Cortex XSOAR Content Release Notes for version 20.7.0 (61242)

Published on 07 July 2020

Welcome to the 20.7.0 Content release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Packs format were there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.


End Of Life Notice

The following Integrations were deprecated in November 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach end of life on July 31, 2020, due to changes to the backend authentication services needed for these integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.


New: CrowdStrike Falcon X Pack v1.0.0

Integrations

CrowdStrike Falcon X

Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis and to retrieve reports.

Playbooks

Detonate File - CrowdStrike Falcon X

Detonates a file using CrowdStrike Falcon X sandbox.

Detonate URL - CrowdStrike Falcon X

Detonates one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data.


New: DeHashed Pack v1.0.0

Integrations

DeHashed

This integration allows you to check if your personal information, such as your email, username, or password, has been compromised.


New: Google Kubernetes Engine Pack v1.0.0

Integrations

Google Kubernetes Engine

The Google Kubernetes Engine integration is used for building and managing container-based applications in Google Cloud Platform (GCP), powered by the open source Kubernetes technology.

Playbooks

Google Kubernetes Engine Operations Generic Polling

This playbook checks the operation status of the Google Kubernetes Engine. It runs until the operation completes, and facilitates the waiting between steps in Cluster configuration.


New: Manage Engine Service Desk Plus Pack v1.0.0

Integrations

Service Desk Plus

Use this integration to manage Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.


New: Microsoft Azure AD Connect Health Feed Pack v1.0.0

Integrations

Azure AD Connect Health Feed

Use the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed.


New: Quest Kace Pack v1.0.0

Integrations

Quest KACE Systems Management Appliance (Beta)

Use the Quest KACE integration to provision, manage, secure, and service all network-connected devices.


New: Unit42 Feed Pack v1.0.0

Integrations

Unit42 Feed

Unit42 feed of published IOCs, which contains known malicious indicators.


New: Workday Pack v1.0.0

Integrations

Workday

Use the Workday integration to manage workers and employees.


New: Zoom Feed Pack v1.1.0

Integrations

Zoom Feed

You can now use the new Zoom site configuration using the feed.


New: TAXII 2 Feed Pack v.1.0.0

Integrations

TAXII Feed

Ingests indicator feeds from TAXII 2.0 and 2.1 servers.


ApiModules Pack v1.0.3

Scripts

CSVFeedApiModule

Added the Tags parameter.


ArcSight ESM Pack v1.0.3

Integrations

ArcSight ESM v2
  • Fixed a bug in which some fetches returned duplicate alerts.
  • Added the Use REST Endpoints integration parameter, which enables using REST endpoints for the as-get-entries and as-clear-entries commands.

Attivo Botsink Pack v1.0.1

Integrations

Attivo Botsink

Fixed an issue where errors were not handled as expected.


Bambenek Consulting Feed Pack v1.0.1

Integrations

Bambenek Consulting Feed

Added the Tags parameter.


Base Pack v1.1.0

Scripts

SaneDocReports
  • Fixed SVG image rendering in doc reports.
  • Added the ability to add customer logos to doc reports.
  • Reverted changes made in v1.0.12.
SanePdfReports
  • Fixed word overlapping in graphs.
  • Rolled back the Docker image to fix a conflict issue.
  • Updated the sane-pdf-reports Docker tag, which fixes the graph labels overlap bug.
CommonServerPython
  • Fixed an issue where the to_context function did not return the proper outputs when the CommandResult object was supplied with only readable_outputs.
  • Fixed and issue where the to_context function returned null instead of an empty list when supplied with empty outputs.
  • Added wrapper functions for getting and setting integration context.

CSV Feed Pack v1.0.2

Integrations

CSVFeed

Added the Tags parameter.


Carbon Black Enterprise Protection Pack v1.0.2

Playbooks

Carbon black Protection Rapid IOC Hunting

Updated the playbook to use the Carbon Black Enterprise Protection v2 integration .


Check Point Firewall Pack v1.0.3

Integrations

Check Point

Fixed an issue where the checkpoint command did not work as expected.


Common Playbooks Pack v1.5.1

Playbooks

Block IP - Generic v2

Added the FortiGate Ban IP command to the Block IP - Generic v2 playbook.


Common Scripts Pack v1.2.3

Scripts

ParseEmailFiles
  • Fixed an issue where errors were not handled as expected.
  • Fixed an issue where EMLfiles with the content type "message/rfc822" were not recognized as expected.
SetGridField

Fixed an issue where the script failed on mixed-types error.

JSONtoCSV

Improved the error message when an invalid JSON entry is given.


Common Types Pack v1.4.0

Layouts

domainRepUnified

Added the Feed Related Indicators section to the layout.

unifiedFileRep

Added the Feed Related Indicators section to the layout.

ipRep

Added the Feed Related Indicators section to the layout.

urlRep

Added the Feed Related Indicators section to the layout.


FalconHost Pack v1.1.2

Integrations

FalconHost
  • Added support for IPv4 and IPv6 indicator types to the cs-device-ran-on command.
    • Deprecated the following commands:
      • cs-resolve-detection: Use the cs-falcon-resolve-detection command from the CrowdStrike Falcon integration instead.
      • cs-detection-details: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
      • cs-detection-search: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.

Infocyte Pack v1.0.1

Integrations

Infocyte

Fixed a bug where fetch_incidents printed an error message if no new incidents/alerts were found.


JsonWhoIs Pack v1.0.3

Integrations

JsonWhoIs

Fixed a bug when running the integration resulted in the exceptions must derive from BaseException error.


Kafka Pack v1.0.1

Integrations

Kafka V2
  • Fixed an issue in which the offset for the fetch did not function as expected.
  • Improved error handling in the kafka-print-topics command.

Kenna Pack v1.0.3

Integrations

Kennav2

Fixed an issue where the limit argument did not work when set above 25 in the kenna-search-fixes command.


Machine Learning Pack v1.1.0

Scripts

HashIncidentsFields

Search for incidents by arguments with an option to hash some of the incident's fields.


Office 365 Feed Pack v1.1.2

Integrations

Office 365 Feed

Added the Tags parameter.


PAN-OS Pack v1.2.0

Integrations

Panorama
  • Added outputs to the panorama-get-logs command.
  • Added the source_zone and destination_zone arguments to the panorama-create-rule command.

PANW Comprehensive Investigation Pack v1.2.0

Layouts

PANW Endpoint Malware

Added the new layout Palo Alto Networks - Endpoint Malware Investigation v2.

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v2

Added the new playbook Palo Alto Networks - Endpoint Malware Investigation v2.


PCAP Analysis Pack v2.1.0

Playbooks

New: PCAP Search

This playbook is used to parse and search within PCAP files.

New: PCAP Parsing And Indicator Enrichment.

This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators.


Palo Alto Networks BPA Pack v1.2.0

Layout

Panorama Best Practice Assessment

Added the Panorama Best Practice Assessment incident layout.

Playbooks

Run Panorama Best Practice Assessment

Marked the generate_zip_bundle fiter to fetch the report bundle ZIP file.

Comprehensive PAN-OS Best Practice Assessment

Added Comprehensive PAN-OS Best Practice Assessment to the pack.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.0.0

Playbooks

New: Cortex XDR - Malware Investigation

Investigates a Cortex XDR incident that contains internal malware alerts. The playbook does the following:

  • Enriches the infected endpoint details.
  • Lets the analyst manually retrieve the malicious file.
  • Performs file detonation.

The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2 playbook.

New: Cortex XDR - Port Scan - Adjusted

Investigates a Cortex XDR incident that contains internal port scan alerts. The playbook does the following:

  • Syncs data with Cortex XDR.
  • Notifies management about a compromised host.
  • Escalates the incident in case of lateral movement alert detection.

The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2.

New: Cortex XDR Alerts Handling

This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:

  • Malware
  • Port Scan
New: Cortex XDR Incident Handling v2

This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.


Palo Alto Networks PAN-OS EDL Service Pack v1.0.3

Playbooks

PAN-OS EDL Service Configuration

Added a conditional task that validates if an EDL security rule with the same name already exists.


Phishing Pack v1.7.0

Playbooks

Process Email - Generic

The task that updates the email headers in the layout will no longer continue on errors.

Process Email - Core

The task that updates the email headers in the layout will no longer continue on errors.


Proofpoint Feed Pack v1.0.1

Integrations

Proofpoint Feed

Added the Tags parameter.


Rasterize Pack v1.0.3

Integrations

Rasterize
  • Fixed an issue where the rasterize-image command returned an image instead of a PDF file.
  • Added support for additional languages.

Recorded Future Feed Pack v1.0.2

Integrations

Recorded Future RiskList Feed

Added the Tags parameter.


Remedy On-Demand Pack v1.0.1

Integrations

Remedy On-Demand

Fixed an issue where the remedy-incident-update and remedy-get-incident commands required the request ID instead of the entry ID.


RiskSense Pack v1.0.1

Integrations

RiskSense

Added the *risksense-apply-tag, which applies tags as part of the playbook.

Playbooks

CVE Exposure - RiskSense

Blocks IP addresses and applies the tag to assets that are vulnerable to the specified CVE.

Scripts

DisplayCVEChartScript

Displays a bar chart based on the CVEs count and the trending CVEs count with the different colors.


ServiceNow Pack v1.1.5

Integrations

ServiceNow v2

Fixed the test button to work with debug mode.


Slack Pack v1.3.1

Integrations

SlackV2

Increased integration context reliability by using versions (supported in Cortex XSOAR v6.0 and later).


Symantec Management Center Pack v1.0.1

Integrations

Symantec Management Center

Added support for the content type LOCAL_CATEGORY_DB.


TAXII Feed Pack v1.0.1

Integrations

TAXII Feed

Added the Tags parameter.


ThreatConnect Pack v2.0.1

Integrations

ThreatConnect

Deprecated. Use the ThreatConnect v2 integration instead.

New: ThreatConnect v2

Use the ThreatConnect v2 integration to manage your threat intelligence environment.


ThreatQ Pack v1.0.3

Integrations

ThreatQ v2

Fixed an issue where the the URL schema was enforced in the url command.


TruSTAR Pack v2.0.0

Integrations

TruSTAR v2

The TruSTAR v2 integration introduces rewritten code, tests, docstrings on code functions, and new commands. For commands that return indicators, the data is put in 3 contexts:

  • The standard context, without the malicious field because TruSTAR doesn't currently have a score for every indicator.
  • DBotScore context with score as 0 for the same reason.
  • TruSTAR context with all the information returned by the command.
    • trustar-get-reports
    • trustar-get-enclaves
    • trustar-related-indicators
    • trustar-indicators-metadata
    • trustar-indicator-summaries
    • trustar-get-whitelisted-indicators
    • trustar-move-report
    • trustar-trending-indicators
    • trustar-get-indicators-for-report
    • trustar-search-indicators
    • trustar-submit-report
    • trustar-delete-report
    • trustar-correlated-reports
    • trustar-add-to-whitelist
    • trustar-remove-from-whitelist
    • trustar-report-details
    • trustar-update-report
    • trustar-search-reports
    • trustar-get-phishing-indicators
    • trustar-get-phishing-submissions
    • trustar-set-triage-status
    • trustar-copy-report
TruSTAR

Deprecated - Use the TruSTAR v2 integration instead.


US - Breach Notification Pack v1.0.3

Layout

US Breach Notification
  • Added a new widget to the layout.
  • Added Notifications status to the layout.

Playbooks

Illinois - Breach Notification

Added setincidents to the playbook for the new layout.

New York - Breach Notification

Added setincidents to the playbook for the new layout.

California - Breach Notification

Added setincidents to the playbook for the new layout.

Residents Notification - Breach Notification

Added setincidents to the playbook for the new layout.


Zscaler Pack v1.0.2

Integrations

Zscaler
  • Added the multiple argument to the url command, which when set to "false" enables users to submit singular URLs that contain commas.
  • Improved list handling for the zscaler-category-add-url and zscaler-category-add-ip commands.

iDefense Pack v1.0.1

Integrations

iDefense

Fixed an issue where the Set API token parameter was visible in the integration configuration window.


Okta Pack v1.0.3

Integrations

Okta

Deprecated. Use the Okta v2 integration instead.


Assets