Cortex XSOAR Content Release Notes for version 20.6.1 (59306)#

Published on 23 June 2020#

Welcome to the 20.6.1 Content release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Packs format were there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.


End Of Life Notice#

The following Integrations were deprecated on Nov 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach the end of life on July 31, 2020, due to changes to the backend authentication services needed for these Integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.


New: HIPAA - Breach Notification Pack v1.0.0#

IncidentFields#

  • HIPAA Notification

IncidentTypes#

  • HIPAA Breach Notification

Layouts#

  • HIPAA Breach Notification - Summary
  • HIPAA Breach Notification - New/Edit

Playbooks#

HIPAA - Breach Notification#

USA Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store, or process Private Health Information (PHI). The HIPAA Breach Notification Rule requires companies that deal with health information to disclose cybersecurity breaches; the disclosure will include notification to individuals, to the media, and the Secretary of Health and Human Services. This playbook is triggered by a HIPAA breach notification incident and follows through with the notification procedures.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

** Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html


New: Infocyte Pack v1.0.0#

Integrations#

Infocyte#

Infocyte can pivot off incidents to automate triage, validate events with forensic data and enabling dynamic response actions against any or all host using both agentless or agented endpoint access.


New: PCAP Analysis Pack v1.0.0#

Scripts#

PcapMinerV2#

PcapMIner V2 enables you to parse PCAP files by displaying all of the relevant data, including IP addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic, and more. This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either: a) Use the pcap_filter parameter to filter your PCAP file and thereby make it smaller. b) Copy the automation and change the default timeout parameter, as necessary.


New: Polygon Pack v1.0.0#

Integrations#

Group-IB TDS Polygon#

TDS Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction. TDS Polygon analyzes submitted files and urls and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon could be used either for application-level tasks (like smtp-based mail filtering) and analytical purposes (files/urls analysis for verdict, report and indicators).

Playbooks#

Detonate File - Group-IB TDS Polygon#

Detonates files using the Group-IB TDS Polygon integration. This playbook returns relevant reports to the War Room and file reputations to the context data.

Detonate URL - Group-IB TDS Polygon#

Detonates URLs using the Group-IB TDS Polygon integration.


AWS - EC2 Pack v1.1.1#

Scripts#

AwsEC2GetPublicSGRules#

Added support for security groups with only one ingress rule.

Playbooks#

IP Whitelist - AWS Security Group#

Syncs a list of IP addresses with an AWS Security Group. Moved from IPWhitelisting pack.


Base Pack v1.0.10#

Scripts#

CommonServerPython#
  • Added support for the CVE indicator class.
  • Added safeget from the Python dict function.
  • Fixed an issue where the argToList function did not behave as expected. This fix breaks backward compatibility.
  • Fixed incorrect time zone parsing for timestamp_to_datestring.
CommonServerPowerShell#

Updated the ReturnOutputs function to support object types.


BigFix Pack v1.0.1#

Integrations#

BigFix#

Added the get_endpoints_details argument to the bigfix-get-endpoints command to see if details of endpoints should be retrieved or not.


CSV Feed Pack v1.0.1#

Integrations#

CSVFeed#

Updated the Docker image to support the auto-detection function.


Carbon Black Enterprise Response Pack v1.0.3#

Integrations#

Carbon Black Enterprise Response v2#

Fixed an issue where the file context did not behave as expected in the cb-get-processes command.

Playbook#

Search Endpoints By Hash - Carbon Black Response V2#

Searches for endpoints by hash.


Check Point Firewall Pack v1.0.2#

Integrations#

Check Point#

Deprecated the ipname argument from the checkpoint-block-ip command.


Chronicle Pack v1.1.0#

Integrations#

Google Chronicle Backstory#
  • Added the gcb-list-events command.
  • Added deep link to all commands.

Cisco Threat Grid Pack v1.0.2#

Integrations#

Threat Grid#

Fixed a bug in threat-grid-get-analysis-by-id command, which failed on a syntax error.


Common Playbooks Pack v1.5.0#

Playbooks#

New: Entity Enrichment - Generic v3#

Enrich entities using one or more integrations.

Send Investigation Summary Reports#

Updated the SearchIncidents command to SearchIncidentsV2.

Get Original Email - Generic#

Added an output of email headers.


Common Scripts Pack v1.1.9#

Scripts#

SetGridField#

Fixed an issue in which non-alphabetically sorted values given to the columns were not processed as expected.

VerifyJSON#

Updated the Docker image to PowerShell 7.

TimeStampCompare#

Removed an empty tag from the TimeStampCompare script.

DateStringToISOFormat#

Added a new transformer script for converting arbitrary date strings to ISO-8601 format.


Common Types Pack v1.2.1#

IndicatorTypes#

domainRepUnified#

Updated the Domain indicator type's default mapping to use the new transformer DateStringToISOFormat (where relevant).


Compliance Pack v1.0.1#

IncidentFields#

New: Secretary Notification#
New: Management Notification#
New: DPO Notification#
New: Media Notification#
New: Individuals Notification#

Cortex Data Lake Pack v1.0.3#

Integrations#

Cortex Data Lake#

Adjusted the integration to work with a setup of non-root user in a Docker container.


Cortex XDR - IOC Pack v1.0.1#

Integrations#

Cortex XDR - IOC#

Fixed an issue where trying to push a non-existing indicator in xdr-iocs-push raised an error that failed the command.


Deprecated Content Pack v1.2.0#

Playbooks#

Malware Playbook - Manual#

Deprecated. Use "Malware Investigation - Manual" playbook instead.


EWS Pack v1.1.2#

Integrations#

New: EWSO365#

The new EWS O365 integration uses OAuth 2.0 protocol and can be used with Exchange Online and Office 365 (mail).

EWS v2#
  • Fixed a bug in the test module which failed on a delegated mailbox.
  • Improved handling of errors raised in the incident fetch flow.

Elasticsearch Feed Pack v1.0.2#

Integrations#

ElasticsearchFeed#

Fixed an issue where the Feed Type was not processed as expected while fetching indicators.


FalconHost Pack v1.1.1#

Integrations#

FalconHost#

Added support for 3 commands from the Threat graph API:

  • cs-threatgraph-summary
  • cs-threatgraph-processes
  • cs-threatgraph-detections

Playbooks#

Added rapid ioc hunting v2 playbook and replaced deprecated scripts.


FireEye ETP Pack v1.0.1#

Integrations#

FireEye ETP#

Improved empty response handling.


FortiSIEM Pack v1.0.1#

Integrations#

FortiSIEM#
  • Fixed an issue where the authentication did not work properly.
  • Fixed an issue where the fortisiem-get-events-by-incident command did not return results.

Google Cloud Compute Pack v1.0.1#

Playbooks#

IP Whitelist - GCP Firewall#

Playbook to sync a list of IPs with a GCP Firewall. Moved from IPWhitelisting pack.


HelloWorld Pack v1.1.6#

Integrations#

HelloWorld#
  • Improved the fetch-incidents command to prevent duplicate incidents.
  • Minor updates to documentation.

IBM QRadar Pack v1.0.3#

Integrations#

QRadar#

Improved handling of unexpected responses.


Intezer Pack v1.0.1#

Integrations#

Intezer v2#

Updated the integration to the latest Docker image.


JSON Feed Pack v1.0.1#

Integrations#

JSON Feed#

Updated the description of the indicator type field.


Joe Security Pack v1.0.2#

Integrations#

Joe Security#

Fixed a bug in the joe-analysis-info command where a DBotScore.Indicator wasn't returned when a URL was passed.


Malware Pack v1.1.0#

Playbooks#

New: Malware Investigation - Manual#

Master manual playbook for investigating suspected malware presence on an endpoint.

IncidentTypes#

Malware#

Associated the new playbook Malware Investigation - Manual to the malware incident type.


McAfee DXL Pack v1.0.0#

Playbook#

Enrich DXL with ATD verdict v2 Playbook#

Replaced deprecated scripts.

Enrich McAfee DXL using 3rd party sandbox v2 Playbook#

Replaced deprecated scripts.


McAfee ePO Pack v1.0.1#

Playbook#

McAfee ePO Endpoint Compliance Playbook v2#

Replaced deprecated scripts.

McAfee ePO Repository Compliance Playbook#

Replaced deprecated scripts.

McAfee ePO Endpoint Connectivity Diagnostics Playbook#

Replaced deprecated scripts.


Microsoft Defender Advanced Threat Protection Pack v1.1.2#

Integrations#

Microsoft Defender Advanced Threat Protection#

Updated the permission scope for self-deployed applications to be Microsoft Defender Advanced Threat Protection default.


Microsoft Teams Pack v1.0.2#

Integrations#

Microsoft Teams#

Fixed an issue where notifications to be sent to the dedicated channel were not handled appropriately.


Mimecast Pack v1.0.2#

Integrations#

MimecastV2#

Added a pagination mechanism for URL log requests.


MongoDB Pack v1.0.4#

Integrations#

MongoDB#

Fixed an issue where nested dictionaries containing a datetime object were not parsed properly.


PAN-OS Pack v1.0.5#

Playbooks#

PAN-OS - Create Or Edit Rule#

Removed transformers that were no longer needed.

PAN-OS DAG Configuration#

Removed transformers that were no longer needed.

Integrations#

Panorama#

Added logs for uncommitted items.


Palo Alto Networks BPA Pack v1.1.0#

Integrations#

BPA#

Added the option to exclude passed checks in the pan-os-bpa-get-job-results command.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.0.0#

Integrations#

Cortex XDR - IR#
  • Fixed a bug in the xdr-get-endpoint command where only the last endpoint was displayed in context.
  • Added 6 commands.
    • xdr-blacklist-files
    • xdr-whitelist-files
    • xdr-quarantine-files
    • xdr-get-quarantine-status
    • xdr-restore-file
    • xdr-endpoint-scan

Playbooks#

New: Cortex XDR - Malware Investigation#

Investigates a Cortex XDR incident containing internal malware alerts. The playbook:

  • Enriches the infected endpoint details.
  • Lets the analyst manually retrieve the malicious file.
  • Performs file detonation. The playbook is used as a sub- playbook in 'Cortex XDR Incident Handling - v2'
New: Cortex XDR - Port Scan - Adjusted#

Investigates a Cortex XDR incident containing internal port scan alerts. The playbook:

  • Syncs data with Cortex XDR.
  • Notifies management about a compromised host.
  • Escalates the incident in case of lateral movement alert detection. The playbook is used as a sub- playbook in 'Cortex XDR Incident Handling - v2'
New: Cortex XDR Alerts Handling#

This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:

- Malware
- Port Scan
New: Cortex XDR Incident Handling v2#

This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident's indicators and hunting for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.

PaloAltoNetworks_XDR#

Added a test for the quarantine file playbook.

Cortex XDR - quarantine file#

Added a playbook that gets the status of a quarantined file.


Phishing Pack v1.6.0#

Playbooks#

Get Original Email - EWS#

Added the email headersmap output. This enables phishing incidents to display email headers if the original email was retrieved.

Phishing - Core#
  • Fixed an issue where URL screenshots did not display in the layout.
  • Merged 2 conditions into 1 to clean up playbook.
  • Added checks to verify that the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails, and before taking URL screenshots.
Process Email - Core#
  • Added checks to verify that the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails, and before taking URL screenshots.
  • Email headers will now show in phishing incident layouts.
Process Email - Generic#
  • Added a check that verifies whether the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails.
  • Added a check that verifies whether the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails.
  • Simplified the flow of the playbook by merging tasks where possible and renaming tasks to better reflect their purpose.
  • Email headers will now show in phishing incident layouts.
Get Original Email - EWS#

Added an output of email headers.

Layout#

Phishing#

The phishing layout now displays the email headers if the email was attached as file or was retrieved using mail listener integrations.


Plain Text Feed Pack v1.0.1#

Integrations#

Plain Text Feed#

Updated the Docker image to support the auto-detection function.


Prisma Access Pack v1.0.1#

Playbooks#

Prisma Access Whitelist Egress IPs on SaaS Services#
  • Added a call for the Okta Zones subplaybook.
  • Moved the names of the AWS security group, GCP firewall, and Okta Zone into playbook inputs. If the input is not set, the related subplaybook will be skipped.

Prisma Cloud Pack v1.2.0#

Integrations#

RedLock#
  • Added a default classifier and mapper.
  • Added support for multi-environment instances.
  • Added the get-remediation-details command.

Proofpoint Protection Server Pack v1.0.2#

Integrations#

Proofpoint Server Protection#
  • Improved parsing of responses returned from Proofpoint.
  • Added support for Proofpoint Protection Server version 8.14.2.

RTIR Pack v1.0.3#

Integrations#

RTIR#
  • Fixed an issue where headers with 'ID' in their name got malformed when running rtir-search-ticket command and in fetch-incidents.
  • Improved parsing of ticket attachments.

Recorded Future Feed Pack v1.0.1#

Integrations#

Recorded Future Feed#

Improved parsing of IOC objects.


Red Canary Pack v1.0.2#

Integrations#

RedCanary#
  • Removed timeline details for a detection fetched as an incident.
  • Fixed an issue in which acknowledged detections were fetched as incidents.
  • Improved processing of outputs for endpoint details.

Securonix Pack v1.1.1#

Integrations#

Securonix#
  • Added the max parameter to the securonix-list-incidents command.
  • Added the max_fetch parameter to the integration configuration. The default and maximum value is 50.
  • Fixed an issue where duplicate incidents were fetched.

SentinelOne Pack v1.0.1#

Integrations#

SentinelOne V2#

Improved processing of datetime strings.


ServiceNow Pack v1.1.4#

Integrations#

ServiceNow v2#

Improved handling of authentication errors returned from ServiceNow.


Slack Pack v1.2.1#

Integrations#

SlackV2#

Added stability improvements for long-running execution.


VirusTotal Pack v1.0.1#

Integrations#

VirusTotal#

Fixed an issue where the url command lacked the default url argument.


Zscaler Pack v1.0.1#

Integrations#

Zscaler#

Added the multiple argument to the url command, which when set to "false" enables users to submit singular URLs that contain commas.


ipinfo Pack v1.0.1#

Integrations#

ipinfo#

Added support for HTTPS connection.


okta Pack v1.0.2#

Integrations#

Okta v2#

Added 3 commands.

  • okta-get-zone
  • okta-update-zone
  • okta-list-zones

Playbooks#

Allow IP - Okta Zone#

Syncs a list of IP addresses with an Okta Zone.


Assets#