Cortex XSOAR Content Release Notes for version 20.12.0 (214195)

Published on 08 December 2020

Breaking Changes

The following packs include breaking changes.

New: Google Drive Pack v1.0.0

Classifiers

Google Drive - Classifier

Classifies Google Drive Incidents.

Google Drive - Incoming Mapper

Maps incoming Google Drive incident fields.

Incident Fields

  • Google Drive Activity Added Parents - The added parent object(s).
  • Google Drive Activity Added Permissions - The set of permissions added by this change.
  • Google Drive Activity Assigned Current User - True if this is the user making the request.
  • Google Drive Activity Assigned Deleted User - A user whose account has since been deleted.
  • Google Drive Activity Assigned Person Name - The user to whom the comment was assigned.
  • Google Drive Activity Assigned Unknown User - A user about whom nothing is currently known.
  • Google Drive Activity Assignment Subtype - The sub-type of this event.
  • Google Drive Activity Copied Folder Type - The type of a Drive folder.
  • Google Drive Activity Copied Item Is File - A Drive item which is a file.
  • Google Drive Activity Copied Item Name - The target Drive item. The format is "items/ITEM_ID".
  • Google Drive Activity Copied Item Title - The title of the Drive item.
  • Google Drive Activity Copied Shared Drive Name - The resource name of the shared drive.
  • Google Drive Activity Copied Shared Drive Title - The title of the shared drive.
  • Google Drive Activity Created New - Indicates the object was newly created (e.g., as a blank document), not derived from a Drive object or external object.
  • Google Drive Activity DLP Change Type - The type of Data Leak Prevention (DLP) change.
  • Google Drive Activity Delete Type - The type of delete action taken.
  • Google Drive Activity Identified As - The actions that are identified with the event.
  • Google Drive Activity Mentioned Users - Users who are mentioned in this comment.
  • Google Drive Activity New Title - The new title of the drive object.
  • Google Drive Activity Old Title - The previous title of the drive object.
  • Google Drive Activity Post Subtype - The sub-type of this event.
  • Google Drive Activity Reference Type - The reference type corresponding to this event.
  • Google Drive Activity Removed Parents - The removed parent object(s).
  • Google Drive Activity Removed Permissions - The set of permissions removed by this change.
  • Google Drive Activity Restore Type - The type of restore action taken.
  • Google Drive Activity Restriction Changes - The set of changes made to the restrictions.
  • Google Drive Activity Suggestion Subtype - The sub-type of this event.
  • Google Drive Activity Targets - The targets of the event.
  • Google Drive Activity Uploaded - Indicates the object originated externally and was uploaded to the Drive.

Incident Types

Google Drive Activity

Integrations

Google Drive

Google Drive enables users to store files on their servers, synchronize files across devices, and share files. This integration helps you to create a new drive, query past activity, and view change logs performed by the users.

Layouts

  • Google Drive Activity - Summary
  • Google Drive Activity - Mobile
  • Google Drive Activity - Quick View

New: IAM SCIM Pack v1.0.0

Classifiers

User Profile - SCIM (Incoming)
User Profile - SCIM (Outgoing)

New: Microsoft Graph API Pack v1.0.0

Integrations

Microsoft Graph API

Use the Microsoft Graph API integration to interact with Microsoft APIs that do not have dedicated integrations in Cortex XSOAR, for example, Mail Single-User.


New: RSS Pack v1.0.0 (Community Contributed)

Integrations

RSS

Simple RSS reader that can ingest new items as incidents.


New: XM Cyber Pack v1.0.1 (Partner Supported)

Classifiers

XM Cyber Incident Classifier

Classifies XM Cyber alerts and events as one of four incident types.

XM Cyber Entity from Crowdstrike

Maps Crowdstrike Falcon incident data to XM Cyber fields for automatic enrichment.

XM Cyber Incident Mapper

Maps fields from XM Cyber incidents.

Incident Fields

  • Critical Assets at Risk
  • Affected Entities
  • Affected Entities List
  • Average Complexity Level
  • Average Complexity of Compromise
  • Compromising Techniques
  • Critical Assets At Risk
  • Critical Assets at Risk Level
  • Critical Assets at Risk List
  • Entity ID
  • Entity IP Address
  • Entity Name
  • Entity Report
  • Entity Type
  • Is Entity Critical Asset
  • Security Score
  • Security Score Grade
  • Security Score Trend
  • Technique Advices
  • Technique Affected Assets
  • Technique Affected Assets Trend
  • Technique Best Practice
  • Technique Choke Points
  • Technique Description
  • Technique Mitre
  • Technique Name
  • XM Cyber Dashboard
  • XM Cyber Technique Report

Incident Types

  • XM Cyber Choke Point
  • XM Cyber Critical Asset
  • XM Cyber Security Score
  • XM Cyber Technique

Integrations

XM Cyber

XM Cyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on changes in the overall risk score, risk to assets, or impacting attack techniques. Additionally, incidents are enriched with incoming attack vectors to the incident's endpoints, and critical assets at risk from the incident.

Playbooks

Create Jira Ticket - XM Cyber

XM Cyber generates a Jira ticket based on the trend in the Security Score.

Endpoint Enrichment - XM Cyber

Enriches an endpoint by hostname using the XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more.

IP Enrichment - XM Cyber

Enriches IP addresses using the XM Cyber integration.

  • Resolve IP address to the entity.
  • Get entity information for the IP addresses regarding the impact on critical assets and complexity of compromise.
Scan and Isolate - XM Cyber

An example of a playbook using data from the XM Cyber integration to help decide about scanning and isolating a threat.


New: xMatters Pack v1.0.0 (Partner Supported)

Integrations

xMatters

Enables security personnel to trigger events in xMatters to notify a user and then process their response.

Playbooks

xMatters - Example Conditional Actions

Example playbook showing how to use the Trigger and Wait sub-playbook to fire an event to xMatters and wait for a response from a user. This playbook then inspects the user's chosen response and branches accordingly.

xMatters - Wait for Response

Trigger an xMatters workflow to notify a user for a response.

Scripts

CloseTaskSetContext

Close a task with the closeComplete command and add the "comments" to the incident context.

WaitForKey

A simple loop to inspect the context for a specific key. If the key is not found after the "iterations" loops, the script exits with a message.


AbuseIPDB Pack v1.0.1

Integrations

AbuseIPDB

Fixed an issue where the ip command failed when unknown categories were returned.


Akamai WAF Pack v1.0.2

Integrations

Akamai WAF
  • Added support for the extended and include_elements arguments in the akamai-get-network-lists command.
  • Updated the Docker image to: demisto/akamai:1.0.0.13142.

AlphaSOC Network Behavior Analytics Pack v1.0.2 (Partner Supported)

Integrations

AlphaSOC Network Behavior Analytics

Fixed an issue where the minimum severity was not used when fetching incidents.


ArcSight ESM Pack v1.0.7

Integrations

ArcSight ESM v2

Improved the error message that is returned when an invalid Query Viewer ID is entered.


Atlassian Jira Pack v1.2.7

Integrations

Atlassian Jira v2
  • Fixed an issue where dates were not handled properly when mirroring.
  • Fixed an issue where unsupported commands were not handled correctly.
  • Fixed an issue where the projectKey and issueTypeId parameters were marked as mandatory, which caused a backwards compatibility issue. Both parameters are now optional.
  • Fixed an issue where the OAuth 1.0 configuration did not work properly in the jira-issue-upload-file command.
  • Internal code improvements.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.13983.

AutoFocus Pack v1.1.11

Integrations

Palo Alto Networks AutoFocus v2

Fixed an issue where the file command returned a 404 status code.


Azure Compute Pack v1.0.3

Integrations

Azure Compute v2

Maintenance and stability enhancements.


Azure Log Analytics Pack v1.0.2

Integrations

Azure Log Analytics (Beta)

Maintenance and stability enhancements.


Azure Security Center Pack v1.1.4

Integrations

Azure Security Center v2

Maintenance and stability enhancements.


AzureSentinel Pack v1.0.5

Integrations

Azure Sentinel (Beta)
  • Added the expand_entity_information argument in the azure-sentinel-get-entity-by-id command. This argument indicates whether to retrieve additional information about the entity.
  • Maintenance and stability enhancements.

Base Pack v1.4.2

Scripts

CommonServerPython
  • Added the following classes to support the get-modified-remote-d mirroring command.
    • GetModifiedRemoteDataArgs
    • GetModifiedRemoteDataResponse
  • Added the following classes to support the Certificate standard context.
    • Common.Certificate
    • Common.CertificatePublicKey
    • Common.CertificateExtension
    • Common.GeneralName
  • Added the arg_to_number function.
  • Added the arg_to_datetime function.
  • Improved how CommandResults handles empty lists provided as outputs.
  • Fixed an issue encountered when using the demisto/python3:latest Docker image. The Automation/Integration was failing with an error: 'timezone' is not defined.
  • Fixed minor bugs in the CommandResults class.

BeyondTrust Password Safe Pack v1.0.2

Integrations

BeyondTrust Password Safe
  • Fixed an issue where context was overwritten in the get-managed-accounts command.
  • Added support for simultaneous requests.
  • Improved debugging messages.
  • Updated the Docker image to: 3.8.6.13358.

Box Pack v1.0.1

Integrations

Box

Fixed an issue where the force argument was sent as a string instead of a boolean in the box_delete_user command.


Carbon Black Cloud Enterprise EDR Pack v1.1.1

Integrations

VMware Carbon Black Enterprise EDR
  • Fixed an issue where the sort_field argument had invalid options in the cb-eedr-list-alerts command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Carbon Black Enterprise Response Pack v1.1.2

Integrations

VMware Carbon Black EDR

Renamed the VMware Carbon Black EDR v2 integration to VMware Carbon Black EDR.


Check Point Firewall Pack v2.0.5

Integrations

Check Point Firewall v2
  • Breaking Change: Updated the checkpoint-package-list command output. Changed the output prefix from: CheckPoint.Packages to CheckPoint.Package.
  • Fixed an issue in the checkpoint-host-delete command where the identifier argument was not processed properly.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Cisco ISE Pack v1.0.1

Integrations

Cisco ISE
  • Added 2 commands:
    • cisco-ise-get-session-data-by-ip
    • cisco-ise-remove-policy
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Cisco Threat Grid Pack v1.1.3

Playbooks

Detonate URL - ThreatGrid

Fixed an issue where the playbook outputs did not match the integration outputs.

Detonate File - ThreatGrid

Fixed an issue where the playbook outputs did not match the integration outputs.


Common Scripts Pack v1.2.85

Scripts

RunPollingCommand

Added support for non-english characters in the ids argument.

URLDecode
  • Added unit testing and linting.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.
PCAPMiner
  • Deprecated. Use the PCAPMinerV2 pack instead.
  • Updated the Docker image to: demisto/dempcap:1.0.0.14059
New: GetDomainDNSDetails

Returns DNS details for a domain.

New: AddKeyToList

Adds/replaces a key in the key/value store backed by an XSOAR list.

New: RemoveKeyFromList

Removes a key from the key/value store backed by an XSOAR list.

New: CopyNotesToIncident

Copy all entries marked as notes from the current incident to another incident.

New: GenerateRandomUUID

Generates a random UUID (UUID 4).


Common Types Pack v2.4.0

Incident Fields

  • Alert ID -
    ID of the alert.
  • Alert Name -
    Name of the alert.
  • Error Message - Long-text field that provides a detailed description of the error.
  • Error Code - UID for the error type that occurred.
  • User Id - UID for the user in the application.

Cortex Data Lake Pack v1.2.9

Integrations

Cortex Data Lake

Added the transform_results argument to the cdl-query-logs command. This argument indicates whether query results should be mapped into the standard command context.


CrowdStrike Falcon Sandbox Pack v1.0.3

Integrations

CrowdStrike Falcon Sandbox

Breaking Change - Replaced the API endpoint used for the crowdstrike-get-environments command as it was changed in the product.


CrowdStrike Falcon Streaming Pack v1.0.13

Integrations

CrowdStrike Falcon Streaming v2
  • Improved handling of cases where event stream resources were not discovered.
  • Added a validation that checks if the app ID complies with the legal format (i.e., maximum of 32 alphanumeric characters (a-z,A-Z,0-9)).
  • Updated the Docker image to: demisto/aiohttp:1.0.0.13810.

Cybereason Pack v1.0.6

Integrations

Cybereason

Fixed an issue where a process without a type caused the cybereason-malop-processes command to fail.


Devo Pack v1.0.1

Integrations

Devo v2
  • Fixed an issue where the Trust any certificate (not secure) integration parameter did not work as expected.
  • Updated the Docker image to: demisto/devo:1.0.0.13898.

EWS Pack v1.4.3

Integrations

EWS O365

Maintenance and stability enhancements.


FireEye HX Pack v1.0.7

Integrations

FireEye HX
  • Improved implementation of how the integration commands process outputs.
  • Fixed an issue where the version was not handled properly in the fireeye-hx-host-containment command.

Generic Webhook Pack v1.0.1

Integrations

Generic Webhook

Fixed an issue where the integration did not reset the credentials if the credentials were deleted.


GenericSQL Pack v1.0.8

Integrations

Generic SQL
  • Added support for an empty database name when specifying service_name for Oracle connection arguments.
  • Updated the Docker image to: demisto/genericsql:1.1.0.13618.

GitHub Pack v1.1.2

Integrations

New: GitHub IAM

Integrates with GitHub's services to perform Identity Lifecycle Management operations.


Google Cloud Functions Pack v1.0.2

Integrations

Google Cloud Functions
  • Improved handling in cases where Google Cloud functions were found.
  • Updated the Docker image to: demisto/google-api-py3:1.0.0.13945.

HelloWorld Pack v1.1.13 (Community Contributed)

Integrations

HelloWorld

Moved several helper functions to the CommonServerPython script.


IntSights Pack v1.0.1

Integrations

IntSights

General documentation improvements.


Integrations & Incidents Health Check Pack v1.1.8

Scripts

GetFailedTasks

Improved error handling in the event that the Cortex XSOAR REST API integration fails.


Logz.io Pack v1.1.2 (Partner Supported)

Integrations

Logz.io

Updated the Docker image to: demisto/python3:3.8.6.13358.


Luminate Pack v1.0.2 (Community Contributed)

Integrations

Luminate

Updated the Docker image to: demisto/luminate:1.0.0.14061.


McAfee ESM Pack v1.1.2

Integrations

McAfee ESM v2
  • Fixed an issue where the timeout argument was not handled correctly in the esm-search command.
  • Fixed an issue where no results were returned if the limit argument was set to a product of the number 50 (e.g., 100, 150, 200, etc.) in the esm-search command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Microsoft Defender Advanced Threat Protection Pack v1.2.5

Integrations

Microsoft Defender Advanced Threat Protection

Maintenance and stability enhancements.


Microsoft Endpoint Configuration Manager Pack v1.0.1

Integrations

Microsoft Endpoint Configuration Manager
  • Added 2 commands:
    • ms-ecm-device-get-collection-member-
      Gets a Configuration Manager device by querying the SMS_CM_RES_COLL_SMS00001 class.
    • ms-ecm-device-get-resource-
      Gets a Configuration Manager device by querying the SMS_R_System class.
  • Removed the ms-ecm-user-get-primary command and added the ms-ecm-get-user-device-affinity command instead.
  • Modified the ms-ecm-device-list command to return only the name and resource ID.
  • Fixed a typo in the following:
    • The ms-ecm-user-last-log-on command output.
    • The collection type argument for the ms-ecm-collection-list command.
  • Fixed a bug in the following service commands:
    • ms-ecm-service-start
    • ms-ecm-service-stop
    • ms-ecm-service-restart
  • Supports polling for the following commands:
    • ms-ecm-service-start
    • ms-ecm-service-stop
    • ms-ecm-service-restart
    • ms-ecm-script-invocation-results

Microsoft Graph Calendar Pack v1.0.4

Integrations

Microsoft Graph Calendar

Maintenance and stability enhancements.


Microsoft Graph Device Management Pack v1.0.4

Integrations

Microsoft Graph Device Management (Microsoft Intune)

Maintenance and stability enhancements.


Microsoft Graph Files Pack v1.0.3

Integrations

Microsoft Graph Files

Maintenance and stability enhancements.


Microsoft Graph Groups Pack v1.0.3

Integrations

Microsoft Graph Groups

Maintenance and stability enhancements.


Microsoft Graph Mail Pack v1.0.14

Integrations

Microsoft Graph Mail

Maintenance and stability enhancements.


Microsoft Graph Mail Single User Pack v1.0.11

Integrations

Microsoft Graph Mail Single User

Maintenance and stability enhancements.


Microsoft Graph Security Pack v2.0.6

Integrations

Microsoft Graph Security

Maintenance and stability enhancements.


Microsoft Graph User Pack v1.3.5

Integrations

Microsoft Graph User

Maintenance and stability enhancements.


Microsoft Management Activity API (O365/Azure Events) Pack v1.1.4

Integrations

Microsoft Management Activity API (O365 Azure Events)

Maintenance and stability enhancements.


PAN-OS Pack v1.6.8

Integrations

Palo Alto Networks PAN-OS
  • Added the Panorama.Monitor.Logs.Vsys output field in the panorama-get-logs command.
  • Documentation and metadata improvements.

Playbooks

Panorama Query Logs

Added the Panorama.Monitor.Logs.Vsys output in the sub-playbook outputs.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.13

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response
  • Added support for the get-modified-remote-data command which returns a list of modified incidents since the last update. The get-remote-data incoming mirror command, will run only on the modified incidents identified by this command. For more information, see our documentation.
  • Added PaloAltoNetworksXDR.Incident.alerts.host_ip_list to the context output for the xdr-get-incident-extra-data command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Phishing Pack v1.11.0

Playbooks

Phishing - Core

Improved the email message that is sent to the user who reported the suspicious email.


RSA Archer Pack v1.1.6

Integrations

RSA Archer v2
  • Fixed an issue where the archer-create-record command did not create records.
  • Fixed an issue in the fetch-incident command where there was a mismatch between timezones.
  • Added support for the Use European Time format integration parameter in the fetch-incidents command. Use this parameter when RSA Archer is using European date notations (e.g., DD/MM/YYYY).
  • Added support for associating a file with a record in the archer-upload-file command.
  • Improved documentation by adding explanations and examples for the archer-create-record command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Rundeck Pack v1.0.1

Integrations

Rundeck

Added an image to the integration.


ServiceNow Pack v2.0.1

Classifiers

New: User Profile - ServiceNow (Incoming)

Maps ServiceNow user data to User Profile data.

New: User Profile - ServiceNow (Outgoing)

Maps User Profile data to ServiceNow user data.

Integrations

ServiceNow v2
  • Fixed an issue where unsupported commands were not handled correctly.
  • Added support for OAuth 2.0 authentication.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.13983.
New: ServiceNow IAM

Integrates with ServiceNow's services to perform Identity Lifecycle Management operations.


SplunkPy Pack v1.2.5

Playbooks

Splunk Indicator Hunting

Fixed the playbook is enabled task.


SumoLogic Pack v1.0.3

Integrations

SumoLogic

Fixed an issue where duplicate aggregate records were fetched.


Tanium Pack v1.0.4

Integrations

Tanium v2
  • Fixed an issue where parameters were not handled properly if they contained the characters '=' or ';'.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

VMware Pack v1.1.0

Integrations

VMware
  • Added the vmware-change-nic-state command, which changes the state of a VM NIC.
  • General documentation improvements.

okta Pack v2.1.1

Classifiers

New: Okta IAM - App Sync (mapper)

Maps Okta log event attributes to incident fields (used for Identity and Lifecycle Management).

New: Okta IAM - App Sync (classifier)

Classifies Okta log events (used for Identity and Lifecycle Management).

Integrations

Okta IAM
  • Added the fetch-incidents command to support application synchronization for Identity and Lifecycle Management.
  • Added the okta-get-assigned-user-for-app command.
  • Maintenance and stability enhancements.

Assets