Cortex XSOAR Content Release Notes for version 20.7.1 (70449)

Published on 21 July 2020

Welcome to the 20.7.1 Content Release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based on Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Pack format, in which there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.

For Cortex XSOAR version 5.5 and earlier, you can still install content updates directly in the platform.

End Of Life Notice

The following integrations were deprecated in November 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach end of life on July 31, 2020, due to changes to the backend authentication services needed for these integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.


New: Blueliv ThreatCompass Pack v1.0.0

Integrations

Blueliv ThreatCompass

Blueliv ThreatCompass systematically looks for information about companies,products, people, brands, logos, assets, technology and other information, depending on your needs. Blueliv ThreatCompass allows you to monitor and track all this information to keep your data, your organization and its employees safe


New: Blueliv ThreatContext Pack v1.0.0

Integrations

Blueliv ThreatContext

The Threat Context module provides SOC, Incident Response, and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.


New: Zimperium Pack v1.0.0

Classifiers

Zimperium - Classifier

Classifies Zimperium incidents.

Zimperium - Incoming Mapper

Maps incoming Zimperium incident fields.

IncidentTypes

Zimperium event

Integrations

Zimperium

Zimperium is a mobile security platform that generates alerts based on anomalous or unauthorized activities detected on a user's mobile device.

Layouts

Zimperium Event - Summary

Playbooks

Zimperium Incident Enrichment

Enriches Zimperium incidents.


AWS Feed Pack v1.0.2

Integrations

AWS Feed

Added the Tags parameter.


Active Directory Query Pack v1.0.2

Integrations

Active Directory Query v2

Added the time_limit argument to the ad-get-group-members command. Default is 180 seconds.


AlienVault Feed Pack v1.0.1

Integrations

AlienVault OTX TAXII Feed

Added the Tags parameter.


Atlassian Jira Pack v1.0.2

Integrations

jira-v2

Fixed an issue where an error was raised when no issues matched the query.


AttackIQ Platform Pack v1.0.2

Integrations

AttackIQ Platform

Fixed the Job State and Assessment outputs in the attackiq-get-test-results command.


Azure Security Center Pack v1.0.1

Integrations

Azure Security Center v2
  • Added support to authenticate using a self-deployed Azure application.
  • Fixed an issue where the azure-sc-update-atp command failed due to an incorrect parameter being passed in the request body.

Base Pack v1.1.4

Scripts

SaneDocReports

Added additional arguments for increased functionality when using logos.


Brute Force Pack v1.1.2

Layouts

Brute Force Incident

Updated incident and indicator layouts to content pack format.


Cofense Feed Pack v1.0.4

Integrations

Cofense Feed

Added the Tags parameter.


Common Playbooks Pack v1.6.1

Playbooks

Detonate File - Generic
  • Added the Detonate File - Group-IB TDS Polygon playbook as a sub-playbook
  • Added the CrowdStrike Falcon X integration.
  • Updated sub-playbook inputs to be inputs.File.
Detonate URL - Generic
  • Added the Detonate File - Group-IB TDS Polygon playbook as a sub-playbook
  • Added the CrowdStrike Falcon X integration.

Common Scripts Pack v1.2.5

Scripts

SetGridField
  • Fixed an issue where "None" values caused the script to fail.
  • Improved argument descriptions.
  • Improved error messaging in cases of invalid grid ID.
  • Added handling for empty values in cells and columns (i.e. context paths with no value).
  • Changed the default value of the overwrite argument from false to true.

Compliance Pack v1.0.4

Scripts

BreachConfirmationHTML

Fixed a typo.


CrowdStrike Falcon Pack v1.1.0

Integrations

CrowdStrike Falcon
  • Added the following real-time response API commands:
    • cs-falcon-run-get-command
    • cs-falcon-status-get-command
    • cs-falcon-status-command
    • cs-falcon-get-extracted-file
    • cs-falcon-list-host-files
    • cs-falcon-refresh-session
  • Added the target argument to the cs-falcon-run-command command to support single and batch operations.
  • Fixed entry context keys
  • Fixed the cs-falcon-get-script command. A script entry returned from the command replaces the entry identifying with ID in CrowdStrike.Script.
  • Fixed the cs-falcon-list-scripts command. Script entries returned from the command replace the entries identifying with IDs in CrowdStrike.Script.

Elasticsearch Feed Pack v1.0.3

Integrations

Elasticsearch Feed

Added the Tags parameter.


Expanse Pack v1.1.0

Classifiers

Expanse

Updated the classifier to include mappings for all relevant Expanse Incident fields.

Integration

Expanse

Updated the integration to respect the configured page limit when fetching new incidents.

Expanse Behavior

Added a layout for Expanse Behavior Incidents.

Expanse Appearance

The layout for Expanse Appearance Incidents was updated to include new Incident Fields.

Playbook

New: Expanse Behavior Severity Update

This playbook updates the severity of an Expanse Behavior incident based on the presence of other active Exposures for the IP address.


GenericSQL Pack v1.0.3

Integrations

Generic SQL
  • Added support for database connection pooling.
  • Improved debug output when running commands with debug-mode=true.

IBM QRadar Pack v1.0.5

Integrations

IBM QRadar

Improved handling of unicode responses.


MITRE ATT&CK Pack v1.0.8

Integrations

MITRE ATT&CK Feed

Fixed an issue where a non-existing indicator query using the mitre-reputation command did not return results.

Scripts

New: MITREIndicatorsByOpenIncidents

This is a widget script that returns information for MITRE indicators for top indicators shown in incidents.


Microsoft Graph Mail Pack v1.0.2

Integrations

MicrosoftGraphMail

Fixed an issue where communication tasks were sending emails in text format only.


Microsoft Graph Mail Single User Pack v1.0.4

Integrations

Microsoft Graph Mail Single User

Fixed an issue where communication tasks were sending emails in text format only.


Microsoft Management Activity API (O365/Azure Events) Pack v1.0.1

Integrations

Microsoft Management Activity API (O365 Azure Events)

Fixed test module logic and the credentials error.


NIST Pack v1.0.3

Playbooks

Access Investigation - Generic - NIST

Added tasks that check if Active Directory is enabled.


Office 365 Feed Pack v1.1.3

Integrations

Office 365 Feed

Fixed an issue with the insecure parameter.


PAN-OS Pack v1.4.1

Integrations

Panorama

Added the following commands:

  • panorama-block-vulnerability: Overrides single vulnerability signature and changes the default action.
  • panorama-get-predefined-threats-list: Retrieves the entire signature database from a PAN-OS device.
  • panorama-show-location-ip: Gets the location of an IP address.

Playbooks

NetOps - Firewall Version and Content Upgrade

Fixed DT syntax issues.


PCAP Analysis Pack v2.2.0

Playbooks

New: PCAP File Carving

This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files.

Scripts

New: PcapFileExtractor

This script extract files from PCAP files using http, smb, tftp, imf and dicom protocols.


Prisma Access Pack v1.0.2

Integrations

Prisma Access Egress IP feed

Fixed an issue where the Location parameter was not handled correctly.


Pwned Pack v1.0.1

Integrations

Have I Been Pwned? v2

Fixed an issue where the Test button did not validate the API Key.


Slack Pack v1.3.3

Playbooks

Slack - General Failed Logins v2.1

The playbook now checks if the Active Directory Query v2 integration is enabled before expiring a user password.


SplunkPy Pack v1.0.4

Integrations

SplunkPy

Changed the fetch limit parameter to handle cases where this field is left empty in the instance configuration.


TIM - SIEM Integration Pack v1.0.2

Playbooks

TIM - Add All Indicator Types To SIEM

Improved the indicator query to include only active indicators.


Tenable.io Pack v1.0.1

Integrations

Tenable.io

Fixed an issue in the tenable-io-launch-scan command where the scanTargets argument was ignored.


VMware Pack v1.0.1

Integrations

VMware

Added support for additional TLS versions. The highest supported version will be used.


VirusTotal - Private API Pack v1.0.1

Integrations

VirusTotal - Private API

Fixed an issue wiht the output paths for the vt-private-search-file command.


Whois Pack v1.1.1

Playbooks

TIM - Process Domains With Whois

Added a task that checks if the Whois integration is enabled.


Workday Pack v1.0.2

Integrations

Workday

General performance and reliability improvements.


Assets