Cortex XSOAR Content Release Notes for version 20.11.0 (181764)#

Published on 10 November 2020#

Breaking Changes#

Several packs include breaking changes.

New: Anomali Enterprise Pack v1.0.0#

Integrations#

Anomali Enterprise#

Use Anomali Enterprise to search indicators and enrich domains.

Playbooks#

Anomali Enterprise Forensic Search#

Initiates a forensic search on IOCs in Anomali Enterprise.


New: Barracuda Pack v1.0.0 (Community Contributed)#

Integrations#

Barracuda Reputation Block List (BRBL)#

Enables reputation checks against IP addresses from the Barracuda Reputation Block List (BRBL).


New: ConcentricAI Pack v1.0.0 (Partner Supported)#

Classifiers#

ConcentricAi#

Classifies incoming incidents in Cortex XSOAR.

ConcentricAi-mapper#

Maps incoming Concentric alert fields.

Incident Types#

ConcentricAI Security Event

Integrations#

ConcentricAI#

Concentric’s Semantic Intelligence™ solution discovers and protects business critical, unstructured data. The solution uses deep learning to identify risky sharing, inappropriate third party access, assets in the wrong location, mis-classified documents, or lateral movement of data – all without rules or complex upfront configuration.

Playbooks#

ConcentricAI Demo Playbook#

This playbook shows how to handle a risk incident and fetch all appropriate file details related to it along with user details for the owner of the file.


New: EmailRepIO Pack v1.0.0#

Integrations#

EmailRep.io#

Provides reputation and reports for email addresses.


New: ExtFilter Pack v1.0.0 (Community Contributed)#

Scripts#

ExtFilter#

Enables you to create filters with complex conditions.


New: FireEyeNX Pack v1.0.0#

Classifiers#

FireEye NX - Classifier#

Classifies FireEye NX incidents.

FireEye NX Incoming Mapper#

Maps incoming FireEye NX incident fields.

Incident Fields#

  • FireEye NX Alert Action - Action of the alert.
  • FireEye NX Alert ID - ID of the alert.
  • FireEye NX Alert Malware Name - Malware name of the alert.
  • FireEye NX Alert SC Version - SC version of the alert.
  • FireEye NX Alert Target IP - Destination IP address of the alert.
  • FireEye NX Alert Target MAC Address - Destination MAC address of the alert.
  • FireEye NX Alert Target Port - Destination port address of the alert.
  • FireEye NX Alert Type - The type of the alert.
  • FireEye NX Alert URL - URL of the alert.
  • FireEye NX Alert UUID - UUID of the alert.
  • FireEye NX Alert Victim IP - Source IP address of the alert.
  • FireEye NX Alert Victim MAC Address - Source MAC address of the alert.
  • FireEye NX Alert Victim Port - Source port address of the alert.
  • FireEye NX Event Attacker IP - Destination IP address of the event.
  • FireEye NX Event CVE ID - CVE ID of the event.
  • FireEye NX Event Destination MAC Address - Destination MAC address of the event.
  • FireEye NX Event Destination Port - Destination port address of the event.
  • FireEye NX Event ID - ID of the event.
  • FireEye NX Event Rule - Rule of the event.
  • FireEye NX Event Source MAC Address - Source MAC address of the event.
  • FireEye NX Event Victim IP - Source IP address of the event.
  • FireEye NX Event Victim Port - Source port of the event.

Incident Types#

  • FireEye NX Alert
  • FireEye NX IPS Event

Integrations#

FireEye NX#

FireEye Network Security is an effective cyber threat protection solution that helps organizations minimize the risk of costly breaches by accurately detecting and immediately stopping advanced, targeted, and other evasive attacks hiding in internet traffic.

Layouts#

  • FireEye NX Alert - Summary
  • FireEye NX IPS Event - Summary
  • FireEye NX Alert - Mobile
  • FireEye NX IPS Event - Mobile
  • FireEye NX Alert - Quick View
  • FireEye NX IPS Event - Quick View

New: Pulsedive Pack v1.0.0 (Community Contributed)#

Integrations#

Pulsedive#

Enriches and analyzed any domain, URL, or IP address. Pivot to search on data points and linked indicators to investigate risky properties.


New: Shift Management - Assign to Next Shift Pack v1.0.0 (Community Contributed)#

Playbooks#

Assign Active Incidents to Next Shift#

This playbook reassigns active incidents to the current users on call. It requires shift management to be setup. You can run this as a job a few minutes after the scheduled shift change occurs.

You can update the playbook input with a different search query. It will branch if there are no incidents that match the query and no users on call.

By default, the query returns 100 search result incidents.

Scripts#

AssignToNextShift#

Randomly assigns the incidents to users on call. (Requires shift management to be set up.)

The input is a comma-separated list of incident IDs.


AWS - ACM Pack v1.0.2#

Integrations#

AWS - ACM#
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.13191.

AWS - AccessAnalyzer (Beta) Pack v1.0.3#

Integrations#

AWS - AccessAnalyzer (Beta)#

Fixed an issue where moving the integration to STS failed if the access key was previously populated.


AWS - Athena (Beta) Pack v1.0.2#

Integrations#

AWS - Athena (Beta)#

Fixed an issue where moving the integration to STS failed if the access key was previously populated.


AWS - CloudTrail Pack v1.0.3#

Integrations#

AWS - CloudTrail#
  • Fixed an issue where datetime objects were mishandled in the aws-cloudtrail-lookup-events command.
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3:2.0.0.13188.

AWS - EC2 Pack v1.1.4#

Integrations#

AWS - EC2#
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3:2.0.0.13188.

AWS - IAM Pack v1.0.1#

Integrations#

AWS - IAM#
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3:2.0.0.13188.

AWS - Lambda Pack v1.0.2#

Integrations#

AWS - Lambda#
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.13191.

AWS - S3 Pack v1.0.3#

Integrations#

AWS - S3#
  • Fixed an issue where the aws-s3-get-bucket-policy command failed if the policy did not have an ID.
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3:2.0.0.13188.

AWS - Security Hub Pack v1.0.3#

Integrations#

AWS - Security Hub#
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.13191.

AWS Feed Pack v1.0.6#

Classifiers#

AWS Feed - Classifier#

Fixed an issue where the classifier's ID was incorrect.

AWS Feed - Incoming Mapper#

Fixed an issue where the mapper's ID was incorrect.

Integration#

AWS Feed#

Updated the Docker image to: demisto/jmespath:1.0.0.12410.


Active Directory Query Pack v1.1.0#

Classifiers#

New: User Profile - Active Directory (Outgoing)#

Maps User Profile data to Active Directory user data.

New: User Profile - Active Directory (Incoming)#

Maps Active Directory user data to User Profile data.

Integrations#

Active Directory Query v2#
  • Added the following CRUD commands, which support use cases for the IAM premium pack.
    • create-user
    • get-user
    • update-user
    • enable-user
    • disable-user
  • Fixed an issue where setting the attributes argument to "*" did not work in the search-computer command.
  • Updated the integration description.

Script#

New: IAMInitADUser#

Generates a password, sets an AD user account with this password, and enables the account. It then sends an email to the user with tha account information. This script runs the send-mail command. You must configure a matching integration.

New: Generate_AD_Password#

This scripts generates a 12 letter password, that contains letters, numbers, and symbols.


Amazon DynamoDB Pack v1.0.3#

Integrations#

Amazon DynamoDB#
  • Fixed an issue where moving the integration to STS failed if the access key was previously populated.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.13191.

Anomali ThreatStream Pack v1.0.6#

Integrations#

Anomali ThreatStream v2#
  • Fixed an issue where the DBotScore vendor was set to Analyst instead of ThreatStream.
  • Updated the Docker image to: demisto/emoji:1.0.0.12410.
  • Updated the integration image.

AutoFocus Pack v1.1.9#

Integrations#

Palo Alto Networks AutoFocus v2#

Updated the following reputation commands to return a different result for each indicator.

  • ip
  • url
  • domain
  • file

Azure Compute Pack v1.0.2#

Integrations#

Azure Compute v2#

Maintenance and stability enhancements.


Azure Log Analytics Pack v1.0.1#

Integrations#

Azure Log Analytics (Beta)#

Maintenance and stability enhancements.


Azure Security Center Pack v1.1.3#

Integrations#

Azure Security Center v2#

Maintenance and stability enhancements.


AzureSentinel Pack v1.0.3#

Integrations#

Azure Sentinel (Beta)#

Maintenance and stability enhancements.


Base Pack v1.3.33#

Scripts#

CommonServerPython#
  • Deprecated CommandResults.indicators, which is replaced by CommandResults.indicator.
  • Fixed an issue where the tableToMarkdown method mishandled pipe characters (|) in the table headers.
  • Added support for lists of CommandResults objects in the return_results function.
  • Added ACCOUNT to DBotScoreType.
  • Added Account indicator context to Common.
  • Improved sensitive data masking in the logger object.
  • Improved initial logging for debug-mode.
  • Maintenance and stability enhancements.
GetMLModelEvaluation#

Fixed a bug related to metrics display.

DBotTrainTextClassifierV2#

Converted the script to Python 3.

DBotPredictPhishingWords#

Converted the script to Python 3.

SanePdfReports#
  • Updated the script to stop all Chromium zombie processes when the script finishes.
  • Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.13239.
SaneDocReportsV2#

Updated the Docker image to: demisto/sane-doc-reports:1.0.0.13194.

CommonServerPowerShell#
  • Fixed a bug in tableToMarkdown where boolean values of False were not shown.
  • Fixed parsing of nested lists in tableToMarkdown.

Carbon Black Cloud Enterprise EDR Pack v1.1.0#

Integrations#

VMware Carbon Black Enterprise EDR#
  • Added the following commands.
    • cb-eedr-process-search - Creates a process search job.
    • cb-eedr-process-search-results - Retrieves the process search results for a given job ID.
    • cb-eedr-events-by-process-get - Retrieves the events associated with a given process.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Playbooks#

Added the Carbon Black EDR Search Process generic polling playbook, which enables you to search a process by query or parameters.


Check Point Firewall Pack v2.0.3#

Integrations#

Check Point Firewall v2#

Added the checkpoint-package-list command, which enables you to retrieve a detailed list of Checkpoint packages.


Cisco Email Security (Beta) Pack v1.0.1#

Integrations#

Cisco Email Security (Beta)#
  • Fixed an issue where test-module failed on an incorrect timeout argument.
  • In the cisco-email-security-messages-search command, the timestamp column is now the first column.
  • Made several improvements to the cisco-email-security-report-get command.
    • Updated the descriptions for the start date and end date arguments to state that the minutes and seconds needs to be "00".
    • Added the device group name argument. The argument's initial value is Hosted_Cluster. Also fixed an issue where this command always returned the results as zero.
    • Fixed an issue where some counters returned an error.

Cisco Threat Grid Pack v1.1.2#

Integrations#

Cisco Threat Grid#

Maintenance and stability enhancements.


Common Scripts Pack v1.2.74#

Scripts#

SetGridField#

Fixed an issue where the script did not display single dictionary outputs correctly.

UnzipFile#
  • Fixed an issue where the script failed to extract files with long filenames from zip files.
  • Updated the Docker image to: demisto/unzip:1.0.0.12410.
FeedRelatedIndicatorsWidget#
  • You can now use links, strings, and comma-separated lists of links and strings in the Description field.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
ParseEmailFiles#
  • Fixed an issue where the sending address was invalid in case the email's 'From' header contained '\r\n'.
  • Fixed an issue where the script raised an error for emails with an empty file content.
  • Fixed an issue where the script does not decode the content payload with its charset.
AfterRelativeDate#

Fixed an issue where the script was not initiated properly.

ExtractDomainAndFQDNFromUrlAndEmail#
  • Fixed an issue where the script created an empty domain indicator.
  • Updated the Docker image to: tld:1.0.0.12410.
ExtractIndicatorsFromTextFile#

Fixed an issue where .txt files with Portuguese characters were not parsed successfully.


Common Types Pack v2.2.1#

Incident Fields#

  • Added the following incident fields:
    • Personal Email
    • Title
    • Job Family
    • Job Function
    • Location Region
    • Work Phone
    • Cost Center
    • Job Code
    • Zip Code
    • Event Action
  • Added association to the IAM incident type.
    • State
    • City
    • Username

Indicator Fields#

  • Added the following indicator fields:
    • Mobile Phone
    • Manager Name
    • Manager Email Address
    • Location
    • Department
    • Surname
    • Email
    • Street Address
    • Leadership
    • Country Name
    • City
    • Given Name
    • State
    • Cost Center Code
  • Display Name - Added association to the User Profile indicator type.

Layouts#

STIX Report

  • Report details section is now divided into two new sections: XSOAR Details and STIX Report Details.
  • The Actions section was removed.

Compliance Pack v1.0.6#

Incident Fields#

Management Notification - Added association to US Breach Notification.


CrowdStrike Falcon Pack v1.2.6#

Integrations#

CrowdStrike Falcon#
  • Added the Incidents fetch query integration parameter to allow incidents and detections to be filtered separately.
  • Fixed an issue where the same incidents were fetched multiple times.
  • Fixed an issue where the cs-falcon-list-incident-summaries command printed incorrect information.

CrowdStrike Falcon Intel Pack v2.0.7#

Integrations#

CrowdStrike Falcon Intel v2#
  • Updated the following commands to return a different result for each indicator:
    • ip
    • url
    • file
    • domain
    • cs-indicators
  • The following commands now support a comma-separated list of values:
    • url
    • file
    • ip
    • domain
  • Maintenance and stability enhancements.

CrowdStrike Falcon Streaming Pack v1.0.10#

Integrations#

CrowdStrike Falcon Streaming v2#
  • Added handling for cases where the integration cache contained data of an unexpected type by converting it to the proper state.
  • Updated the Docker image to: demisto/aiohttp:1.0.0.12815.

Crowdstrike Falcon Intel Feed Pack v1.0.2#

Integrations#

Crowdstrike Falcon Intel Feed#
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

CyberTotal Pack v1.0.2 (Partner Supported)#

Integrations#

CyberTotal#

Updated the following reputation commands to return a different result for each indicator:

  • ip

  • url

  • domain

  • file


Cylance Protect Pack v1.0.1#

Integrations#

Cylance Protect v2#
  • Fixed an issue where arguments' names in the python code, such as pageNumber and pageSize, did not match the arguments' names in the configuration file.
  • Updated the Docker image to: demisto/pyjwt:1.0.0.12779.

EWS Pack v1.4.0#

Integrations#

EWS v2#
  • Improved the implementation of the Trust any certificate (not secure) parameter to start immediately and not on container restart when clearing the parameter checkbox.
  • Fixed an issue where the fetch-incidents command failed due to protected emails.
EWS O365#

Maintenance and stability enhancements.


ExtFilter Pack v1.0.1#

Playbooks#

Test - ExtFilter Main#

Removed the DeleteContext task from the playbook.


ExtraHop Reveal(x) Pack v1.0.5 (Partner Supported)#

Layouts#

ExtraHop Detection

  • Updated the incident information layout to content pack format.
  • Removed the legacy summary.

Playbooks#

ExtraHop - Default#

Reference the new Ticket Tracking v2 playbook.


Farsight DNSDB Pack v2.1.0 (Partner Supported)#

Integrations#

Farsight DNSDB v2#
  • Add raw to the following commands:
    • dnsdb-rdata
    • dnsdb-summarize-rdata
  • Updated DNSDB API version 2 with Flexible Search.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

FireEye Feed Pack v2.0.0#

Integrations#

FireEye Feed#

FireEye Feed is now used as an incremental feed.


Genians Pack v1.0.2 (Partner Supported)#

Integrations#

Genians#
  • Description and content modification.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Get License ID Pack v1.0.1#

Scripts#

GetLicenseID#
  • Fixed the context output to match the output definition of License.ID.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Gmail Pack v1.1.1#

Integrations#

Gmail#
  • Added the following commands:
    • gmail-send-as-add - Creates a custom "from" send-as alias.
    • gmail-forwarding-address-add - Creates a forwarding address.
  • Added new arguments in the gmail-set-autoreply command.
  • Updated the Docker image to: demisto/google-api:1.0.0.12690.
  • Fixed an issue where the test-module didn't run properly with fetch incidents.

HelloWorld Pack v1.1.12#

Integrations#

HelloWorld#

The following commands were changed to return multiple entries (entry per indicator) instead of a single entry:

  • ip
  • domain
  • helloworld-scan-results

IBM QRadar Pack v1.1.7#

Integrations#

IBM QRadar v2#
  • Reverted the integration cache handling changes made in version 1.1.4.
  • Added the LinkToOffense field to fetched incidents. It links to the offense in the QRadar console.
  • Fixed an issue where the source argument did not work when passing more than one value to the qradar-update-reference-set-value command.
IBM QRadar#

Fixed an issue where the source argument did not work when passing more than one value to the qradar-update-reference-set-value command.


Integrations & Incidents Health Check Pack v1.1.5#

Playbooks#

JOB - Integrations and Playbooks Health Check#

Fixed the report name.

Scripts#

GetFailedTasks#
  • Updated the Docker image to the latest version.
  • Maintenance and stability enhancements.

MITRE ATT&CK Pack v1.1.6#

Integrations#

MITRE ATT&CK Feed#
  • Fixed an issue where the mitrecreated and mitremodified fields were not populated correctly.
  • Updated the Docker image to: demisto/taxii2:1.0.0.12410.

Machine Learning Pack v1.2.1#

Scripts#

HashIncidentsFields#

Fixed an issue where custom fields were returned by default as part of the incident object.


Manage Engine Service Desk Plus Pack v1.2.1#

Integrations#

Service Desk Plus#
  • Updated the assign and close API endpoints because the previous ones are scheduled to be deprecated on November 15th, 2020.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Micro Focus Service Manager Pack v1.0.2#

Integrations#

Micro Focus Service Manager#

Added the customFields argument to the hpsm-create-incident command.


Microsoft Cloud App Security Pack v1.0.9#

Integrations#

Microsoft Cloud App Security#
  • Breaking Change: The microsoft-cas-activities-list command now returns multiple entries (entry per indicator) instead of a single entry.
  • Fixed an issue where fetch-incident ignored the First fetch time integration parameter and fetched the same incident multiple times.
  • Documentation and metadata improvements.
Microsoft Cloud App Security_test#
  • Fixed an issue where fetch-incident would fetch the same incident multiple times.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Microsoft Defender Advanced Threat Protection Pack v1.2.4#

Integrations#

Microsoft Defender Advanced Threat Protection#

Maintenance and stability enhancements.


Microsoft Graph Calendar Pack v1.0.3#

Integrations#

Microsoft Graph Calendar#

Maintenance and stability enhancements.


Microsoft Graph Device Management Pack v1.0.3#

Integrations#

Microsoft Graph Device Management (Microsoft Intune)#

Maintenance and stability enhancements.


Microsoft Graph Files Pack v1.0.2#

Integrations#

Microsoft Graph Files#

Maintenance and stability enhancements.


Microsoft Graph Groups Pack v1.0.2#

Integrations#

Microsoft Graph Groups#

Maintenance and stability enhancements.


Microsoft Graph Mail Pack v1.0.13#

Integrations#

Microsoft Graph Mail#
  • Added the Message ID field to the msgraph-mail-list-emails command output.
  • Fixed an issue where the fetch-incidents command failed on emails with reference attachments.
  • Fixed an issue where the received email headers were empty.
  • Improved the last fetch timestamp calculation in the fetch incidents flow.
  • Updated the Docker image to: demisto/crypto:1.0.0.12979.
  • Maintenance and stability enhancements.

Microsoft Graph Mail Single User Pack v1.0.9#

Integrations#

Microsoft Graph Mail Single User#
  • Added support for the self deployed option.
  • Improved the last fetch timestamp calculation in the fetch incidents flow.
  • Updated the Docker image to: demisto/crypto:1.0.0.12979.

Microsoft Graph Security Pack v2.0.4#

Integrations#

Microsoft Graph Security#

Maintenance and stability enhancements.


Microsoft Graph User Pack v1.3.4#

Integrations#

Microsoft Graph User#

Maintenance and stability enhancements.


Microsoft Management Activity API (O365/Azure Events) Pack v1.1.2#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#

Maintenance and stability enhancements.


OTRS Service Management XSOAR Pack Pack v1.0.2#

Integrations#

OTRS#
  • Fixed an issue where the integration created a new session each time a command was executed.
  • Updated the Docker image to: demisto/pyotrs:1.0.0.12421.

OpenLDAP (Beta) Pack v1.0.2#

Integrations#

OpenLDAP (Beta)#

Added the User Defined Attributes parameter, which enables you to specify attributes in the user query filter.


OpenPhish Pack v2.0.1#

Integrations#

New: OpenPhish v2#

Breaking Change: The url command now returns multiple entries (entry per indicator) instead of a single entry.


PAN-OS Pack v1.6.4#

Integrations#

Palo Alto Networks PAN-OS#
  • Fixed an issue where the panorama-get-url-category-from-host command failed when querying a URL.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
  • Documentation and metadata improvements.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.8#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Maintenance and stability enhancements.
Palo Alto Networks Cortex XDR - Investigation and Response rate limit#
  • Improved handling the API rate limit error during the fetch incidents process. The integration will not fail, but will create the remaining incidents in the next fetch.
  • Improved handling of the API rate limit error in the incoming mirroring process. The sync loop will be stopped and will resume from the last incident.

Palo Alto Networks PAN-OS EDL Service Pack v1.0.4#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • Fixed an issue where an error was raised if there were no results for the indicators query.
  • Updated the Docker image to: demisto/teams:1.0.0.13080.

Phishing Pack v1.10.7#

Scripts#

PhishingDedupPreprocessingRule#
  • Added support to recognize emails as duplicate when there is a single word difference.
  • Added arguments that enable setting the threshold to close as duplicate and de-duplication.
  • Changed the default value of incidentTypes to 30 days.

Prisma Cloud Compute Pack v1.0.4#

Integrations#

Palo Alto Networks - Prisma Cloud Compute#

Updated the endpoint that the integration calls.


Qualys Pack v1.0.2#

Integrations#

Qualys#

Added outputs for the qualys-vm-scan-fetch command.


RSA Archer Pack v1.1.3#

Integrations#

RSA Archer v2#
  • Improved error handling in the login process.
  • You can now pass list fields to the fieldsToValues argument without [] in the archer-create-record and archer-update-record commands. For example: use fieldsToValues={"Priority":"High"} instead of " fieldsToValues={"Priority":"[High]"}.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

RecordedFuture v2 Pack v1.0.2 (Partner Supported)#

Integrations#

Recorded Future v2#

Breaking Change: The following reputation commands now return multiple entries (entry per indicator) instead of a single entry.

  • ip
  • domain
  • hash
  • url

Remedy On-Demand Pack v1.0.2#

Integrations#

Remedy On-Demand#

Fixed an issue where the integration test would fail on a timeout.


SentinelOne Pack v1.0.3#

Integrations#

SentinelOne v2#

Deprecated the sentinelone-expire-site command.


ServiceNow Pack v1.3.9#

Integrations#

ServiceNow v2#
  • Fixed an issue where closing incidents or tickets did not work for the sc_task ticket type when using mirroring.
  • Fixed an issue where tickets were not assigned to the “Standard” type in the following commands:
    • servicenow-create-ticket
    • servicenow-update-ticket

Shift Management Pack v1.1.3#

Scripts#

GetOnCallHoursPerUser#

Fixed an issue where the output format was incorrect.


Sixgill Darkfeed - Annual Subscription Pack v1.2.2 (Partner Supported)#

Integrations#

Sixgill_Darkfeed#

Metadata improvements.


ThreatConnect Pack v2.0.9#

Integrations#

ThreatConnect v2#
  • Fixed an issue in the reputation commands where fetching indicators from multiple owners did not work.
  • Updated the Docker image to: demisto/threatconnect-py3-sdk:1.0.0.12410.

Unit42 Feed Pack v1.1.0#

Integrations#

Unit42 Feed#
  • STIX Report indicators are now fetched from the feed.
  • The feed now uses multiprocessing.

VirusTotal Pack v1.0.2#

Integrations#

VirusTotal#

Breaking Change: The file command now returns multiple entries (entry per indicator) instead of a single entry.


VirusTotal - Private API Pack v1.0.5#

Integrations#

VirusTotal - Private API#

Added the ResponseContentSHA256 and ResponseHeaders outputs to the vt-private-get-url-report command. These outputs are returned when the allInfo argument is set.


Workday Pack v1.0.4#

Classifiers#

New: Workday Classifier#

Added a classifier for Workday incidents.

New: IAM Sync User - Workday#

Maps a User Profile data to a Workday user data.

Integrations#

New: Workday IAM#
  • Use the Workday IAM integration as part of the Identity Lifecycle Management premium pack.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Zimperium Pack v1.0.5#

Integrations#

Zimperium#

Breaking Change: The file command now returns multiple entries (entry per indicator) instead of a single entry.


iDefense Pack v2.0.0#

Integrations#

New: iDefense v2#

Added a new version for the iDefense integration that provides intelligence regarding security threats and vulnerabilities.

iDefense (Deprecated)#

Deprecated. Use the iDefense v2 integration instead.


okta Pack v2.0.0#

Classifiers#

New: User Profile - Okta (Incoming)#

Maps an Okta user data to a User Profile data.

New: User Profile - Okta (Outgoing)#

Maps a User Profile data to an Okta user data.

Integrations#

New: Okta IAM#
  • Integrate with Okta's Identity Access Management service to streamline users' lifecycle processes.
  • Updated the Docker image to: demisto/python3:3.8.5.10845.

urlscan.io Pack v1.0.5#

Integrations#

urlscan.io#

Added support for IPv6 addresses in the urlscan-search command.


Assets#