Cortex XSOAR Content Release Notes for version 20.6.1 (59306)

Published on 23 June 2020

Welcome to the 20.6.1 Content release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Packs format were there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.


End Of Life Notice

The following Integrations were deprecated on Nov 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach the end of life on July 31, 2020, due to changes to the backend authentication services needed for these Integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.


New: HIPAA - Breach Notification Pack v1.0.0

IncidentFields

  • HIPAA Notification

IncidentTypes

  • HIPAA Breach Notification

Layouts

  • HIPAA Breach Notification - Summary
  • HIPAA Breach Notification - New/Edit

Playbooks

HIPAA - Breach Notification

USA Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store, or process Private Health Information (PHI). The HIPAA Breach Notification Rule requires companies that deal with health information to disclose cybersecurity breaches; the disclosure will include notification to individuals, to the media, and the Secretary of Health and Human Services. This playbook is triggered by a HIPAA breach notification incident and follows through with the notification procedures.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

** Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html


New: Infocyte Pack v1.0.0

Integrations

Infocyte

Infocyte can pivot off incidents to automate triage, validate events with forensic data and enabling dynamic response actions against any or all host using both agentless or agented endpoint access.


New: PCAP Analysis Pack v1.0.0

Scripts

PcapMinerV2

PcapMIner V2 enables you to parse PCAP files by displaying all of the relevant data, including IP addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic, and more. This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either: a) Use the pcap_filter parameter to filter your PCAP file and thereby make it smaller. b) Copy the automation and change the default timeout parameter, as necessary.


New: Polygon Pack v1.0.0

Integrations

Group-IB TDS Polygon

TDS Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction. TDS Polygon analyzes submitted files and urls and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon could be used either for application-level tasks (like smtp-based mail filtering) and analytical purposes (files/urls analysis for verdict, report and indicators).

Playbooks

Detonate File - Group-IB TDS Polygon

Detonates files using the Group-IB TDS Polygon integration. This playbook returns relevant reports to the War Room and file reputations to the context data.

Detonate URL - Group-IB TDS Polygon

Detonates URLs using the Group-IB TDS Polygon integration.


AWS - EC2 Pack v1.1.1

Scripts

AwsEC2GetPublicSGRules

Added support for security groups with only one ingress rule.

Playbooks

IP Whitelist - AWS Security Group

Syncs a list of IP addresses with an AWS Security Group. Moved from IPWhitelisting pack.


Base Pack v1.0.10

Scripts

CommonServerPython
  • Added support for the CVE indicator class.
  • Added safeget from the Python dict function.
  • Fixed an issue where the argToList function did not behave as expected. This fix breaks backward compatibility.
  • Fixed incorrect time zone parsing for timestamp_to_datestring.
CommonServerPowerShell

Updated the ReturnOutputs function to support object types.


BigFix Pack v1.0.1

Integrations

BigFix

Added the get_endpoints_details argument to the bigfix-get-endpoints command to see if details of endpoints should be retrieved or not.


CSV Feed Pack v1.0.1

Integrations

CSVFeed

Updated the Docker image to support the auto-detection function.


Carbon Black Enterprise Response Pack v1.0.3

Integrations

Carbon Black Enterprise Response v2

Fixed an issue where the file context did not behave as expected in the cb-get-processes command.

Playbook

Search Endpoints By Hash - Carbon Black Response V2

Searches for endpoints by hash.


Check Point Firewall Pack v1.0.2

Integrations

Check Point

Deprecated the ipname argument from the checkpoint-block-ip command.


Chronicle Pack v1.1.0

Integrations

Google Chronicle Backstory
  • Added the gcb-list-events command.
  • Added deep link to all commands.

Cisco Threat Grid Pack v1.0.2

Integrations

Threat Grid

Fixed a bug in threat-grid-get-analysis-by-id command, which failed on a syntax error.


Common Playbooks Pack v1.5.0

Playbooks

New: Entity Enrichment - Generic v3

Enrich entities using one or more integrations.

Send Investigation Summary Reports

Updated the SearchIncidents command to SearchIncidentsV2.

Get Original Email - Generic

Added an output of email headers.


Common Scripts Pack v1.1.9

Scripts

SetGridField

Fixed an issue in which non-alphabetically sorted values given to the columns were not processed as expected.

VerifyJSON

Updated the Docker image to PowerShell 7.

TimeStampCompare

Removed an empty tag from the TimeStampCompare script.

DateStringToISOFormat

Added a new transformer script for converting arbitrary date strings to ISO-8601 format.


Common Types Pack v1.2.1

IndicatorTypes

domainRepUnified

Updated the Domain indicator type's default mapping to use the new transformer DateStringToISOFormat (where relevant).


Compliance Pack v1.0.1

IncidentFields

New: Secretary Notification
New: Management Notification
New: DPO Notification
New: Media Notification
New: Individuals Notification

Cortex Data Lake Pack v1.0.3

Integrations

Cortex Data Lake

Adjusted the integration to work with a setup of non-root user in a Docker container.


Cortex XDR - IOC Pack v1.0.1

Integrations

Cortex XDR - IOC

Fixed an issue where trying to push a non-existing indicator in xdr-iocs-push raised an error that failed the command.


Deprecated Content Pack v1.2.0

Playbooks

Malware Playbook - Manual

Deprecated. Use "Malware Investigation - Manual" playbook instead.


EWS Pack v1.1.2

Integrations

New: EWSO365

The new EWS O365 integration uses OAuth 2.0 protocol and can be used with Exchange Online and Office 365 (mail).

EWS v2
  • Fixed a bug in the test module which failed on a delegated mailbox.
  • Improved handling of errors raised in the incident fetch flow.

Elasticsearch Feed Pack v1.0.2

Integrations

ElasticsearchFeed

Fixed an issue where the Feed Type was not processed as expected while fetching indicators.


FalconHost Pack v1.1.1

Integrations

FalconHost

Added support for 3 commands from the Threat graph API:

  • cs-threatgraph-summary
  • cs-threatgraph-processes
  • cs-threatgraph-detections

Playbooks

Added rapid ioc hunting v2 playbook and replaced deprecated scripts.


FireEye ETP Pack v1.0.1

Integrations

FireEye ETP

Improved empty response handling.


FortiSIEM Pack v1.0.1

Integrations

FortiSIEM
  • Fixed an issue where the authentication did not work properly.
  • Fixed an issue where the fortisiem-get-events-by-incident command did not return results.

Google Cloud Compute Pack v1.0.1

Playbooks

IP Whitelist - GCP Firewall

Playbook to sync a list of IPs with a GCP Firewall. Moved from IPWhitelisting pack.


HelloWorld Pack v1.1.6

Integrations

HelloWorld
  • Improved the fetch-incidents command to prevent duplicate incidents.
  • Minor updates to documentation.

IBM QRadar Pack v1.0.3

Integrations

QRadar

Improved handling of unexpected responses.


Intezer Pack v1.0.1

Integrations

Intezer v2

Updated the integration to the latest Docker image.


JSON Feed Pack v1.0.1

Integrations

JSON Feed

Updated the description of the indicator type field.


Joe Security Pack v1.0.2

Integrations

Joe Security

Fixed a bug in the joe-analysis-info command where a DBotScore.Indicator wasn't returned when a URL was passed.


Malware Pack v1.1.0

Playbooks

New: Malware Investigation - Manual

Master manual playbook for investigating suspected malware presence on an endpoint.

IncidentTypes

Malware

Associated the new playbook Malware Investigation - Manual to the malware incident type.


McAfee DXL Pack v1.0.0

Playbook

Enrich DXL with ATD verdict v2 Playbook

Replaced deprecated scripts.

Enrich McAfee DXL using 3rd party sandbox v2 Playbook

Replaced deprecated scripts.


McAfee ePO Pack v1.0.1

Playbook

McAfee ePO Endpoint Compliance Playbook v2

Replaced deprecated scripts.

McAfee ePO Repository Compliance Playbook

Replaced deprecated scripts.

McAfee ePO Endpoint Connectivity Diagnostics Playbook

Replaced deprecated scripts.


Microsoft Defender Advanced Threat Protection Pack v1.1.2

Integrations

Microsoft Defender Advanced Threat Protection

Updated the permission scope for self-deployed applications to be Microsoft Defender Advanced Threat Protection default.


Microsoft Teams Pack v1.0.2

Integrations

Microsoft Teams

Fixed an issue where notifications to be sent to the dedicated channel were not handled appropriately.


Mimecast Pack v1.0.2

Integrations

MimecastV2

Added a pagination mechanism for URL log requests.


MongoDB Pack v1.0.4

Integrations

MongoDB

Fixed an issue where nested dictionaries containing a datetime object were not parsed properly.


PAN-OS Pack v1.0.5

Playbooks

PAN-OS - Create Or Edit Rule

Removed transformers that were no longer needed.

PAN-OS DAG Configuration

Removed transformers that were no longer needed.

Integrations

Panorama

Added logs for uncommitted items.


Palo Alto Networks BPA Pack v1.1.0

Integrations

BPA

Added the option to exclude passed checks in the pan-os-bpa-get-job-results command.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.0.0

Integrations

Cortex XDR - IR
  • Fixed a bug in the xdr-get-endpoint command where only the last endpoint was displayed in context.
  • Added 6 commands.
    • xdr-blacklist-files
    • xdr-whitelist-files
    • xdr-quarantine-files
    • xdr-get-quarantine-status
    • xdr-restore-file
    • xdr-endpoint-scan

Playbooks

New: Cortex XDR - Malware Investigation

Investigates a Cortex XDR incident containing internal malware alerts. The playbook:

  • Enriches the infected endpoint details.
  • Lets the analyst manually retrieve the malicious file.
  • Performs file detonation. The playbook is used as a sub- playbook in 'Cortex XDR Incident Handling - v2'
New: Cortex XDR - Port Scan - Adjusted

Investigates a Cortex XDR incident containing internal port scan alerts. The playbook:

  • Syncs data with Cortex XDR.
  • Notifies management about a compromised host.
  • Escalates the incident in case of lateral movement alert detection. The playbook is used as a sub- playbook in 'Cortex XDR Incident Handling - v2'
New: Cortex XDR Alerts Handling

This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories: - Malware - Port Scan

New: Cortex XDR Incident Handling v2

This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident's indicators and hunting for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.

PaloAltoNetworks_XDR

Added a test for the quarantine file playbook.

Cortex XDR - quarantine file

Added a playbook that gets the status of a quarantined file.


Phishing Pack v1.6.0

Playbooks

Get Original Email - EWS

Added the email headersmap output. This enables phishing incidents to display email headers if the original email was retrieved.

Phishing - Core
  • Fixed an issue where URL screenshots did not display in the layout.
  • Merged 2 conditions into 1 to clean up playbook.
  • Added checks to verify that the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails, and before taking URL screenshots.
Process Email - Core
  • Added checks to verify that the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails, and before taking URL screenshots.
  • Email headers will now show in phishing incident layouts.
Process Email - Generic
  • Added a check that verifies whether the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails.
  • Added a check that verifies whether the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails.
  • Simplified the flow of the playbook by merging tasks where possible and renaming tasks to better reflect their purpose.
  • Email headers will now show in phishing incident layouts.
Get Original Email - EWS

Added an output of email headers.

Layout

Phishing

The phishing layout now displays the email headers if the email was attached as file or was retrieved using mail listener integrations.


Plain Text Feed Pack v1.0.1

Integrations

Plain Text Feed

Updated the Docker image to support the auto-detection function.


Prisma Access Pack v1.0.1

Playbooks

Prisma Access Whitelist Egress IPs on SaaS Services
  • Added a call for the Okta Zones subplaybook.
  • Moved the names of the AWS security group, GCP firewall, and Okta Zone into playbook inputs. If the input is not set, the related subplaybook will be skipped.

Prisma Cloud Pack v1.2.0

Integrations

RedLock
  • Added a default classifier and mapper.
  • Added support for multi-environment instances.
  • Added the get-remediation-details command.

Proofpoint Protection Server Pack v1.0.2

Integrations

Proofpoint Server Protection
  • Improved parsing of responses returned from Proofpoint.
  • Added support for Proofpoint Protection Server version 8.14.2.

RTIR Pack v1.0.3

Integrations

RTIR
  • Fixed an issue where headers with 'ID' in their name got malformed when running rtir-search-ticket command and in fetch-incidents.
  • Improved parsing of ticket attachments.

Recorded Future Feed Pack v1.0.1

Integrations

Recorded Future Feed

Improved parsing of IOC objects.


Red Canary Pack v1.0.2

Integrations

RedCanary
  • Removed timeline details for a detection fetched as an incident.
  • Fixed an issue in which acknowledged detections were fetched as incidents.
  • Improved processing of outputs for endpoint details.

Securonix Pack v1.1.1

Integrations

Securonix
  • Added the max parameter to the securonix-list-incidents command.
  • Added the max_fetch parameter to the integration configuration. The default and maximum value is 50.
  • Fixed an issue where duplicate incidents were fetched.

SentinelOne Pack v1.0.1

Integrations

SentinelOne V2

Improved processing of datetime strings.


ServiceNow Pack v1.1.4

Integrations

ServiceNow v2

Improved handling of authentication errors returned from ServiceNow.


Slack Pack v1.2.1

Integrations

SlackV2

Added stability improvements for long-running execution.


VirusTotal Pack v1.0.1

Integrations

VirusTotal

Fixed an issue where the url command lacked the default url argument.


Zscaler Pack v1.0.1

Integrations

Zscaler

Added the multiple argument to the url command, which when set to "false" enables users to submit singular URLs that contain commas.


ipinfo Pack v1.0.1

Integrations

ipinfo

Added support for HTTPS connection.


okta Pack v1.0.2

Integrations

Okta v2

Added 3 commands.

  • okta-get-zone
  • okta-update-zone
  • okta-list-zones

Playbooks

Allow IP - Okta Zone

Syncs a list of IP addresses with an Okta Zone.


Assets