Microsoft Intune Feed (Available from Cortex XSOAR 5.5) Use the Microsoft Intune Feed integration to get indicators from the feed.
Palo Alto Networks Prisma Access Egress IP feed (Available from Cortex XSOAR 5.5) Dynamically retrieve and whitelist IPs that Prisma Access uses to egress traffic to the internet and SaaS apps.
Smokescreen IllusionBLACK Smokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware in real-time.
ServiceNow v2 Use the ServiceNow integration to help streamline security-related service management and IT operations.
Palo Alto Networks Prisma Access Integrate with Prisma Access to monitor the status of the Service, alert, and take actions.
Microsoft Management Activity API (O365 Azure Events) The Microsoft Management Activity API integration enables you to subscribe or unsubscribe to different audits, receive their content, and fetch new content as incidents.
Google Cloud Functions Google Cloud Functions is an event-driven serverless compute platform that enables you to run your code locally or in the cloud without having to provision servers.
Fixed an issue where resilient.co3 warnings were not disabled.
Fixed an issue where the rs-get-incident command failed with a key error.
Anomali ThreatStream v2 Added support for emojis in file names, when uploading a file to the sandbox.
EWS v2 Fixed an issue where the fetch-incidents command caused a timeout from EWS.
Whois
Fixed an issue where duplicate fields were created by the domain and whois command outputs.
Added support for the Domain.Whois.QueryValue context output in the whois command.
You can now query Whois with subdomains.
Fixed an issue where Whois failed when too many requests were sent.
Fixed an issue where the Whois DBotScore was overwritten with the DBotScore of other vendors.
Microsoft Graph User Added support to authenticate using a self-deployed Azure application.
CVE Search v2 Added support to input multiple CVE IDs in the cve command.
Export Indicators Service Removed the default initial value for the Listen Port parameter.
urlscan.io Fixed an issue where a "download" error message constantly appeared.
AWS Feed Added support for service field mapping.
Expanse Fixed an issue where incident polling did not behave as expected in some situations.
Tor Exit Addresses Feed Fixed an issue where the integration did not fetch indicators.
Palo Alto Networks WildFire v2 Fixed an issue where the wildfire-upload command failed uploading some files.
Fastly Feed Fixed an issue where the integration did not fetch indicators.
Palo Alto Networks PAN-OS EDL Service Removed the default initial value for the Listen Port parameter.
ArcSight ESM v2 Added the as-delete-entries command, which allows the user to delete entries using the resourceId argument.
Generic SQL
Fixed an issue where MySQL default tables were not available for querying.
Added the stack trace and the query error message to error output.
Added support for Oracle connections.
Added support for the limit and skip command arguments in the context output.
Palo Alto Networks PAN-OS EDL Management Removed http/https from the list_items argument in the pan-os-edl-update command, because the third-party service cannot parse entries that contain an http/https scheme.
Securonix
Added the action_parameters argument to the securonix-perform-action-on-incident command.
Improved the name of the fetched incidents to reflect the incident reason.
Fixed an issue where the Incidents to fetch parameter was not taken into account when fetching incidents.
AbuseIPDB Fixed an issue where the API quota limit error was not handled properly.
Palo Alto Networks PAN-OS
panorama-commit-status command: Added warnings as a list of strings to the Entry Context, so the user can see whether any warnings were triggered even if the commit succeeded.
panorama-push-status command: Added warnings as a list of strings to the Entry Context, so the user can see whether any warnings were triggered even if the push succeeded.
GitHub Added support for GitHub bots.
PolySwarm Added the file argument to the file command.
Palo Alto Networks Cortex XDR - Investigation and Response Fixed an issue where the xdr-get-endpoints command failed when returning all the endpoints if no filters were specified.
abuse.ch SSL Blacklist Feed Fixed an issue where indicators were associated with the creationdate field instead of the firstseenbysource field.
Palo Alto Networks AutoFocus v2
Fixed an issue where the file command only accepted a lower-case hash.
Added the artifact argument to the autofocus-search-samples command, which by default is set to "true", and retrieves the artifacts of the sample.
HelloWorld
Added 2 commands:
domain
helloworld-update-alert-status
Improved documentation and comments.
TAXII Server Removed the default initial value for the Listen Port parameter.
TruSTAR
Added 3 commands:
trustar-get-phishing-submissions
trustar-get-phishing-indicators
trustar-set-triage-status
Deprecated the following commands due to changes in the TruSTAR service:
file
url
ip
domain
Microsoft Graph Security
Fixed an issue where filters were not properly implemented in the msg-search-alerts command. (Note: Existing msg-search-alerts command results might change the next time the command is executed).
Added support to authenticate using a self-deployed Azure application.
TAXII Feed
Fixed an issue where the test module did not work as expected.
Google BigQuery
Fixed an issue where date objects were not handled correctly.
Mimecast v2
Fixed an issue where the time calculation for the first fetch was incorrect.
Microsoft Graph Calendar
Added support to authenticate using a self-deployed Azure application.
ServiceNowCreateIncident This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and easily work with the records.
ServiceNowUpdateIncident This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and easily work with the records.
ServiceNowQueryIncident This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and easily work with the records.
GetUsersOnCall Retrieves users that are currently on-call.
LowerCidrNumAddresses Checks if the number of available addresses in IPv4 CIDR is lower than the given number.
IPNetwork Queries and returns details on CIDR for: Broadcast_address, CIDR, First_address, Last address, Max prefix len, Num addresses, Private and IP Version.
GetNumberOfUsersOnCall Retrieves the number of users that are currently on-call.
GetOnCallHoursPerUser Retrieves the number of on-call hours per user.
GetRolesPerShift Retrieves roles per shift.
LookupCSV Parses a CSV file and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
CompareLists Compares two lists and adds the differences to context.
GreaterCidrNumAddresses Checks if the number of available addresses in IPv4 or IPv6 CIDR is greater than the given number.
Isolate Endpoint - Cybereason Isolates an endpoint based on the provided hostname.
Port Scan - Internal Source Remediates port scans originating within the network.
Port Scan - External Source Remediates port scans originating outside of the organization's network.
Port Scan - Generic
Investigates a port scan incident. The incident may originate from outside or within the network. The playbook:
Enriches the hostname and IP address of the attacking endpoint.
Escalates the incident in case a critical asset is involved.
Hunts malware associated with the alerts across the organization.
Blocks detected malware associated with the incident.
Blocks IP addresses associated with the malware, if a malicious file was involved.
Pivots from the attacking IP to detect and block malicious domains hosted on the IP (for an external scan).
Isolates the attacking endpoint (for an internal scan).
Allows manual blocking of ports through an email communication task.
If you're using one or more of the following products, make sure to configure the corresponding playbook inputs:
Splunk - "Splunk Indicator Hunting".
QRadar - "QRadar Indicator Hunting v2".
Palo Alto Networks Cortex Data Lake/Panorama/Autofocus/Analytics - "PANW - Hunting and threat detection by indicator type V2".
IP Whitelist - AWS Security Group Syncs a list of IP addresses to an AWS Security Group.
HelloWorld Scan Simulates a vulnerability scan using the "HelloWorld" sample integration. It's used to demonstrate how to use the GenericPolling mechanism to run jobs that take several seconds or minutes to complete. It is designed to be used as a sub-playbook, but you can also use it as a standalone playbook, by providing the ${Endpoint.Hostname} input in the Context.
IP Whitelist - GCP Firewall Sets a list of IP addresses in the GCP firewall.
Search Endpoints By Hash - Cybereason Uses Cybereason to hunt for endpoint activity by hash.
Smokescreen IllusionBLACK Default Enriches IllusionBLACK incidents with events related to the incident.
Palo Alto Networks Prisma Access Whitelist Egress IPs on SaaS Services Retrieves the Prisma Access egress IPs for specific geographic zones and populates security groups within cloud services with them.
Palo Alto Networks Prisma Access - Logout User Forces logout of a specific user and computer from Prisma Access.
Search Endpoints By Hash - Generic Hunts endpoints using available tools.
TIM - Process CIDR Indicators By Size Processes CIDR indicators of both IPv4 and IPv6. By specifying in the inputs the maximum number of hosts allowed per CIDR, the playbook tags any CIDR that exceeds that number as pending_review. If the maximum CIDR size is not specified in the inputs, the playbook does not run.
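The CIDR scripts listed above (IPNetwork, LowerCidrNumAddresses, GreaterCidrNumAddresses) and the TIM - Process CIDR Indicators By Size playbook all come down to the same address-count arithmetic. The Python below is an added illustration of that logic using the standard ipaddress module; it is not the content pack's own code, and the function names, the skip-on-invalid behaviour and the returned dictionary shape are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

PENDING_REVIEW_TAG = "pending_review"  # tag name from the playbook description


def cidr_details(cidr: str) -> Dict[str, object]:
    """Fields the IPNetwork script description lists, for IPv4 or IPv6.

    strict=False tolerates host bits in the input ("10.1.2.3/8" -> 10.0.0.0/8).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "Broadcast_address": str(net.broadcast_address),
        "CIDR": str(net),
        "First_address": str(net.network_address),
        "Last_address": str(net[-1]),
        "Max_prefix_len": net.max_prefixlen,
        "Num_addresses": net.num_addresses,
        "Private": net.is_private,
        "IP_Version": net.version,
    }


def cidr_num_addresses_lower(cidr: str, limit: int) -> bool:
    """LowerCidrNumAddresses equivalent: block holds fewer than limit addresses."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses < limit


def cidr_num_addresses_greater(cidr: str, limit: int) -> bool:
    """GreaterCidrNumAddresses equivalent: block holds more than limit addresses."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses > limit


def tag_cidr_indicators(indicators: List[str], max_hosts: Optional[int]) -> Dict[str, List[str]]:
    """Mirror the TIM - Process CIDR Indicators By Size decision (assumed shape).

    Returns {indicator: [tags]}; oversized blocks get pending_review. With no
    max_hosts configured nothing is processed, matching the playbook not running.
    Values that are not valid CIDRs are skipped so one bad indicator does not
    abort the whole run (assumption, not playbook-documented behaviour).
    """
    if max_hosts is None:
        return {}
    result: Dict[str, List[str]] = {}
    for value in indicators:
        try:
            too_big = cidr_num_addresses_greater(value, max_hosts)
        except ValueError:
            continue
        result[value] = [PENDING_REVIEW_TAG] if too_big else []
    return result
```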