Cortex XSOAR Content Release Notes for version 20.10.1 (159259)#

Published on 27 October 2020#

New: Cisco Umbrella Cloud Security Pack v1.0.0 (Community Contributed)#

Integrations#

Cisco Umbrella Cloud Security#

Adds domains to the Umbrella block list.


New: Cisco WebEx Feed Pack v1.0.0 (Community Contributed)#

Integrations#

Cisco WebEx Feed#

The WebEx IP Address and Domain website provided by Cisco documents IP addresses and domains used by WebEx. The WebEx Feed integration fetches indicators from the web page from which you can create a list (whitelist, blacklist, EDL, etc.) for your SIEM or firewall service to ingest and apply policy rules.


New: ExportToXLSX Pack v1.0.0#

Scripts#

ExportToXLSX#

Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.


New: Graylog Pack v1.0.0 (Community Contributed)#

Integrations#

Graylog#

Searches for logs and events.


New: Hatching Triage Pack v1.0.0 (Community Contributed)#

Integrations#

Hatching Triage#

Submits a large number of samples to run in a sandbox and to view reports.


New: Majestic Million Feed Pack v1.0.0#

Integrations#

Majestic Million Feed#

Free search and download of the top million websites.


New: Synapse Pack v1.0.0 (Community Contributed)#

Integrations#

Synapse#

A Synapse intelligence analysis platform.


Active Directory Query Pack v1.0.6#

Integrations#

Active Directory Query v2#
  • Fixed an issue where the DN parameter within a query in the search-computer command was incorrect.
  • Updated the Docker image to: demisto/ldap:1.0.0.12410.

Aella Star Light Pack v1.0.1#

Integrations#

Aella_StarLight#

Documentation and metadata improvements.


Alexa Rank Indicator Pack v1.1.0#

Integrations#

Alexa Rank Indicator#

Added the Alexa Benign Parameter for Good Domains.


AlienVault Feed Pack v1.0.6#

Integrations#

AlienVault Reputation Feed#

Maintenance and stability enhancements.


Amazon DynamoDB Pack v1.0.2#

Integrations#

Amazon DynamoDB#
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.12514.

Analyst1 Pack v1.0.4 (Partner Supported)#

Integrations#

illuminate (Deprecated)#

Deprecated. Use the Analyst1 integration instead.

Playbooks#

Illuminate Integration Demonstration#

Deprecated. Use the Analyst1 Integration Demonstration playbook instead.

Analyst1 Integration Demonstration#

Demonstrates the various Analyst1 enrichment commands.


ApiModules Pack v1.1.5#

Scripts#

CSVFeedApiModule#
  • Maintenance and stability enhancements.
  • Added the limit and value_field parameters for fetch indicators.
  • Updated the Docker image to: jmespath:1.0.0.12410.

Atlassian Jira Pack v1.2.0#

Classifiers#

New: classifier-mapper-incoming-JiraV2#

Jira V2 mirror-in classifier.

Integrations#

Atlassian Jira v2#
  • Fixed an issue in the jira-create-issue command where the arguments projectKey and issueTypeId were not specified as mandatory.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.12447.
  • Added mirror-in support (from Cortex XSOAR version 6.0.0). Mirror-in incidents (Issues/Tickets) come from the remote server (Jira).

AutoFocus Pack v1.1.6#

Integrations#

Palo Alto AutoFocus (Deprecated)#

Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead.

Palo Alto Networks AutoFocus v2#

Maintenance and stability enhancements.


Bambenek Consulting Feed Pack v1.0.4#

Integrations#

Bambenek Consulting Feed#

Maintenance and stability enhancements.


Base Pack v1.3.20#

Scripts#

DBotPreProcessTextData#

Updated the script to Python 3.

CommonServerPython#

Added the following classes, which are used in IAM integrations.

  • IAMUserProfile
  • IAMVendorActionResult
  • IAMErrors
  • Modified the set_integration_context function to be agnostic to the version argument type.
GetMLModelEvaluation#

Updated the script to Python 3.


Bastille Networks Pack v1.0.1 (Partner Supported)#

Integrations#

Bastille Networks#
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

BitDam Pack v1.0.1 (Partner Supported)#

Integrations#

BitDam#

Documentation and metadata improvements.


CSV Feed Pack v1.0.5#

Integrations#

CSV Feed#

Maintenance and stability enhancements.


Carbon Black Enterprise Response Pack v1.1.1#

Playbooks#

Block Endpoint - Carbon Black Response#

Added playbook outputs.


CaseManagement-Generic Pack v1.1.0#

Dashboards#

Incidents Overview#

Added the Active Incidents by Source widget.

Layouts#

Reports#

New: Case Report#

Investigation Summary Report from the Case Management pack.

Scripts#

TimersOnOwnerChange#

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

LinkIncidentsButton#

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

GenerateSummaryReportButton#

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

AssignToMeButton#

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

Widgets#

New: My Mean Time to Remediation (Remediation SLA)#

The mean time (average time) to remediation across all incidents where the remediation SLA timer completed and where the owner is the current user. The widget takes into account incidents from the last 30 days by default.

New: Mean Time to Remediation (Remediation SLA)#

The mean time (average time) to remediation across all incidents where the remediation SLA timer completed. The widget takes into account incidents from the last 30 days by default.

New: Mean Time to Assignment (Time to Assignment)#

The mean time (average time) to remediation across all incidents where the time to assignment SLA timer completed. The widget takes into account incidents from the last 30 days by default.

New: Participating Incidents#

Displays a table of the active incidents where the current user is not the owner but is an investigation team member.

New: Participating Incidents Count#

Displays a count of the active incidents where the current user is not the owner but is an investigation team member.

New: My Incidents by Type#

Displays the incidents assigned to the current user, by type.


Check Point Firewall Pack v2.0.2#

Integrations#

Check Point Firewall (Deprecated)#

Deprecated. Use the Check Point Firewall v2 integration instead.

Check Point Firewall v2#
  • Updated the integration display name.
  • Documentation improvements.

Cisco Threat Grid Pack v1.1.1#

Integrations#

Cisco Threat Grid#

Fixed an issue where analysis files with no domains caused an error.


Claroty Pack v1.0.6 (Partner Supported)#

Integrations#

Claroty#

Documentation and metadata improvements.


Code42 Pack v2.0.6 (Partner Supported)#

Integrations#

Code42#

Updated the Docker image to: 1.0.0.12174.


Common Playbooks Pack v1.8.5#

Playbooks#

Isolate Endpoint - Generic#
  • Fixed issues regarding sub-playbook inputs.
  • Added playbook outputs indicating the isolation state.
Email Address Enrichment - Generic v2.1#

Fixed an issue where emails were not checked for domain-squatting due to the WhereFieldEquals transformer not working as expected.


Common Scripts Pack v1.2.65#

Scripts#

FindSimilarIncidents#

Fixed an issue where the script did not handle special characters.

SetIfEmpty#

Maintenance and stability enhancements.

New: IsInternalDomainName#

This script accepts multiple values for the domain_to_check and domains_to_compare arguments and iterates through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.

New: UnEscapeIndicatorIPv6#

Extracts IPv6 addresses from specific characters.

SetGridField#
  • Fixed an issue where the script set values in incorrect fields.
  • Updated the Docker image to: demisto/pandas:1.0.0.12410.
FailedInstances#

Returns an empty list if no failed instances are found.

New: AfterRelativeDate#

Added a new filter that checks that the given time occurred after the relative time.

UnEscapeIndicatorIPv6#

Fixed an issue where the script did not work as intended.

ParseEmailFiles#

Fixed an issue where parsing failed due to incorrect email payload filtering.


Common Types Pack v2.1.1#

Indicator Fields#

Domain Indicator Fields#

Added the following indicator fields:

  • Domain IDN Name
  • Domain Referring Subnets
  • Domain Referring IPs

Indicator Types#

IPv6#

Upgrade IPv6 regex to extract the address only if it is surrounded by special characters.


Common Widgets Pack v1.0.5#

Scripts#

GetLargestInputsAndOuputsInIncidents#

Fixed an issue where the wrong automation was called.


Cortex Data Lake Pack v1.2.7#

Integrations#

Cortex Data Lake#
  • Added the Fetch Table integration parameter, which enables you to select the table incidents will be fetched from.
  • Added the firewall.file_data fetch table.
  • Added the Fetch Fields integration parameter, which takes a comma-separated list of fields that will be fetched with every incident. For example,
    pcap,session_id. Enter "*" for all possible fields.
  • Fixed an issue where the auth token was refreshed before it expired.

CrowdStrike Falcon Streaming Pack v1.0.9#

Integrations#

CrowdStrike Falcon Streaming v2#
  • Modified the integration to store the fetched event offset in the integration cache immediately on event fetch instead of storing it according to a schedule.
  • Updated the Docker image to: demisto/aiohttp:1.0.0.12423.

CyberTotal Pack v1.0.1 (Partner Supported)#

Integrations#

CyberTotal#

Documentation and metadata improvements.


Cybereason Pack v1.0.4#

Playbooks#

Isolate Endpoint - Cybereason#

Added playbook outputs.


Cymulate Pack v1.0.6 (Partner Supported)#

Integrations#

Cymulate#

Documentation and metadata improvements.


Demisto REST API Pack v1.1.2#

Integrations#

Demisto REST API#

Maintenance and stability enhancements.


EWS Pack v1.3.7#

Integrations#

EWS O365#
  • Fixed an issue where the get-items and get-items-as-eml commands failed when the target-mailbox argument was different than the one in the integration parameters.
  • Fixed an issue in the send-mail command where the body argument was not ignored if the htmlBody argument was provided.
  • Updated the Docker image to: demisto/py3ews:1.0.0.12717.
EWS v2#
  • Fixed an issue where the integration used the proxy even if the Use system proxy settings integration parameter checkbox was not selected.
  • Maintenance and stability enhancements.
  • Documentation and metadata improvements.

Elasticsearch Pack v1.1.3#

Integrations#

Elasticsearch v2#
  • Fixed an issue where the integration used the proxy even if the Use system proxy settings integration parameter was unchecked.
  • Updated the Docker image to: demisto/elasticsearch:1.0.0.12410.
  • Fixed an issue where the test module did not check the server URL properly.

Expanse Pack v1.1.3 (Partner Supported)#

Integrations#

Expanse#
  • Addressed an issue where the domains command failed in some circumstances.
  • Updated the Docker image from: 3.8.5.10845 to 3.8.6.12176.

ExtraHop Reveal(x) Pack v1.0.4 (Partner Supported)#

Playbooks#

ExtraHop - Ticket Tracking v2#
  • This playbook is no longer deprecated and is now available.
  • Fixed an issue where the script was hidden.

Farsight DNSDB Pack v2.0.1 (Partner Supported)#

Integrations#

Farsight DNSDB#

Added the content pack README.


FeodoTracker Feed Pack v1.0.2#

Integrations#

Feodo Tracker Hashes Feed (Deprecated)#

Deprecated. Feodo Tracker no longer supports this feed.


FireEye Feed Pack v1.0.2#

Integrations#

FireEye Feed#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Genians Pack v1.0.1 (Partner Supported)#

Integrations#

Genians#

Documentation and metadata improvements.


Gmail Pack v1.0.7#

Integrations#

Gmail#
  • Fixed an issue where scheduled reports were not sent as attachments.
  • Updated the Docker image to: demisto/google-api:1.0.0.11841.

Google Cloud Functions Pack v1.0.1#

Integrations#

Google Cloud Functions#
  • Fixed an issue where not entering the default region and default project ID integration parameters caused an error.
  • Updated the Docker image to: demisto/google-api-py3:1.0.0.12248.

HelloWorld Pack v1.1.11#

Integration#

HelloWorld#

Updated the Docker image to: demisto/python3:3.8.6.12176.

Integrations#

HelloWorld#

Improved handling of datetime objects.

Scripts#

HelloWorldScript#
  • Updated to newer code conventions (CommandResults).
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

IBM QRadar Pack v1.1.4#

Integrations#

IBM QRadar#

Updated the API documentation links for the fetch-incidents filter syntax.

IBM QRadar v2#
  • Modified the integration to use the set_to_integration_context_with_retries function instead of the set_integration_context function.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

IBM X-Force Exchange Pack v1.0.4#

Integrations#

IBM X-Force Exchange v2#

Maintenance and stability enhancements.


Indeni Pack v1.0.6 (Partner Supported)#

Integrations#

Indeni#

Documentation and metadata improvements.


Integrations & Incidents Health Check Pack v1.1.4#

Playbooks#

Integrations and Playbooks Health Check - Running Scripts#

Fixed an issue with empty lists.

Scripts#

CopyLinkedAnalystNotes#
  • Fixed an issue where incident grid rows were not sorted by the creation date.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
IncidentsCheck-Widget-NumberofErrors#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
IncidentsCheck-Widget-PlaybookNames#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
  • Maintenance and stability enhancements.
IncidentsCheck-Widget-CreationDate#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
InstancesCheck-FailedCategories#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
IncidentsCheck-Widget-CommandsNames#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
IncidentsCheck-Widget-IncidentsErrorsInfo#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
IncidentsCheck-PlaybooksHealthNames#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
IncidentsCheck-PlaybooksFailingCommands#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
IntegrationsCheck-Widget-IntegrationsCategory#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.
IntegrationsCheck-Widget-IntegrationsErrorsInfo#
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

Lacework Pack v1.0.1 (Community Contributed)#

Integrations#

Lacework#
  • Updated the description of the integration to be more accurate.
  • Changed 'instance' to 'account' across Lacework projects to maintain consistency.
  • Updated the Docker image to: demisto/lacework:1.0.0.12410.

Luminate Pack v1.0.1 (Community Contributed)#

Integrations#

Luminate#

Documentation and metadata improvements.


MITRE ATT&CK Pack v1.1.5#

Dashboards#

MITRE ATT&CK#

Updated the default time range to last 7 days.

Scripts#

MITREIndicatorsByOpenIncidents#
  • Added support for the to and from time range arguments.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
  • Improved the implementation of the to and from time range arguments.

Microsoft Defender Advanced Threat Protection Pack v1.2.3#

Integrations#

Microsoft Defender Advanced Threat Protection#
  • Improved error handling in the test module.
  • Updated the Docker image to: demisto/crypto:1.0.0.12410.

Microsoft Graph Device Management Pack v1.0.2#

Integrations#

Microsoft Graph Device Management (Microsoft Intune)#
  • General documentation improvements.
  • Updated the Docker image to: demisto/crypto:1.0.0.12410.

Microsoft Graph User Pack v1.3.3#

Integrations#

Microsoft Graph User#
  • Added the msgraph-user-get-manager command, which retrieves the properties of the specified user's manager.
  • Added the msgraph-user-assign-manager command, which assigns a manager to the specified user.

Microsoft Teams Pack v1.0.4#

Integrations#

Microsoft Teams#
  • Fixed an issue where the to argument was missing in the send-notification command.
  • Updated the Docker image to: demisto/teams:1.0.0.12455.

Minerva Labs Anti-Evasion Platform Pack v1.0.1 (Partner Supported)#

Integrations#

MinervaLabsAntiEvasionPlatform#

Documentation and metadata improvements.


PCAP Analysis Pack v2.3.6#

Playbooks#

PCAP Parsing And Indicator Enrichment#

Updated the order of the incident fields.

PCAP Search#

Updated the order of the incident fields.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.5#

Classifiers#

Cortex XDR - Incoming Mapper#

Fixed an issue where labels were populated.

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Fixed an issue where incidents were not fetched in cases where some incident fields were not entered.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
  • Fixed an issue where the outgoing mirror failed to close an incident with the Other status.
Cortex XDR - IOC#
  • Fixed an issue where severity was listed as med instead of medium.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Playbooks#

Cortex XDR - Isolate Endpoint#

Added playbook outputs.


PassiveTotal Pack v2.0.4 (Partner Supported)#

Integrations#

PassiveTotal#

Documentation and metadata improvements.


PhishTank Pack v2.0.0#

Integrations#

New: PhishTank V2#

Added the PhishTank V2 integration. Previous functionality was maintained.

PhishTank (Deprecated)#

Deprecated. Use the PhishTank v2 integration instead.


Phishing Pack v1.10.5#

Scripts#

PhishingDedupPreprocessingRule#
  • Updated de-duplication logic to close a duplicate incident and link it to the oldest duplicate incident.
  • Added support for custom type field.

PolySwarm Pack v1.0.2 (Partner Supported)#

Integrations#

PolySwarm#

Documentation and metadata improvements.


Polygon Pack v1.0.1 (Partner Supported)#

Integrations#

Polygon#

Documentation and metadata improvements.


Proofpoint Threat Response (Beta) Pack v1.0.2#

Integrations#

Proofpoint Threat Response (Beta)#

Fixed an issue where the proofpoint-tr-update-incident-comment command was not implemented correctly.


Rapid7 Nexpose Pack v1.0.2#

Integrations#

Rapid7 Nexpose#

Fixed an issue where the integration used the proxy even if the Use system proxy settings integration parameter was unchecked.


Recorded Future Feed Pack v1.0.5#

Integrations#

Recorded Future RiskList Feed#
  • Fixed an issue where duplicate indicators were created in Cortex XSOAR.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

RiskIQ Digital Footprint Pack v1.0.3 (Partner Supported)#

Integrations#

RiskIQDigitalFootprint#

Documentation and metadata improvements.


RiskSense Pack v1.0.3 (Partner Supported)#

Integrations#

RiskSense#

Documentation and metadata improvements.


SCADAfence CNM Pack v1.0.2 (Partner Supported)#

Integrations#

SCADAFence_CNM#

Documentation and metadata improvements.


Security Intelligence Services Feed Pack v1.0.2 (Partner Supported)#

Integrations#

SecurityIntelligenceServicesFeed#

Documentation and metadata improvements.


SentinelOne Pack v1.0.2#

Integrations#

SentinelOne v2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Sepio Pack v1.0.1 (Partner Supported)#

Integrations#

Sepio#

Documentation and metadata improvements.


ServiceNow Pack v1.3.7#

Integrations#

ServiceNow v2#
  • Improved file handling in the get-remote-data command.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Silverfort Pack v1.0.3 (Partner Supported)#

Integrations#

Silverfort#

Documentation and metadata improvements.


Sixgill Darkfeed - Annual Subscription Pack v1.2.1 (Partner Supported)#

Integrations#

Sixgill_Darkfeed#

Documentation and metadata improvements.


Slack Pack v1.3.7#

Integrations#

Slack v2#
  • Fixed an issue where failing to invite users to a mirrored channel would cause the mirroring to fail.
  • Updated the Docker image to: demisto/slack:1.0.0.12410.

Smokescreen IllusionBLACK Pack v1.0.5 (Partner Supported)#

Integrations#

Smokescreen_IllusionBLACK#

Documentation and metadata improvements.


Tanium Threat Response Pack v1.0.2#

Integrations#

Tanium Threat Response#
  • Fixed an issue where the in progress filter for fetch incidents and the tanium-tr-list-alerts command did not work as expected.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Troubleshoot Pack v1.1.0#

Scripts#

CertificatesTroubleshoot#

Added the following certificate details:

  • NotValidAfter
  • NotValidBefore
  • Version
  • IssuerAlternateNames
  • SubjectAlternateNames

Whois Pack v1.1.6#

Integrations#

Whois#
  • Fixed an issue where an error was caused due to dates being mishandled.
  • Updated the Docker image to: demisto/ippysocks:1.0.0.11896.

Zscaler Pack v1.0.6#

Integrations#

Zscaler#
  • Added the following new parameters:
    • Auto Activate Changes - When enabled, the integration activates the Zscaler command changes after each execution. If disabled, the user will have to call the zscaler-activate-changes command to activate Zscaler command changes.
    • Auto Logout - When enabled, the integration will logout with each command execution.
  • Added the following new commands:
    • zscaler-login - Manually create a Zscaler login session. This command will also try to log out of the previous session.
    • zscaler-logout - Log out of the current Zscaler session. To be used when the Auto Logout parameter is disabled.
    • zscaler-activate-changes - Activate the changes executed by other Zscaler commands. To be used when the Auto Activate Changes parameter is disabled.
  • Added array handling for the following commands:
    • ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-category-remove-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-whitelist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-undo-whitelist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-blacklist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-undo-blacklist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-whitelist-url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-undo-whitelist-url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-blacklist-url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-undo-blacklist-url - The comma-separated list of URLs will be handled in a single command execution.

abuse.ch SSL Blacklist Feed Pack v1.0.4#

Integrations#

abuse.ch SSL Blacklist Feed#

Maintenance and stability enhancements.


Assets#