Cortex XSOAR Release Notes for version 20.5.2 (54359)

Published on 26 May 2020

Breaking Changes

  • TruSTAR
    • In the trustar-get-phishing-submissions and trustar-get-phishing-indicators commands, replaced the normalized_triage_score argument with the priority_event_score argument.
    • Updated the context outputs of the trustar-get-phishing-submissions and trustar-get-phishing-indicators commands.
    • In the trustar-get-phishing-indicators command, replaced the normalized_source_score argument with the normalized_indicator_score argument.

End Of Life Notice

The Palo Alto Networks Cortex integration will reach end of life on May 31st due to the Cortex Data Lake move to API version 2.0. Use the Cortex Data Lake integration instead.

Integrations

4 New Integrations

  • IllusiveNetworks
    The Illusive Attack Management API enables you to retrieve detected incidents with a forensics timeline, view attack surface insights, collect forensics on demand, and manage a variety of operations related to deceptive entities, deception policies, and more.
  • Bastille Networks
    RF monitoring for wireless intrusion detection and policy enforcement. Visit https://www.bastille.net for additional details.
  • Logz.io
    Fetch and remediate security incidents identified by Logz.io Cloud SIEM.
  • Digital Guardian
    Use the Digital Guardian integration to fetch incidents and programmatically add or remove entries from watchlists and component lists.

26 Improved Integrations

  • TruSTAR
    • Fixed the description for the from_time argument to '24 hours ago' for the trustar-get-phishing-indicators and trustar-get-phishing-submissions commands.
    • Added -1 to list of default values in the priority_event_score argument for the trustar-get-phishing-submissions command.
    • Added -1 to the list of default values in the priority_event_score and normalized_indicator_score arguments for the trustar-get-phishing-indicators command.
  • Microsoft Graph Security
    Added fetch-incidents functionality.
  • IBM Resilient Systems
    Fixed an issue where the fetch-incident command did not pull all incidents.
  • ThreatQ v2
    Fixed an issue where indicators with custom indicator statuses, indicator types, event types, or attachment types would raise an error.
  • Shodan v2
    Fixed an issue where searching for an IP address without information raised an error.
  • Jask
    Fixed an issue where incorrect access to the SourceType key caused an error in the jask-get-insight-details command.
  • Whois
    Added the Domain.Whois.QueryResult output, which tells whether the query found a matching result.
  • Recorded Future
    Fixed an issue in the recorded-future-get-related-entities command where the command output was mishandled.
  • Kafka v2
    Added support for lz4 compressed messages.
  • Palo Alto Networks PAN-OS
    • Added the option to list predefined applications in PAN-OS 9.X in the panorama-get-applications command using the predefined argument.
    • Fixed an issue where listing custom applications in PAN-OS 9.X using the panorama-get-applications command did not work properly.
    • Fixed an issue where running the panorama-get-url-category command multiple times displayed previous results in the War Room.
    • Replaced the spaces in the URL context output of the panorama-create-edl command with %20.
  • Generic SQL
    Fixed an issue where connecting to an MS SQL database using an encrypted connection failed.
  • Tanium
    Fixed an issue where the output of some results was malformed.
  • VirusTotal - Private API
    Fixed an issue where running file-related commands would raise an error.
  • Tanium Threat Response
    Fixed an issue where the tanium-tr-get-downloaded-file command retrieved a malformed file.
  • URLhaus
    • Added the Number of retries parameter which determines how many times a command should attempt to run before raising an error.
    • Fixed an issue where the urlhaus-download-sample command would raise an error in cases where results were found.
  • RTIR
    • Fixed an issue where the fetch-incidents and search-tickets commands did not behave as expected.
    • Fixed an issue where the test module did not work as expected.
    • Added the Fetch limit parameter to the instance configuration, which specifies the maximum number of results to fetch.
    • Added the results_limit argument to the search-tickets command, which specifies the maximum number of results to return.
  • SplunkPy
    Added support for HTTPS handler, which uses the Python requests library.
  • Palo Alto Networks PAN-OS EDL Service
    • Removed the panos_compatible parameter. All indicators exported by this integration will be PAN-OS compatible.
    • Added request parameters that are passed in the URL.
  • OPSWAT-Metadefender v2
    Fixed an issue where running file-related commands would raise an error.
  • ServiceNow v2
    • Added the incident_name parameter, which enables users to select the column from ServiceNow on which the fetched incidents will be named.
    • Fixed an issue where system proxy settings were always used.
    • Fixed an issue where the fetch-incidents command with attachments did not work as expected.
  • RSA Archer
    • Fixed an issue where several commands would not work as expected when they were performed on app ID 411.
    • Fixed an issue where type 4 fields were not displayed in the results of the archer-search-records command.
  • Microsoft Graph Mail Single User
    Fixed an issue where some emails were not fetched as incidents.
  • Expanse
    Added support for filtering incident creation by Expanse Exposure severity level.
  • MongoDB
    Fixed an issue when pulling an object that contains a date.
  • Azure Compute v2
    Added support for authenticating using a self-deployed Azure application.
  • Palo Alto Networks BPA
    • Added an argument that enables you to download a Panorama report.
    • Fixed an issue where proxy settings were not handled properly.

Deprecated Integration

  • ServiceNow
    Use the ServiceNow v2 integration instead (available from Demisto v5.0.0).

Feeds

These feeds are available from Cortex XSOAR v5.5.

4 Improved Feeds

  • Microsoft Intune Feed
    Added IPv4 and CIDR indicators to the feed.
  • Cofense Feed
    Fixed a bug where the Test button always returned a positive result.
  • AutoFocus Feed
    • Added support for samples feed.
    • Added service mapping for indicators.
  • MITRE ATT&CK Feed
    Fixed an issue where the insecure and proxy parameters were not passed while fetching indicators.

Scripts

2 New Scripts

  • BetweenDates
    Checks whether the given value is within the specified date range.
  • BetweenHours
    Checks whether the given value is within the specified time (hour) range.

10 Improved Scripts

  • EmailDomainSquattingReputation
    Added support for domain arrays as a parameter, including empty domains.
  • DBotPredictOutOfTheBox
    Added the option to map automation output to out-of-the-box incidents fields.
  • GetMLModelEvaluation
    • You can now train a model even when the minimum precision target is not reached. In that case, the closest threshold is returned.
    • Added support for model evaluation using different confidence thresholds for each class.
  • FilterByList
    Added a delimiter argument, which defines the character that delimits fields.
  • SetGridField
    • Fixed an issue with a dictionary element.
    • Added support for lists of values.
    • Added support for unpacking nested elements.
    • The keys argument is no longer mandatory. By default, all keys are taken.
  • DBotTrainTextClassifierV2
    Added support for model evaluation using different confidence thresholds for each class.
  • PWObservationPcapDownload
    Fixed an issue where an error was raised when only one sensor ID was provided.
  • SearchIncidentsV2
    Fixed an issue where using \ caused a parsing error.
  • ParseEmailFiles
    • Fixed an issue parsing EML files encoded with a BOM.
    • Fixed an issue with header parsing.
  • AssignAnalystToIncident
    Added the onCall argument to assign only users that are on shift.

3 Deprecated Scripts

  • Elasticsearch
    Use the Elasticsearch v2 integration instead.
  • ElasticSearchDisplay
    Use the Elasticsearch v2 integration instead.
  • AwsGetInstanceInfo
    There is no replacement script.

Playbooks

10 New Playbooks

  • Logz.io Handle Alert
    Handles a Logz.io alert by retrieving the events that generated the alert.
  • New York - Breach Notification
    This playbook helps an analyst determine whether the breached data meets the criteria for breach notification according to New York State law, and, if necessary, follows through with the notification procedures.
  • PAN-OS EDL Service Configuration
    This single-run playbook enables the Cortex XSOAR built-in External Dynamic List (EDL) as a service for the system indicators, and configures PAN-OS EDL objects and the respective firewall policy rules. The EDLs are continually updated for each indicator that matches the query syntax entered in the playbook.
  • PII Check - Breach Notification
    Checks for various types of PII. Note that each state determines what is considered PII, and which PII requires notification.
  • Residents Notification - Breach Notification
    This playbook is triggered by a breach notification playbook and is responsible for the resident notification process.
  • Illusive-Collect-Forensics-On-Demand
    Collects forensics on demand on any compromised host and retrieves the forensics timeline upon successful collection.
  • Illusive-Retrieve-Incident
    Gets a detailed overview of a detected incident by retrieving the incident details and a forensics timeline if and when forensics have been successfully collected.
  • California - Breach Notification
    This playbook helps analysts determine whether the breached data meets the criteria for breach notification according to California law, and, if necessary, follows through with the notification procedures.
  • Digital Guardian Demo Playbook
    This playbook shows how to handle an exfiltration event reported by Digital Guardian by emailing the user's manager and adding the user to a Digital Guardian watchlist.
  • US - Breach Notification
    This playbook is triggered by a breach notification incident and then proceeds to the breach notification playbook for the relevant state.

10 Improved Playbooks

  • TIM - QRadar Add IP Indicators
    Fixed a task condition.
  • TIM - Run Enrichment For Hash Indicators
    Fixed an input name.
  • TIM - Process Indicators - Manual Review
    Fixed a typo.
  • TIM - Run Enrichment For IP Indicators
    Fixed an input name.
  • TIM - Run Enrichment For Domain Indicators
    Fixed an input name.
  • TIM - Run Enrichment For Url Indicators
    Fixed an input name.
  • ExtraHop - Ticket Tracking
    Incidents are searched using the SearchIncidentsV2 automation instead of the deprecated SearchIncidents automation.
  • Email Address Enrichment - Generic v2.1
    Added a check that will prevent empty email addresses from being enriched.
  • URL Enrichment - Generic v2
    The playbook no longer stops if Rasterize fails. This improves playbook stability when rasterizing URLs of websites that are currently down.
  • Phishing Investigation - Generic v2
    • The playbook now uses Block Indicators - Generic v2 to block malicious indicators (off by default).
    • Replaced the deprecated SendEmail automation with the send-mail command.

Incident Fields

Added incident fields for:

  • Digital Guardian
  • Logz.io
  • US Breach Notification

Layouts

4 New Layouts

  • Digital Guardian Security Event - Summary
  • US Breach Notification - Summary
  • Illusive Networks Incident - Summary
  • Logz.io Alert - Summary

4 Improved Layouts

  • domainRepUnified - Indicator Details
    Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.
  • ipRep - Indicator Details
    Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.
  • unifiedFileRep - Indicator Details
    Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.
  • urlRep - Indicator Details
    Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.

Classification & Mapping

3 New Classification & Mapping

  • Logz.io
  • Digital Guardian
  • IllusiveNetworks

Assets