Cortex XSOAR Content Release Notes for version 20.6.0 (56612)

Published on 09 June 2020

Welcome to the 20.6.0 Content release for Cortex XSOAR. Starting with this release we are restructuring our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Packs format were there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.


End Of Life Notice

The following Integrations were deprecated on Nov 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach the end of life on July 31, 2020, due to changes to the back-end authentication services needed for these Integrations. Use the Azure Compute v2 and Azure Security Center v2 Integrations instead.


New: DeepInstinct Pack v1.0.0

Integrations

Deep Instinct

The Deep Learning cybersecurity platform, for zero time prevention.


New: Carbon Black Cloud Enterprise EDR Pack v1.0.0

Integrations

Carbon Black Enterprise EDR

VMware Carbon Black Enterprise EDR is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams. (formerly known as ThreatHunter)


New: Cortex XDR - IOC Pack v1.0.0

Integrations

Cortex XDR - IOC

Use the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.


New: Humio Pack v1.0.0

Integrations

Humio

Integrate with Humio. Humio operates as a time-series logging and aggregation platform designed for unrestricted and comprehensive event analysis.

Playbooks
Humio QueryJob Poll

Run and poll a Humio Query Job.


Active Directory Query Pack v1.0.1

Integrations

Active Directory Query v2

Improved parsing of custom attributes in the ad-get-user command.


Awake Security Pack v1.0.1

Integrations

Awake Security

Fixed an issue where the context did not update properly for the awake-query-activities, awake-query-devices, and awake-query-activities commands.


Base Pack v1.0.6

Scripts

CommonServerPython
  • Fixed IPv4 regex to only catch IPv4 addresses, not CIDR ranges.
  • Added the auto_detect_indicator_type function to indicate the type of indicator.
  • Added the Endpoint Common class.
  • Updated the handle_proxy function to remove relevant environment variables when either the unsecure or insecure parameters are set.
  • Improved logging when running with the debug-mode argument.
  • Added support for the CVE indicator class.
CommonServerPowerShell

Removed override of the Write-Output function.


CVE Search Pack v1.0.1

Integrations

CVE Search v2

Added DBot score to the cve command.


Carbon Black Defense Pack v1.1.0

Integrations

Carbon Black Defense

Fixed a bug in the cbd-find-events command where hash arguments were not processed correctly.


Carbon Black Enterprise Live Response Pack v1.0.1

Integrations

Carbon Black Enterprise Live Response

Fixed an error when pulling a file in the get-file-from-endpoint command.


Carbon Black Enterprise Response Pack v1.0.3

Integrations

Carbon Black Enterprise Response
  • Added new context outputs for the cb-get-processes command:
    • File.Name
    • File.MD5
    • File.Path
    • Endpoint.Hostname
  • Fixed an issue where the file context did not behave as expected in the cb-get-processes command.

Check Point Firewall Pack v1.0.1

Integrations

Check Point

Added the command argument in the checkpoint command. This argument is the command to run in the firewall.


Cofense Feed Pack v1.0.2

Integrations

Cofense Feed
  • Fixed a bug where the Test button always returned a positive result.
  • Removed the phish threat type .

Cofense Triage Pack v1.1.0

Integrations

Cofense Triage

Deprecated - Use Cofense Triage v2 instead (available from 5.0.0).

Cofense Triage v2

Added support for the cofense-get-report-png-by-id and cofense-get-threat-indicators commands.


Common Scripts Pack v1.1.3

Scripts

ParseEmailFiles

  • Fixed an issue parsing EML files encoded with a BOM.
  • Fixed an issue with header parsing.
SetGridField
  • Fixed an issue with a dictionary element.
  • Added support for lists of values.
  • Added support for unpacking nested elements.
  • The keys argument is no longer mandatory, all the keys will be taken by default.
IsIPInRanges

Added private IP address ranges.

GetTime

Added support for subtracting days and years from the current date using the daysAgo and yearsAgo arguments.


Cortex Data Lake Pack v1.0.1

Integrations

Cortex Data Lake

Fixed a bug in the cdl-query-logs command when no records are found for a given query.


CrowdStrike Falcon Streaming Pack v1.0.2

Integrations

New: CrowdStrike Falcon Streaming v2

The integration is now GA.


Demisto REST API Pack v1.0.1

Integrations

Demisto REST API

Fixed an issue in which URL endpoints given with a forward slash character as prefix were not processed as expected.


Elasticsearch Feed Pack v1.0.1

Integrations

Elasticsearch Feed

Fixed an issue where the integration would handle Generic Feed as Cortex XSOAR Feed.


Expanse Pack v1.0.1

Integrations

Expanse

Added support for filtering incident creation by the Expanse Exposure severity level.


FalconHost Pack v1.1.0

Integrations

FalconHost

Added support for 3 commands from the Threat Graph API:

  • cs-threatgraph-summary
  • cs-threatgraph-processes
  • cs-threatgraph-detections

Fidelis Elevate Network Pack v1.0.1

Integrations

Fidelis Elevate Network

Fixed file download functionality in the fidelis-download-malware-file command.


FireEye Helix Pack v1.0.1

Integrations

FireEyeHelix

Fixed an issue in the fireeye-helix-search command where the headers argument was not processed as expected.


FortiSIEM Pack v1.0.0

Integrations

FortiSIEM

Fixed an issue where authentication did not work properly.


IBM Resilient Systems Pack v1.0.1

Integrations

IBM Resilient Systems

Fixed an issue where the fetch-incident command did not pull all incidents.


JsonWhoIs Pack v1.0.1

Integrations

JsonWhoIs

Prints an error when an error is returned from the API.


MITRE ATT&CK Pack v1.0.2

Integrations

MITRE ATT&CK

Fixed an issue where the insecure and proxy parameters were not passed while fetching indicators.

IndicatorTypes

reputation-mitreAttck.json

Added the mitre-reputation command under the MITRE indicator type.


Microsoft Defender Advanced Threat Protection Pack v1.1.0

Integrations

Microsoft Defender Advanced Threat Protection

Added support to authenticate using a self-deployed Azure application.


Microsoft Graph Mail Single User Pack v1.0.2

Integrations

Microsoft Graph Mail Single User

Fixed an issue in which some emails were not fetched as incidents.


Microsoft Graph Security Pack v2.0.0

Integrations

Microsoft Graph

Added fetch-incidents functionality and a unit test.


Microsoft Teams Pack v1.0.1

Integrations

Microsoft Teams

Improved error handling.


Mimecast Pack v1.0.1

Integrations

MimecastV2

Fixed parsing of responses for the create-mimecast-incident command.


MongoDB Pack v1.0.1

Integrations

MongoDB

Fixed an issue when pulling a object that contains a date.


PAN-OS Pack v1.0.2

Integrations

Panorama
  • Replaced the spaces in the URL context output of the panorama-create-edl command to %20.
  • POST request parameters are now passed in the request body, not the URI.

Palo Alto Networks PAN-OS EDL Service Pack v1.0.2

Integrations

EDL

Added request parameters passed in the URL.

Playbooks

PAN-OS EDL Service Configuration

Added a new playbook to the EDL pack - EDL Service Configuration. It is a single-run playbook that enables Cortex XSOAR's built-in External Dynamic List (EDL) as a service with PAN-OS native EDL Objects to create firewall policy rules that continuously updates with Cortex XSOAR built-in indicator managment cpabilities.


Palo Alto Networks WildFire Pack v1.0.1

Integrations

WildFire-v2

Fixed an issue in which the wildfire-get-sample command returned the wrong filename.


Phishing Pack v1.2.0

Layouts

Phishing

Removed custom fields that raised warnings from the incident Quick View layout.

Playbooks

Phishing - Core
  • Fixed an issue where URL screenshots did not display in the layout.
  • Streamlined the playbook by merging two conditions to a single condition.

Prisma Cloud Pack v1.1.0

Playbooks

Prisma Cloud Remediation - GCP VPC Network Misconfiguration

New Prisma Cloud remediations:

  • GCP Default Firewall rule should not have any rules (except http and https)
  • GCP Firewall with Inbound rule overly permissive to All Traffic
Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration

New Prisma Cloud remediations:

  • GCP Default Firewall rule should not have any rules (except http and https)
  • GCP Firewall with Inbound rule overly permissive to All Traffic

ProtectWise Pack v1.0.0

Scripts

PWObservationPcapDownload

Fixed an issue where an error was raised when only one sensor ID was provided.


RTIR Pack v1.0.1

Integrations

RTIR

Improved parsing of ticket history and ticket links.


Recorded Future Pack v1.0.1

Integrations

Recorded Future

Fixed an issue in output from the recorded-future-get-related-entities command was mishandled.


Red Canary Pack v1.0.1

Integrations

RedCanary
  • Removed timeline details for a detection fetched as an incident.
  • Fixed an issue in which acknowledged detections were fetched as incidents.

ServiceNow Pack v1.1.2

Integrations

ServiceNow v2
  • Added the incident_name parameter, which enables the user to choose the column from ServiceNow on which the fetched incidents will be named.
  • Fixed an issue where system proxy settings were always being used.
  • Fixed an issue where fetch-incidents command did not work as expected when it included attachments.
  • Fixed the timestamp field parameter description.
  • Fixed an issue in which the ServiceNow ticket column to be set as the incident name parameter was not initialized with the default value as expected.

Shodan Pack v1.0.1

Integrations

Shodan_v2

Fixed an issue in which searching for an IP address without information raised an error.


Signal Sciences WAF Pack v1.0.1

Integrations

Signal Sciences WAF

Added verification to the Corporation Name parameter to match the required pattern.


Slack Pack v1.2.0

Integrations

SlackV2

Updated default integration parameter to new brand name Palo Alto Networks Cortex XSOAR (formerly Demisto).

Scripts

SlackAsk

Added an option to include which user responded and what the response was.


Stealthwatch Cloud Pack v1.0.1

Integrations

Stealthwatch Cloud

Fixed an issue where the sw-update-alert command was not updating the alert as expected.


SumoLogic Pack v1.0.1

Integrations

SumoLogic

Changed the integration image from CSV to PNG.


Symantec Data Loss Prevention (Beta) Pack v1.1.0

Integrations

Symantec Data Loss Prevention
  • Updated the Docker image.
  • Improved cached DB initialization to support off-line deployments.
  • Fixed parsing incidents with missing fields.

TIM - Processing Pack v1.1.1

Playbooks

New: TIM - Indicators Exclusion By Related Incidents (Available from Cortex XSOAR 6.0)

This playbooks allows you to exclude indicators according to the number of incidents the indicator is related to. The indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set. Excluded indicators are located in the Cortex XSOAR exclusion list and are removed from all of their related incidents and future ones. The purpose of excluding these indicators is to reduce the amount internal and common indicators appearing in many incidents and showing only relevant indicators. Creating exclusions can also accelerate performance.

TIM - Indicator Auto Processing

Added a sub-playbook for Whois.


ThreatMiner Pack v1.0.1

Integrations

ThreatMiner

Fixed a bug in the ip command when searching for IP addresses that don't have reports in ThreatMiner.


ThreatQ Pack v1.0.2

Integrations
ThreatQ v2

Fixed an issue where indicators were duplicated in the context data.


US - Breach Notification Pack v1.0.2

Playbooks

New: Illinois - Breach Notification

This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to Illinois law and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook.

Residents Notification - Breach Notification

Changed the playbook input "AutoNotification" to False

US - Breach Notification

Added a new sub-playbook "Illinois - Breach Notification"

Layout

US Breach Notification

Added the "New \ Edit Form".


Access Investigation Pack v1.1.4

Playbooks

Access Investigation - Generic

Starting with Demisto 4.5, this playbook uses newer versions of previously used playbooks.


Whois Pack v1.0.2

Playbooks

New: TIM - Process Domain registrant With Whois

Uses several sub playbooks to process and tag indicators based on the results of the Whois tool.

New: TIM - Process Domain Age With Whois

This playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. A registrant is the company or entity that owns the domain.

New: TIM - Process Domains With Whois

This playbook compares the domain creation time against a provided time value such as one month ago. The period can be configured within the playbook inputs MinimumAgeOfDomainMonths or MinimumAgeOfDomainHours. The playbook calculates the timestamp for the relevant period and compares it to the domain creation time value provided by Whois. The domains are outputted accordingly if they were created before or after the compared time, respectively.


Assets