
  • ServiceNow Urgency
  • ServiceNow Category
  • ServiceNow Caller
  • ServiceNow Assignment Group
  • ServiceNow Assigned To
  • ServiceNow State
  • ServiceNow Severity
  • ServiceNow Resolved Time
  • ServiceNow Resolution Notes
  • ServiceNow Priority
  • ServiceNow Opened Date
  • ServiceNow Notify
  • ServiceNow Impact
  • ServiceNow Escalation
  • ServiceNow Due Date
  • ServiceNow Description
  • ServiceNow Closed Date
  • ServiceNow Ticket Number

Layouts

  • ServiceNow Create Ticket and Mirror
    Added a new layout for the Mirror playbook.
  • ServiceNow Ticket
    Updated the ServiceNow Ticket layout to support the ticket state widget.

Classifiers

Added new mappers for incoming and outgoing mirroring to support the Mirror playbook.

  • ServiceNow Create Ticket - Outgoing Mapper
  • ServiceNow Create Ticket - Incoming Mapper

Scripts

Added a script to populate the ServiceNow Ticket State.

  • ServiceNowIncidentStatus

Silverfort Pack v1.0.3 (Partner Supported)

Integrations

Silverfort

Documentation and metadata improvements.


Sixgill Darkfeed - Core Edition Pack v1.2.0 (Partner Supported)

Integrations

Sixgill DarkFeed Threat Intelligence

New Sixgill logo.

Playbooks

Darkfeed Threat hunting-research

The playbook now uses the new SixgillSearchIndicators script.

Scripts

New: SixgillSearchIndicators

Search for Indicators.

SearchIndicators

Deprecated. Use the SixgillSearchIndicators script instead.


Slack Pack v1.3.6

Integrations

Slack v2

Updated the Docker image to: demisto/slack:1.0.0.11588 due to a hotfix in python-slackclient.


SlashNext Phishing Incident Response Pack v1.1.0 (Partner Supported)

Integrations

SlashNext Phishing Incident Response

Added Extend context for the slashnext-api-quota command.


SplunkPy Pack v1.2.4

Integrations

SplunkPy
  • Added optional functionality to the fields parameter in the splunk-submit-event-hec command.
  • Added usage of handle_proxy() for all requests.
  • Updated the Docker image to: demisto/splunksdk:1.0.0.11989.
  • Added support for the Select Schema feature of XSOAR 6.0 by providing the get-mapping-fields command.

SumoLogic Pack v1.0.2

Integrations

SumoLogic

Fixed an issue where the fetch-incident command did not retrieve all the events.


TAXII Feed Pack v1.0.5

Integrations

TAXII Feed

Maintenance and stability enhancements.


ThreatQ Pack v1.0.7 (Partner Supported)

Integrations

ThreatQ v2
  • Fixed an issue where the domain argument validation in the domain command did not work as expected.
  • Updated the Docker image to: demisto/python3:3.8.5.11789.

Tufin Pack v1.2.0 (Partner Supported)

Pack has been certified.


Twilio Pack v1.0.1

Integrations

Twilio

Fixed several typos.


VirusTotal - Private API Pack v1.0.4

Integrations

VirusTotal - Private API

Maintenance and stability enhancements.


WootCloud Pack v1.0.1 (Partner Supported)

Integrations

WootCloud

Documentation and metadata improvements.


Zscaler Pack v1.0.5

Integrations

Zscaler

Maintenance and stability enhancements.


illuminate Pack v1.0.3 (Partner Supported)

Integrations

illuminate

Documentation and metadata improvements.


urlscan.io Pack v1.0.4

Integrations

urlscan.io

Maintenance and stability enhancements.


Assets