Cortex XSOAR Content Release Notes for version 20.11.1 (196572)

Published on 22 November 2020

Breaking Changes

Several packs include breaking changes.

New: Asset Pack v1.0.0

Base pack with incident fields for any packs requiring asset fields.

Incident Fields

  • Asset Table - A table view of all assets related to the offense.
  • Description - Asset - The description of the asset.
  • ID - Asset - The ID of the asset.
  • IP Address - Asset - The IP address provided for the asset.
  • Location - Asset - The location of the asset.
  • MAC Address - Asset - The MAC address provided for the asset. Switch ID - Asset - The ID of the switch the asset is connected to.
  • Switch Port ID - Asset The ID of the switch port the asset is connected to.

New: Cisco ESA IronPort Email API Pack v1.0.0 (Community Contributed)

Integrations

Cisco IronPort EMail API

Searches IronPort email traffic for spam and quarantines relevant emails.


New: CyberX - Central Manager Pack v1.0.0 (Community Contributed)

Integrations

CyberX - Central Manager

Updates alerts in CyberX Central Manager. CyberX's Central Manager enables users and groups to be centrally managed from a single console, with varying permission levels.


New: FortiManager Pack v1.0.0

Integrations

FortiManager

FortiManager is a single console central management system that manages Fortinet devices.

Playbooks

FortiManager - Install Policy Package on Device

Installs a FortiManager firewall policy package on a given device.


New: G Suite Admin Pack v1.0.0

Integrations

G Suite Admin

G Suite, or Google Workspace Admin, is an integration that performs an action on IT infrastructure, creates users, updates settings, and performs additional administrative tasks.


New: Generic Webhook Pack v1.0.0

Integrations

Generic Webhook

The Generic Webhook integration is used to create incidents on event triggers. The trigger can be any query posted to the integration.


New: Google Calendar Pack v1.0.0

Integrations

Google Calendar

Google Calendar is a time-management and scheduling calendar service developed by Google. This integration helps you to perform various tasks on the access control list (ACL).


New: Palo Alto Networks Enterprise DLP Pack v1.0.0

Integrations

Palo Alto Networks Enterprise DLP

Use the Palo Alto Networks Enterprise DLP integration to discover and protect company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.


New: Palo Alto Networks Threat Vault Pack v1.0.0

Integrations

Palo Alto Networks Threat Vault

Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent.

Playbooks

PANW Threat Vault - Signature Search

Initiates a Signature Search in the Palo Alto Networks Threat Vault.


New: Rundeck Pack v1.0.0

Integrations

Rundeck

Rundeck is a runbook automation for incident management, business continuity, and self-service operations. The integration enables you to install software on a list of machines or perform a task periodically. The integration can be used when you want to perform an update of the software to block a new attack.

Playbooks

Rundeck-job-execute-Generic

This playbook executes a job and exits when it successfully finishes.


New: Viper Pack v1.0.0 (Community Contributed)

Integrations

Viper

Viper is a binary analysis and management framework. It provides a solution to easily organize your collection of malware and exploit samples as well as the collection of scripts you created or found over time to facilitate your daily research.


AWS - CloudTrail Pack v1.0.4

Integrations

AWS - CloudTrail
  • Fixed an issue where an error was raised if an event was missing some fields in the aws-cloudtrail-lookup-events command.
  • Updated the Docker image to: demisto/boto3:2.0.0.13676.

AlienVault Feed Pack v1.0.7

Integrations

AlienVault OTX TAXII Feed
  • Added the First fetch timestamp parameter to enable incremental fetches.
  • Added the firstseenbysource field to the fetched indicators.
  • Updated the Docker image to: demisto/taxii:1.0.0.12553.

AlienVault USM Anywhere Pack v1.0.2

Integrations

AlienVault USM Anywhere
  • Fixed an issue where the alienvault-search-events command did not return events.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

AlphaSOC Network Behavior Analytics Pack v1.0.1 (Partner Supported)

Integrations

AlphaSOC Network Behavior Analytics

Changed the default value of the Ignore events below severity parameter from 3 to 4.


Anomali ThreatStream Pack v1.0.7

Integrations

Anomali ThreatStream v2

Fixed an issue where the threatstream-get-indicators command did not return more than 1,000 indicators.


ApiModules Pack v2.0.0

Scripts

CrowdStrikeApiModule

You can now use custom URLs using the Server URL integration parameter.

New: GSuiteApiModule

Common G Suite code that will be appended to each Google/GSuite integration when it is deployed. The GSuiteApiModule contains the authentication methods for the Google integrations along with some helper functions.


Atlassian Jira Pack v1.2.2

Integrations

Atlassian Jira v2
  • Fixed an issue in the jira-create-issue command where the reporter argument referred to the reporter’s name and not the reporter's account ID.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.13073.

AutoFocus Pack v1.1.10

Integrations

Palo Alto Networks AutoFocus v2

Fixed an issue where the autofocus-sample-analysis command failed when data was 'Not Available'.


Azure Feed Pack v1.0.3

Integrations

Azure Feed
  • Added the Azure service in the Indicators field.
  • Updated the Docker image to the latest version.

Base Pack v1.3.40

Scripts

CommonServerPython
  • Removed the log print of the object stored in the integration cache.
  • Added support for the IgnoreAutoExtract argument in the CommandResults object.
  • Added a default value for the url_suffix argument in the BaseClient _http_request method.
  • Maintenance and stability enhancements.
GetIncidentsByQuery

Added support for wildcards in the incident types argument.

DBotMLFetchData

Updated support for custom phishing types in the incident fetch query.

DBotTrainTextClassifierV2

Updated the calculation of the minimum precision to be the minimum score of the precision per-class scores.

DBotPreProcessTextData

Removed log messages for texts that exceed the maximum allowed text length.

GetMLModelEvaluation

Merged two result entries to a single entry.

DBotBuildPhishingClassifier

Added an enhancement to fetch only incidents of labels which are relevant for model training.


Bastille Networks Pack v1.0.2 (Partner Supported)

Integrations

Bastille Networks
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
  • Documentation and metadata improvements.

Bmc Helix Remedyforce Pack v1.0.2

Integrations

BMC Helix Remedyforce
  • Added support for the impact_id argument in the following commands.
    • bmc-remedy-incident-create
    • bmc-remedy-incident-update
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

CVE Search Pack v1.0.3

Integrations

CVE Search v2

Updated the following commands to return a different result for each indicator.

  • cve
  • cve-latest

Scripts

cveReputation

Fixed an issue where the script returned DBotScore 3 when no CVE was found.


Carbon Black Enterprise Live Response Pack v1.1.0

Integrations

VMware Carbon Black EDR (Live Response API)
  • The cb-file-get command is no longer deprecated and is available for use.
  • Added the download argument to the cb-get-file-from-endpoint command. If "true", will download the file from the CarbonBlack server. Default is "true". Set to false for large files.

Playbooks

New: Carbon Black Live Response - Download File

Downloads a file from a sensor.

New: Carbon Black Live Response - Wait Until Command Complete

Polls the command status until the playbook finishes with an error or it completes.

New: Carbon Black Live Response - Create active session

Creates an active session. If the active session already exists, will use the existing session.


Chronicle Pack v1.1.3 (Partner Supported)

Incident Fields

Added the following incident fields:

  • Chronicle Last Seen
  • Chronicle IOC Ingest Time
  • Chronicle First Seen
  • Chronicle Domain Name
  • Chronicle DBot Score
  • Chronicle Auto Block Entities

Incident Types

Chronicle IOC Domain Matches

Indicator Fields

Added the following indicator fields:

  • ChronicleAssetHostname - Hostname associated with the ChronicleAsset
  • ChronicleAssetIP - IP Address associated with the ChronicleAsset
  • ChronicleAssetMAC - MAC Address associated with the ChronicleAsset
  • ChronicleAssetProductID - Product ID associated with ChronicleAsset

Indicator Types

ChronicleAsset

Integrations

Chronicle

Removed a redundant 'else'.

Layouts

Added the following new layouts:

  • layout-quickView-Chronicle_IOC_Domain_Matches.json
  • layout-mobile-Chronicle_IOC_Domain_Matches.json
  • layout-edit-Chronicle_IOC_Domain_Matches.json

Playbooks

Threat Hunting - Chronicle
  • Use this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise.
  • This playbook also creates indicators for the entities fetched while investigating and enriches them.
Investigate On Bad Domain Matches - Chronicle
  • Use this playbook to investigate and remediate bad IOC domain matches with recent activity found in the enterprise.
  • With this playbook, you can notify the SOC lead and network team about bad IOC domain matches with recent activity found in the enterprise.

Scripts

ExtractDomainFromIOCDomainMatchRes

Extracts a domain and its details from the Chronicle IOC Domain match response.

ConvertDomainToURLs

Converts domain(s) into URL(s).

ChronicleDomainIntelligenceSourcesWidgetScript

A widget script for layouts that shows the details of the sources in the Chronicle Domain Intelligence Sources section of the incident.

ChronicleDBotScoreWidgetScript

A widget script for layouts that shows the DBot score and the reputation of the domain.

ChronicleAssetIdentifierScript

Collects all asset identifiers in the context: hostname, IP address, and MAC address.

ListDeviceEventsScript

Lists all of the events discovered within your enterprise on a particular device.

ChronicleAsset

New asset type.


Cisco AMP Pack v1.1.0

Integrations

Cisco AMP
  • Fixed an issue where commands would fail due to a syntax error that occurred while creating their query parameters.
  • Added the following commands.
    • amp_delete_computers_isolation - Request to unlock a computer.
    • amp_put_computers_isolation - Request to lock a computer.
    • amp_get_computers_isolation - Returns the isolation status of a computer.

Cisco Umbrella Investigate Pack v1.0.2

Integrations

Cisco Umbrella Investigate

Fixed an issue where the regex for email address validation in the umbrella-get-domains-for-email-registrar command did not work as intended.


Cisco WebEx Feed Pack v1.1.1

Integrations

Cisco WebEx Feed
  • Removed the duplicate parameter Fetches Indicators from the feed configuration.
  • Updated the Docker image to: btfl-soup:1.0.1.12410.
  • Maintenance and stability enhancements.

Playbooks

New: Check WebEx Feed
  • Checks that the WebEx webpage is reachable and does not create an error.
  • Updated the Docker image to: demisto/btfl-soup:1.0.1.12768.

Code42 Pack v2.0.7 (Partner Supported)

Documentation and metadata improvements.


Common Scripts Pack v1.2.82

Scripts

New: OnionURLReputation

This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.

ExtractIndicatorsFromWordFile

Fixed an issue where the script could not process all of the files.

ExtractDomainAndFQDNFromUrlAndEmail

Fixed an issue where the script recognized emails as domains.

New: VerifyIPv6Indicator
  • Formatting script for IPv6 to verify that the address is a valid IPv6 address.
  • Removed the UnEscapeIPv6Indicator formatting script.
SearchIncidentsV2
  • Fixed an issue where multiple context results were outputted for the same incident ID.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.
DockerHardeningCheck
  • Updated the description with an updated link to the Docker Hardening Guide.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.
ParseEmailFiles

Added support for ISO-8859 text in the smime.p7m file type.

DeleteContext

Fixed an issue where all of the context data in the current sub-playbook were not deleted when all = yes and subplaybook = yes/auto.


Common Types Pack v2.2.4

Incident Fields

  • Post Nat Destination IP
  • Src Ports
  • Start Time
  • Source IPs
  • Raw Event
  • Destination IPs
  • High Level Categories
  • Post Nat Source Port
  • Closing User
  • Pre Nat Destination Port
  • Close Time
  • Post Nat Destination Port
  • DNS Name
  • Dst Ports
  • Technical Owner
  • Traffic Direction
  • Post Nat Source IP
  • Pre Nat Source IP
  • Device Time
  • Usernames
  • Source IPV6
  • Source MAC Address
  • Destination Geolocation
  • Source Geolocation
  • Destination IPV6
  • Pre Nat Source Port
  • Technical User
  • Technical Owner Contact
  • Event Names
  • Destination MAC Address
  • Closing Reason
  • Low Level Categories Events
  • CVSS Collateral Damage Potential
  • Number Of Log Sources
  • Last Update Time
  • CVSS Integrity Requirement
  • CVSS Availability Requirement
  • Events
  • Log Source Type
  • Protocol - Event
  • Compliance Notes
  • Category Count
  • List Of Rules - Event
  • Log Source Name
  • CVSS Confidentiality Requirement
  • Follow Up
  • Event Descriptions

Indicator Types

IPv6 - Changed the regex so that it will extract only the common shape addresses of IPv6.


ConcentricAI Pack v1.0.1 (Partner Supported)

Documentation and metadata improvements.


Coralogix Pack v1.0.2 (Partner Supported)

Documentation and metadata improvements.


Cortex Data Lake Pack v1.2.8

Integrations

Cortex Data Lake
  • Fixed an issue where fetch-incidents created duplicate incidents.
  • Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.13088.

CrowdStrike Falcon Pack v1.2.8

Integrations

CrowdStrike Falcon
  • Fixed an issue where the test module failed on authentication.
  • Added support for running the cs-falcon-run-script command with a configurable timeout (in seconds), including a session refresh every 5 minutes.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

CrowdStrike Falcon Intel Pack v2.0.8

Integrations

CrowdStrike Falcon Intel v2

You can now use custom URLs using the Server URL integration parameter.


CrowdStrike Falcon Sandbox Pack v1.0.2

Integrations

CrowdStrike Falcon Sandbox
  • Fixed an issue where the crowdstrike-result command did not work in case the file argument was not provided.
  • Updated the report data download endpoint as the previous one was deprecated.

CrowdStrike Falcon Streaming Pack v1.0.12

Integrations

CrowdStrike Falcon Streaming v2
  • Fixed an issue in which the request to refresh the stream session was not sent properly.
  • General documentation improvements.

CrowdStrike Malquery Pack v1.0.1

Integrations

CrowdStrike Malquery

Breaking Change: The file command was changed to return multiple entries (entry per indicator) instead of a single entry.


Crowdstrike Falcon Intel Feed Pack v1.0.3

Integrations

Crowdstrike Falcon Intel Feed

Fixed a visual issue in the instance configuration.


Cuckoo Sandbox Pack v1.0.1

Integrations

Cuckoo Sandbox

Updated the get-task-report command to include file information in context.


CyberTotal Pack v1.0.3 (Partner Supported)

Documentation and metadata improvements.


Cybereason Pack v1.0.5

Integrations

Cybereason

Improved handling of authorization errors.


DomainTools Iris Pack v1.0.4 (Partner Supported)

Integrations

DomainTools Iris
  • Added the API URL configuration parameter.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

EWS Pack v1.4.2

Integrations

EWS v2
  • Added the show_only_recipients argument to the ews-o365-get-compliance-search command, which will return recipients to context.
  • Added an error message when trying to pull incidents with an incorrect exchange version.

EWS Mail Sender Pack v1.1.0

Integrations

EWS Mail Sender
  • Added the reply-mail command which sends an email reply to a given message using EWS.
  • Updated the Docker image to: demisto/py2-exchangelib:1.0.0.13559.

Email Communication Pack v1.3.1

Classifiers

New: Gmail - Classifier - Email Communication -

Classifies Gmail email messages.

New: Gmail - Incoming Mapper - Email Communication

Maps incoming Gmail email message fields.

New: EWS - Incoming Mapper - Email Communication

Maps incoming EWS email message fields.

New: EWS - Classifier - Email Communication

Classifies EWS email messages.

New: EWS v2

Maps incoming EWS email message fields.

Layouts

Email Communication - Changed the original email details section to support email inline images.

Scripts

New: DisplayEmailHtml

Displays the original email in HTML format.

DisplayEmailHtml

Maintenance and stability enhancements.

PreprocessEmail
  • You can now view inline images and attachments for email communication incidents.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.
SendEmailReply
  • Updated the script to reply to a given email message instead of sending a new message.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

ExtFilter Pack v1.1.0

Playbooks

Modified: Test - ExtFilter Main

Added examples for ExtFilter script additions.

Scripts

Modified: ExtFilter

Added the following operators.

  • switch-case
  • collects values
  • collects keys
  • flattens with values
  • flattens with keys

F5 Firewall Pack v1.2.0

Integrations

New: F5 Application Security Manager (WAF)

Use the F5 ASM integration to read information and to manage the F5 firewall.


Farsight DNSDB Pack v2.1.1 (Partner Supported)

Documentation and metadata improvements.


Gmail Pack v1.1.2

Integrations

Gmail
  • Fixed an issue where the test-module did not run properly with fetch incidents.
  • Added the reply-mail command which sends an email reply to a given message using Gmail.
  • Fixed the following issues in the send-mail command:
    • The additionalHeader argument was added to the request only if attachments were received.
    • Attachments were not attached correctly when both the htmlBody and body arguments were received.
  • Updated the Docker image to: demisto/google-api:1.0.0.13775.

Humio Pack v1.0.2 (Partner Supported)

Documentation and metadata improvements.


IBM QRadar Pack v1.2.1

Classifiers

New: QRadar - Generic Incoming Mapper

Default mapping for QRadar offenses, events, and assets.

Incident Fields

  • Offense Inactive
  • Severity - Offense
  • Domain - Offense
  • Destination Network - Offense
  • Description - Offense
  • Type - Offense
  • Credibility - Offense
  • Number Of Fetched Events
  • Number Of Flows
  • List of Rules - Offense
  • Source IP - Offense
  • Source Network - Offense
  • Relevance - Offense
  • Number Of Events In Offense
  • ID - Offense
  • Magnitude - Offense
  • Username Count - Offense
  • Low Level Categories - Offense
  • Status - Offense
  • Destination IP - Offense
  • Link To Offense

Incident Types

Qradar Generic - New incident type.

Layouts

New: Qradar Generic - Displays all of the main offenses, events, and assets data.

Playbooks

The following playbooks were changed so that the task that 'checks if the QRadar integration is enabled prior to executing it' matches the same task in QRadar V2.

  • QRadar - Get offense correlations v2
  • QRadar Indicator Hunting V2
  • TIM - QRadar Add Bad Hash Indicators
  • TIM - QRadar Add Domain Indicators
  • TIM - QRadar Add IP Indicators
  • TIM - QRadar Add Url Indicators
  • TIM - Access Investigation - QRadar

Scripts

New: QRadarPrintAssets

Prints the assets fetched from the offense in table format.

New: QRadarFetchedEventsSum

Displays the amount of fetched events vs the total amount of events in the offense.

New: QRadarPrintEvents

Prints the events fetched from the offense in table format.

New: QRadarMagnitude

Colors the fields in the table according to the magnitude of the QRadar offense. The scale is

  • 1-3 green
  • 4-7 yellow
  • 8-10 red

IBM X-Force Exchange Pack v1.0.5

Integrations

IBM X-Force Exchange v2
  • Fixed an issue where non-existing hashes returned an error in the file command.
  • Fixed an issue where submitting multiple hashes in the file command did not return the correct output.

Integrations & Incidents Health Check Pack v1.1.7

Scripts

GetFailedTasks
  • Added support for Cortex XSOAR multi-tenant environment.
  • Added Demisto-REST-API dependencies.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

IronDefense Pack v1.1.3 (Partner Supported)

Integrations

IronDefense

Updated the Docker image to: demisto/python3:3.8.6.13358.


Logz.io Pack v1.1.1 (Partner Supported)

Documentation and metadata improvements.


McAfee Advanced Threat Defense Pack v1.0.4

Integrations

McAfee Advanced Threat Defense
  • Fixed an issue where setting the submitType argument to '2' or '3' caused a failure in the atd-file-upload command.
  • Fixed an issue where arguments were not handled correctly in the atd-file-upload command.
  • Documentation and metadata improvements.

Playbook

New: Detonate Remote File from URL - McAfee ATD

Added a playbook that detonates a file from a URL using the McAfee Advanced Threat Defense sandbox integration.


Microsoft Cloud App Security Pack v1.0.11

Integrations

Microsoft Cloud App Security
  • Fixed an issue where an error was raised in fetch-incident in case there were no incidents to fetch.
  • Updated the endpoints for the following commands.
    • microsoft-cas-alert-dismiss-bulk
    • microsoft-cas-alert-resolve-bulk
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Microsoft Graph Mail Single User Pack v1.0.10

Integrations

Microsoft Graph Mail Single User

General documentation improvements.


Microsoft Graph Security Pack v2.0.5

Integrations

Microsoft Graph Security
  • Fixed an issue where alerts were not pulled in the fetch incidents flow.
  • Updated the Docker image to: demisto/crypto:1.0.0.12979.

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.3

Integrations

Microsoft Management Activity API (O365 Azure Events)
  • Fixed the spelling of audit.general in the Content types to fetch integration parameter.
  • Updated the Docker image to: demisto/pyjwt3:1.0.0.13142.

Microsoft Teams Pack v1.0.5

Integrations

Microsoft Teams
  • Fixed an issue in which existing users were not found.
  • Updated the Docker image to: demisto/teams:1.0.0.13080.

MongoDB Pack v1.2.0

Integrations

MongoDB
  • Added an option to return only certain fields in the mongodb-query command.
  • Updated the Docker image to: demisto/pymongo:1.0.0.12410.

NTT Cyber Threat Sensor Pack v1.0.1 (Partner Supported)

Documentation and metadata improvements.


Nozomi Networks Pack v1.0.1

Documentation and metadata improvements.


PAN-OS Pack v1.6.6

Integrations

Palo Alto Networks PAN-OS
  • Breaking Change: The following commands now return multiple entries (an entry per indicator) instead of a single entry.
    • url
    • panorama-get-url-category
    • panorama-get-url-category-from-cloud
    • panorama-get-url-category-from-host
  • Added the profile-setting argument to the following commands.
    • panorama-create-rule
    • panorama-edit-rule
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

PANW Comprehensive Investigation Pack v1.3.4

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Fixed a bug in the is enabled tasks.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.11

Playbooks

Cortex XDR - Port Scan

Fixed the ipRanges input.

Cortex XDR - Port Scan - Adjusted
  • Fixed the ipRanges input.
  • Deprecated the InternalIPRange input for this playbook. Use the InternalIPRanges input instead.

Palo Alto Networks IoT Pack v1.0.1

Documentation and metadata improvements.


Palo Alto Networks Threat Vault Pack v1.0.1

Documentation and metadata improvements.


PassiveTotal Pack v2.0.5 (Partner Supported)

Integrations

PassiveTotal v2

Breaking Change: The following commands now return multiple entries (entry per indicator) instead of a single entry.

  • pt-get-pdns-details
  • pt-whois-search
  • pt-get-components

PhishTank Pack v2.0.1

Integrations

PhishTank v2
  • Fixed an issue where the url command did not cache the data.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Phishing Pack v1.10.8

Incident Fields

  • Associated the following incident fields to the Email Communication incident type.
    • Email To
    • Email Body Format
    • Email Received
    • Email Client Name
    • Attachment Name
    • Email HTML
    • Email Subject
    • Email Message ID
    • Attachment ID
    • Email Reply To
    • Email BCC
    • Email Body HTML
    • Email Body
    • Email Headers
    • Email From
    • Email CC
  • Added the following new incident fields
    • Email Latest Message
    • Email HTML Image
    • Email Labels

Prisma Cloud Pack v1.4.0

Classifiers

  • Updated the classifier for the new GCP Kubernetes playbooks.

    • Prisma Cloud - Classifier
    • Prisma Cloud App - Classifier
  • Updated for the new GCP Kubernetes playbooks.

    • RedLock
    • prismaCloud_app
  • Updated the mapper for the new GCP Kubernetes playbooks.
    • Prisma Cloud App - Incoming Mapper
    • Prisma Cloud - Incoming Mapper

Incident Fields

  • Updated the following incident fields.
    • Resource API Name
    • Subscription Type
    • Prisma Cloud Reason
  • Assigned the following incident fields to the GCP Kubernetes Engine Misconfiguration incident type.
    • RRN
    • Prisma Cloud Time
    • Subscription Description
    • Prisma Cloud Rules
    • Prisma Cloud Status
    • Prisma Cloud ID
    • Subscription Name
    • Subscription Updated On
    • Resource Cloud Type
    • Subscription Assigned By
    • System Default
    • Subscription Updated By
    • Subscription Created By
    • Subscription Created On
    • Subscription ID

Incident Types

GCP Kubernetes Engine Misconfiguration - New incident type.

Integrations

Prisma Cloud (RedLock)

Added the redlock-search-config command.

Layouts

The following are new layouts for the GCP Kubernetes Engine Misconfiguration incident types.

  • GCP Kubernetes Engine Misconfiguration Incident
  • GCP Kubernetes Engine Misconfiguration

Playbooks

New: Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration

This playbook remediates Prisma Cloud GCP Kubernetes Engine alerts. It calls sub-playbooks that perform the actual remediation steps.

Remediation:

  • GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled.
  • GCP Kubernetes Engine Clusters have HTTP load balancing disabled.
  • GCP Kubernetes Engine Clusters have Legacy Authorization enabled.
  • GCP Kubernetes Engine Clusters have Master authorized networks disabled.
  • GCP Kubernetes Engine Clusters have Network policy disabled.
  • GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
  • GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled.
  • GCP Kubernetes Engine Clusters have binary authorization disabled.
  • GCP Kubernetes Engine Clusters web UI/dashboard is set to Enabled.
  • GCP Kubernetes Engine Clusters intra-node visibility is disabled.
New: Prisma Cloud Remediation - GCP Kubernetes Engine Cluster Misconfiguration

This playbook remediates the following Prisma Cloud GCP Kubernetes Engine Cluster alerts.

Prisma Cloud policies remediated:

  • GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled.
  • GCP Kubernetes Engine Clusters have HTTP load balancing disabled.
  • GCP Kubernetes Engine Clusters have Legacy Authorization enabled.
  • GCP Kubernetes Engine Clusters have Master authorized networks disabled.
  • GCP Kubernetes Engine Clusters have Network policy disabled.
  • GCP Kubernetes Engine Clusters have Stackdriver Logging disabled.
  • GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled.
  • GCP Kubernetes Engine Clusters have binary authorization disabled.
  • GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled.
  • GCP Kubernetes Engine Clusters intra-node visibility is disabled.

QueryAI Pack v1.0.3 (Partner Supported)

Documentation and metadata improvements.


RTIR Pack v1.0.5

Integrations

RTIR

Fixed an issue where the integration commands failed when non-ASCII characters were passed.


SafeBreach - Breach and Attack Simulation platform Pack v1.1.2 (Partner Supported)

Documentation and metadata improvements.


SentinelOne Pack v1.0.4

Integrations

SentinelOne v2

Updated the description for the sentinelone-get-hash command.


ServiceNow Pack v1.3.11

Integrations

ServiceNow v2

Fixed an issue where multiple query arguments were not allowed in the the following commands.

  • servicenow-query-tickets
  • servicenow-query-table

Shift Management - Assign to Next Shift Pack v1.0.1

Playbooks

Assign Active Incidents to Next Shift

Fixed the reference to the AssignToNextShift automation.


Symantec Data Loss Prevention (Beta) Pack v1.1.1

Integrations

Symantec Data Loss Prevention (Beta)

Fixed an issue where fetch-incidents created duplicate incidents.


Symantec Managed Security Services Pack v1.0.1

Integrations

Symantec Managed Security Services

Fixed an issue where the certificates were not handled appropriately.


VirusTotal - Private API Pack v1.0.6

Integrations

VirusTotal - Private API

Fixed an issue where empty behavior reports were not parsed correctly.


Whois Pack v1.1.7

Integrations

Whois

Added the Domain.Admin context standards to the following commands.

  • domain
  • whois

Workday Pack v1.0.5

Classifiers

IAM Sync User - Workday

Maintenance and stability enhancements.


XSOAR Mirroring Pack v1.0.1

Documentation and metadata improvements.


okta Pack v2.0.2

Integrations

Okta IAM

Maintenance and stability enhancements.


Assets