Cortex XSOAR Content Release Notes for version 20.7.1 (70449)
Published on 21 July 2020
Welcome to the 20.7.1 Content Release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based on Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Pack format, in which there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.
For Cortex XSOAR version 5.5 and earlier, you can still install content updates directly in the platform.
End Of Life Notice
The following integrations were deprecated in November 2019:
- Azure Compute
- Azure Security Center
These integrations will reach end of life on July 31, 2020, due to changes to the backend authentication services needed for these integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.
New: Blueliv ThreatCompass Pack v1.0.0
Integrations
Blueliv ThreatCompass
Blueliv ThreatCompass systematically looks for information about companies,products, people, brands, logos, assets, technology and other information, depending on your needs. Blueliv ThreatCompass allows you to monitor and track all this information to keep your data, your organization and its employees safe
New: Blueliv ThreatContext Pack v1.0.0
Integrations
Blueliv ThreatContext
The Threat Context module provides SOC, Incident Response, and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.
New: Zimperium Pack v1.0.0
Classifiers
Zimperium - Classifier
Classifies Zimperium incidents.
Zimperium - Incoming Mapper
Maps incoming Zimperium incident fields.
IncidentTypes
Zimperium event
Integrations
Zimperium
Zimperium is a mobile security platform that generates alerts based on anomalous or unauthorized activities detected on a user's mobile device.
Layouts
Zimperium Event - Summary
Playbooks
Zimperium Incident Enrichment
Enriches Zimperium incidents.
AWS Feed Pack v1.0.2
Integrations
AWS Feed
Added the Tags parameter.
Active Directory Query Pack v1.0.2
Integrations
Active Directory Query v2
Added the time_limit argument to the ad-get-group-members command. Default is 180 seconds.
AlienVault Feed Pack v1.0.1
Integrations
AlienVault OTX TAXII Feed
Added the Tags parameter.
Atlassian Jira Pack v1.0.2
Integrations
jira-v2
Fixed an issue where an error was raised when no issues matched the query.
AttackIQ Platform Pack v1.0.2
Integrations
AttackIQ Platform
Fixed the Job State and Assessment outputs in the attackiq-get-test-results command.
Azure Security Center Pack v1.0.1
Integrations
Azure Security Center v2
- Added support to authenticate using a self-deployed Azure application.
- Fixed an issue where the azure-sc-update-atp command failed due to an incorrect parameter being passed in the request body.
Base Pack v1.1.4
Scripts
SaneDocReports
Added additional arguments for increased functionality when using logos.
Brute Force Pack v1.1.2
Layouts
Brute Force Incident
Updated incident and indicator layouts to content pack format.
Cofense Feed Pack v1.0.4
Integrations
Cofense Feed
Added the Tags parameter.
Common Playbooks Pack v1.6.1
Playbooks
Detonate File - Generic
- Added the Detonate File - Group-IB TDS Polygon playbook as a sub-playbook
- Added the CrowdStrike Falcon X integration.
- Updated sub-playbook inputs to be inputs.File.
Detonate URL - Generic
- Added the Detonate File - Group-IB TDS Polygon playbook as a sub-playbook
- Added the CrowdStrike Falcon X integration.
Common Scripts Pack v1.2.5
Scripts
SetGridField
- Fixed an issue where "None" values caused the script to fail.
- Improved argument descriptions.
- Improved error messaging in cases of invalid grid ID.
- Added handling for empty values in cells and columns (i.e. context paths with no value).
- Changed the default value of the overwrite argument from false to true.
Compliance Pack v1.0.4
Scripts
BreachConfirmationHTML
Fixed a typo.
CrowdStrike Falcon Pack v1.1.0
Integrations
CrowdStrike Falcon
- Added the following real-time response API commands:
- cs-falcon-run-get-command
- cs-falcon-status-get-command
- cs-falcon-status-command
- cs-falcon-get-extracted-file
- cs-falcon-list-host-files
- cs-falcon-refresh-session
- Added the target argument to the cs-falcon-run-command command to support single and batch operations.
- Fixed entry context keys
- Fixed the cs-falcon-get-script command. A script entry returned from the command replaces the entry identifying with
ID
inCrowdStrike.Script
. - Fixed the cs-falcon-list-scripts command. Script entries returned from the command replace the entries identifying with
ID
s inCrowdStrike.Script
.
Elasticsearch Feed Pack v1.0.3
Integrations
Elasticsearch Feed
Added the Tags parameter.
Expanse Pack v1.1.0
Classifiers
Expanse
Updated the classifier to include mappings for all relevant Expanse Incident fields.
Integration
Expanse
Updated the integration to respect the configured page limit when fetching new incidents.
Expanse Behavior
Added a layout for Expanse Behavior Incidents.
Expanse Appearance
The layout for Expanse Appearance Incidents was updated to include new Incident Fields.
Playbook
New: Expanse Behavior Severity Update
This playbook updates the severity of an Expanse Behavior incident based on the presence of other active Exposures for the IP address.
GenericSQL Pack v1.0.3
Integrations
Generic SQL
- Added support for database connection pooling.
- Improved debug output when running commands with
debug-mode=true
.
IBM QRadar Pack v1.0.5
Integrations
IBM QRadar
Improved handling of unicode responses.
MITRE ATT&CK Pack v1.0.8
Integrations
MITRE ATT&CK Feed
Fixed an issue where a non-existing indicator query using the mitre-reputation command did not return results.
Scripts
New: MITREIndicatorsByOpenIncidents
This is a widget script that returns information for MITRE indicators for top indicators shown in incidents.
Microsoft Graph Mail Pack v1.0.2
Integrations
MicrosoftGraphMail
Fixed an issue where communication tasks were sending emails in text format only.
Microsoft Graph Mail Single User Pack v1.0.4
Integrations
Microsoft Graph Mail Single User
Fixed an issue where communication tasks were sending emails in text format only.
Microsoft Management Activity API (O365/Azure Events) Pack v1.0.1
Integrations
Microsoft Management Activity API (O365 Azure Events)
Fixed test module logic and the credentials error.
NIST Pack v1.0.3
Playbooks
Access Investigation - Generic - NIST
Added tasks that check if Active Directory is enabled.
Office 365 Feed Pack v1.1.3
Integrations
Office 365 Feed
Fixed an issue with the insecure parameter.
PAN-OS Pack v1.4.1
Integrations
Panorama
Added the following commands:
- panorama-block-vulnerability: Overrides single vulnerability signature and changes the default action.
- panorama-get-predefined-threats-list: Retrieves the entire signature database from a PAN-OS device.
- panorama-show-location-ip: Gets the location of an IP address.
Playbooks
NetOps - Firewall Version and Content Upgrade
Fixed DT syntax issues.
PCAP Analysis Pack v2.2.0
Playbooks
New: PCAP File Carving
This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files.
Scripts
New: PcapFileExtractor
This script extract files from PCAP files using http, smb, tftp, imf and dicom protocols.
Prisma Access Pack v1.0.2
Integrations
Prisma Access Egress IP feed
Fixed an issue where the Location parameter was not handled correctly.
Pwned Pack v1.0.1
Integrations
Have I Been Pwned? v2
Fixed an issue where the Test button did not validate the API Key.
Slack Pack v1.3.3
Playbooks
Slack - General Failed Logins v2.1
The playbook now checks if the Active Directory Query v2 integration is enabled before expiring a user password.
SplunkPy Pack v1.0.4
Integrations
SplunkPy
Changed the fetch limit parameter to handle cases where this field is left empty in the instance configuration.
TIM - SIEM Integration Pack v1.0.2
Playbooks
TIM - Add All Indicator Types To SIEM
Improved the indicator query to include only active indicators.
Tenable.io Pack v1.0.1
Integrations
Tenable.io
Fixed an issue in the tenable-io-launch-scan command where the scanTargets argument was ignored.
VMware Pack v1.0.1
Integrations
VMware
Added support for additional TLS versions. The highest supported version will be used.
VirusTotal - Private API Pack v1.0.1
Integrations
VirusTotal - Private API
Fixed an issue wiht the output paths for the vt-private-search-file command.
Whois Pack v1.1.1
Playbooks
TIM - Process Domains With Whois
Added a task that checks if the Whois integration is enabled.
Workday Pack v1.0.2
Integrations
Workday
General performance and reliability improvements.
Assets
- Download: content_new.zip
- Browse the Source Code: Content Repo @ 20.7.1