Cortex XSOAR Content Release Notes for version 20.8.0 (80195)

Published on 4 August 2020

Welcome to the 20.8.0 Content Release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based on Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Pack format, in which there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.

For Cortex XSOAR version 5.5 and earlier, you can still install content updates directly in the platform.


New: CVSS Pack v1.0.0

Scripts

CVSSCalculator

This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator. You can learn more about calculations here: https://www.first.org/cvss/.


New: CrowdStrike Malquery Pack v1.0.0

Integrations

CrowdStrike Malquery

Use the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine.

Playbooks

CrowdStrikeMalquery - Multidownload and Fetch

Schedule samples for download. Using samples-multidownload is a three-step process:
1. Schedule the download with samples-multidownload, which returns a request ID.
2. Provide that request ID to the cs-malquery-get-request command to check the status of the operation.
3. When the request status is "done", use cs-malquery-sample-fetch to download the results as a password-protected archive.

Use this playbook as a sub-playbook to schedule samples for download. This playbook implements polling by continuously running the get-request command until the operation completes. Once the request status is done, the sub-playbook runs cs-malquery-sample-fetch.

The remote action should have the following structure:
1. Initiate the operation - insert the sample SHA256 ids.
2. Poll to check if the operation completed.
3. Get the results of the operation.

CrowdStrikeMalquery - Search

Use this playbook as a sub-playbook to query the contents of binary files. This playbook implements polling by continuously running the get-request command until the operation completes. The remote action should have the following structure:

  1. Initiate the operation - insert the type of search command (hunt or exact-search) and its additional arguments if necessary.
  2. Poll to check if the operation completed.
  3. Get the results of the operation.

New: CyberTotal Pack v1.0.0

Integrations

CyberTotal

CyberTotal is a cloud-based threat intelligence service developed by CyCraft.

Playbooks

CyberTotal Auto Enrichment - CyCraft

This playbook automatically enriches indicators (including IPs, URLs, domains; MD5, SHA-1, and SHA-256 file hashes). Playbook input: the indicators you want to enrich. Playbook output: detection engine results, positive detections, detection ratios; as well as severity, confidence, and threat scores.

CyberTotal Whois - CyCraft

This playbook is used to automatically retrieve Whois information regarding IPs, URLs and domains. Playbook input: IPs, URLs, domains. Playbook output: Whois lookup information.


New: Imperva WAF Pack v1.0.0

Integrations

Imperva WAF

Use the Imperva WAF integration to manage IP groups and web security policies in Imperva WAF.


New: Ivanti Heat Pack v1.0.0

Integrations

Ivanti Heat

Use the Ivanti Heat integration to manage issues and create Cortex XSOAR incidents from Ivanti Heat.

Scripts

IvantiHeatCloseIncidentExample

This is a sample script that demonstrates how to close an incident in Ivanti Heat. The script generates data of the closed incident in JSON format and writes it to the IvantiHeat.CloseIncidentJSON context path.

IvantiHeatCreateIncidentExample

This is a sample script that demonstrates how to create an incident in Ivanti Heat. The script generates data of the created incident in JSON format and writes it to the IvantiHeat.CreateIncidentJSON context path.

IvantiHeatCreateProblemExample

This is a sample script that demonstrates how to create a problem in Ivanti Heat. The script generates data of the created problem in JSON format and writes it to the IvantiHeat.CreateProblemJSON context path.


New: Nozomi Networks Pack v1.0.0

Integrations

Nozomi Networks

The Nozomi Networks Guardian platform is a hardware or virtual appliance that is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution. This integration is used to gather alerts and assets information from Nozomi.


New: RecordedFuture v2 Pack v1.0.0

Integrations

Recorded Future v2

Unique threat intel technology that automatically serves up relevant insights in real time.

Playbooks

Recorded Future CVE Intelligence

CVE enrichment using Recorded Future intelligence.

Recorded Future CVE Reputation

CVE reputation with Recorded Future SOAR enrichment.

Recorded Future Domain Intelligence

Domain enrichment using Recorded Future intelligence.

Recorded Future Domain Reputation

Domain reputation using Recorded Future SOAR enrichment.

Recorded Future File Intelligence

File enrichment using Recorded Future intelligence.

Recorded Future File Reputation

File reputation using Recorded Future SOAR enrichment.

Recorded Future IOC Reputation

Entity Reputation using sub-playbooks.

Recorded Future IP Intelligence

IP Address Enrichment using Recorded Future Intelligence.

Recorded Future IP Reputation

IP address reputation using Recorded Future SOAR enrichment.

Recorded Future Threat Assessment

Threat Assessment using the Recorded Future SOAR Triage API and the context Phishing.

Recorded Future URL Intelligence

URL Enrichment using Recorded Future intelligence.

Recorded Future URL Reputation

URL reputation using Recorded Future SOAR enrichment.


New: Sepio Pack v1.0.0

IncidentTypes

Sepio Systems

Integrations

Sepio

Get Agent, Switches, and Events from your Sepio Prime environment.


RSA Archer Pack 1.1.0

Integrations

New: RSA Archer v2

The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.

Scripts

New: ArcherCreateIncidentExample

This is an example script that demonstrates how to create an Incident in Archer. The script generates the create-incident data in JSON format and executes the archer-create-record command.


AWS - Security Hub Pack v1.0.1

Integrations

AWS - Security Hub
  • Added the aws-securityhub-batch-update-findings command, which enables you to update information in a finding. Master accounts can update findings for their own account and for member accounts, including fields such as confidence, note, criticality, and severity. Member accounts can only update the Note object.
  • Added arguments to the following commands.
    • aws-securityhub-disable-security-hub
    • aws-securityhub-enable-security-hub
    • aws-securityhub-list-members
    • aws-securityhub-get-findings
  • Fetched incidents can be set as NOTIFIED, and can no longer be archived.

AWS Feed Pack v1.0.3

Integrations

AWS Feed

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Active Directory Query Pack v1.0.3

Integrations

Active Directory Query v2

Added the disable-nested-search argument to the ad-get-group-members command, which enables you to disable recursive retrieval of a user's group memberships.


Anomali ThreatStream Pack v1.0.1

Integrations

Anomali ThreatStream v2

Fixed an issue in the threatstream-import-indicator-with-approval command where it would not import indicators properly.


Atlassian Jira Pack v1.1.0

Integrations

Atlassian Jira v2
  • Internal code improvements.
  • The Test button will now test the fetch incidents flow.

AutoFocus Pack v1.1.0

Integrations

AutoFocus Daily Feed

The AutoFocus Daily Feed integration is now a part of the AutoFocus pack.

AutoFocus Feed

The AutoFocus Feed integration is now a part of the AutoFocus pack.


Base Pack v1.1.7

Scripts

CommonServerPython

Removed an unnecessary variable assignment.

SaneDocReports
  • Updated the sane-doc-reports Docker image.
  • Fixed markdown HTML tag inconsistencies.
  • Fixed trend direction icons and rare cases when there are large values.
  • Fixed Markdown placeholder styles.
  • Fixed an issue where an array would be returned instead of 0 when the number is zero.
  • Fixed empty Markdown page break elements that were not working as expected.

Brute Force Pack v1.2.0

Playbooks

Brute Force Investigation - Generic

Now verifies that the Active Directory Query v2 integration is enabled before using it.


Carbon Black Cloud Enterprise EDR Pack v1.0.2

Integrations

VMware Carbon Black Enterprise EDR
  • Renamed the integration Carbon Black Enterprise EDR to VMware Carbon Black Enterprise EDR.

Carbon Black Defense Pack v1.1.1

Integrations

VMware Carbon Black Endpoint Standard

Renamed the integration Carbon Black Defense to VMware Carbon Black Endpoint Standard.


Carbon Black Enterprise Live Response Pack v1.0.2

Integrations

VMware Carbon Black EDR (Live Response API)

Renamed the integration Carbon Black Enterprise (Live) Response to VMware Carbon Black EDR (Live Response API).


Carbon Black Enterprise Protection Pack v1.0.3

Integrations

VMware Carbon Black App Control v2

Renamed the integration Carbon Black Enterprise Protection v2 to VMware Carbon Black App Control v2.


Carbon Black Enterprise Response Pack v1.0.4

Integrations

VMware Carbon Black EDR v2

Renamed the integration Carbon Black Enterprise Response v2 to VMware Carbon Black EDR v2.


Cherwell Pack v1.0.2

Integrations

Cherwell

Removed assignment of a variable to itself.


Chronicle Pack v1.1.1

Integrations

Chronicle

Removed a redundant 'else'.


Claroty Pack v1.0.5

Integrations

Claroty

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Code42 Pack v2.0.0

Classifiers

Code42

New classifier.

Integrations

Code42
  • Internal code improvements.
  • Added new commands:
    • code42-departingemployee-get-all
    • code42-highriskemployee-add
    • code42-highriskemployee-remove
    • code42-highriskemployee-get-all
    • code42-highriskemployee-add-risk-tags
    • code42-highriskemployee-remove-risk-tags
    • code42-user-deactivate
    • code42-user-reactivate
    • code42-user-block
    • code42-user-unblock
    • code42-user-create
    • code42-legalhold-add-user
    • code42-legalhold-remove-user
    • code42-file-download
  • Improved error messages for all commands to include exception details.
  • Fixed a bug in the Fetch function where errors occurred when FileCategory was set to include only one category.
  • Fixed a bug in the Fetch function to handle the new Code42 exposure type Outside trusted domains.
  • Improved the Fetch function to better handle unsupported exposure types.

Layouts

Code42 Security Alert

Internal code improvements.

Playbooks

Code42 File Download

This playbook downloads a file via Code42 by either MD5 or SHA256 hash.

Code42 Exfiltration Playbook

The playbook now downloads the file in place of a manual step for retrieving file contents.


Common Scripts Pack v1.2.21

Scripts

ReadPDFFileV2
  • Removed an unnecessary 'pass' statement.
  • Fixed an issue where PDFs with multiple different encoding types were not handled.

NumberOfPhishingAttemptPerUser

Changed the default query to search only for incidents from the last 30 days.

ParseEmailFiles
  • Fixed an issue where the body text of the email was None.
  • Fixed an issue where the headers of the email were None.

New: If-Then-Else

A transformer for simple if-then-else logic. This can potentially reduce the number of tasks required for a given playbook.

ParseCSV

Fixed script arguments descriptions.

GenerateSummaryReports

Fixed various script descriptions.

IncreaseIncidentSeverity

The automation optionally increases the incident severity to the new value if it is greater than the existing severity.

Set

Improved the script description.

SetAndHandleEmpty

Improved the script description.

PrintRaw

Added the new PrintRaw automation, which prints a raw representation of a string or object, visualising things like tabs and newlines. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.

IsUrlPartOfDomain

Changed the way localhost is handled. URLs starting with localhost are universally returned as internal.

GetTime

Fixed an issue where the script failed if it was executed from another script or with raw-response=true.

CalculateEntropy

Calculates the entropy of the given data.


Common Types Pack v1.7.2

IndicatorFields

Category

Added the Category indicator field.

Layouts

domainRepUnified

Updated the design for the Domain indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability and Tags fields from the Domain Details widget.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details, and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags and Feed Related Indicators fields to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Domain details and Whois widget.

ipRep

Updated the design for the IP indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the IP Details widget.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags and Feed Related Indicators fields to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the IP details widget.

unifiedFileRep

Updated the design for the File indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Moved the SHA512 field from the Hashes widget to the File Details widget.
    • Removed the Aggregated Reliability and Tags fields from the File Details widget.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Renamed the Signatures widget to File signature.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags and Feed Related Indicators fields to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the IP details widget.

emailRep

Updated the design for the Email indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity and Owner fields to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Email details widget.

registryKey

Updated the design for the RegistryKey indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity and Owner fields to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Registry Key details widget.

hostRep

Updated the design for the Host indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity and Owner fields to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Host details widget.

accountRep

Updated the design for the Account indicator layout as follows:

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity field to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Account details widget.

cveRep

Updated the design for the CVE indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Added the CVE Modified field to the Account Details widget.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity field to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the CVE details widget.

Cortex Data Lake Pack v1.1.0

Integrations

Cortex Data Lake
  • Fixed the default values for arguments in the cdl-query-logs command.
  • Added the ip and port arguments to the cdl-query-threat-logs and the cdl-query-traffic-logs commands.
  • Added the cdl-query-url-logs command, which enables searching the URL log table.

Cymulate Pack v1.0.3

Integrations

Cymulate

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


DUO Admin Pack v2.0.0

Integrations

DUO Admin

Improved implementation of logging and error handling.


Darkfeed™ - Current Customer Edition Pack v1.1.0

Dashboards

Sixgill Darkfeed

Providing high-level analytics and segmentations of Darkfeed™ IOCs and the context in which they were detected.

Integrations

Sixgill DarkFeed™ Threat Intelligence

New custom Sixgill fields added to the IOCs, providing greater context into where the IOCs were shared and by whom.

Playbooks

Darkfeed - malware download from feed

Set this playbook as an automated job in order to automatically download malware from new Darkfeed IOCs and run them through the "Darkfeed IOC detonation and proactive blocking" playbook.

Darkfeed IOC detonation and proactive blocking

Download malicious files from a Darkfeed IOC, detonate them in automated sandboxes, and extract and block any additional indicators and files.

Darkfeed Threat hunting-research

Automatically discover and enrich indicators with the same actor and source as the triggering IOC. Search for and isolate any compromised endpoints and proactively block IOCs from entering your network.

Scripts

SearchIndicators

Searches indicators based on a given query.

Widgets

Sixgill Darkfeed - Threads from the Underground

Highlighting IOC-related conversations from the cyber underground.

Sixgill Darkfeed Indicators by Type

Segmenting Darkfeed™ IOCs by type (URL, Domain, File, IP)

Sixgill Darkfeed - Subfeed Composition

Displaying the segmentation of the Darkfeed™ into the various Subfeeds.

Sixgill Darkfeed - Collected IOCs

Overall line chart of number of IOCs detected daily.

Sixgill Mitre ATT&CK Techniques

Segmentation of the Darkfeed™ by Mitre ATT&CK techniques.

Sixgill Darkfeed - Mitre ATT&CK Tactics

Segmentation of the Darkfeed™ by Mitre ATT&CK Tactics.

Sixgill Darkfeed - Top 10 Threat Actors

The top-ten threat actors who posted the largest number of Darkfeed™ IOCs.

Sixgill Darkfeed IOC detection rate by Virus Total

The detection rate of Darkfeed™ IOCs in Virus total.


DeHashed Pack v1.1.0

Integrations

DeHashed

Added the email command, which checks if an email address was compromised.


Deprecated Content Pack v1.5.4

Integrations

SafeBreach (deprecated)

Use the SafeBreach v2 integration instead.


DomainTools Iris Pack v1.0.1

Integrations

DomainTools Iris

Internal code improvements.


EWS Pack v1.1.5

Integrations

EWS v2
  • Removed assignment of a variable to itself.
  • Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)

Elasticsearch Pack v1.0.2

Integrations

Elasticsearch Feed

Fixed an issue where API key authentication didn't work correctly for some users.

Elasticsearch v2

Fixed an issue where API key authentication didn't work correctly for some users.


Elasticsearch Feed Pack v1.0.4

Integrations

Elasticsearch Feed

Fixed an issue where API key authentication didn't work correctly for some users.


Fetch Indicators From File Pack v1.0.1

Scripts

FetchIndicatorsFromFile

Added supported file types to the script description.


FireEye HX Pack v1.0.3

Integrations

FireEye HX

Documentation and metadata improvements.


GenericSQL Pack v1.0.5

Integrations

Generic SQL
  • Disabled warnings from the Oracle driver.
  • Added the pgsql-query command, which simplifies migrating from PostgreSQL.
  • Marked the query command as deprecated. Use the sql-command command instead.

GitHub Pack v1.1.0

Integrations

GitHub

Added the Github-get-github-actions-usage command, which monitors GitHub actions usage for private repositories.


Gmail Single User (Beta) Pack v1.0.2

Integrations

Gmail Single User (Beta)

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


HIPAA - Breach Notification Pack v1.0.5

Playbooks

HIPAA - Breach Notification

General documentation improvements.


HelloWorld Pack v1.1.9

Integrations

HelloWorld

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


IBM QRadar Pack v1.0.7

Integrations

IBM QRadar

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Illusive Networks Pack v1.0.4

Classifiers

IllusiveNetworks
  • Updated the mapper with 2 fields.
    • Illusive Networks Deception Families
    • Illusive Networks Events Number

Integrations

IllusiveNetworks
  • Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)
  • Added 4 commands.
    • illusive-get-incident-events
    • illusive-get-forensics-analyzers
    • illusive-get-forensics-triggering-process-info
    • illusive-get-forensics-artifacts

Layouts

Illusive Networks Incident

Added new fields to the Illusive Networks Incident layout.

Playbooks

Illusive-Collect-Forensics-On-Demand

This playbook is used to collect forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection.

Illusive - Incident Escalation

Added a playbook that performs incident escalation.

Illusive - Data Enrichment

Added a playbook that enriches data.


Impossible Traveler Pack v1.2.0

Playbooks

Impossible Traveler

The playbook now checks if the Rasterize integration is enabled before using it.


Indeni Pack v1.0.5

Integrations

Indeni

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Logz.io Pack v1.1.0

Integrations

Logz.io

Fixed an issue with searching logs using a "human date" value.

Playbooks

New: Logz.io Indicator Hunting

Added a new hunting playbook.


MISP Pack v1.0.2

Integrations

MISP v2

Fixed a syntax error.


Manage Engine Service Desk Plus Pack v1.2.0

Integrations

ServiceDeskPlus

Added support for closure information in the close command.

Playbooks

Service Desk Plus - Generic Polling

Performs polling of a request given by the request ID input. The request status is polled until the request is closed.


Microsoft Graph Mail Pack v1.0.4

Integrations

Microsoft Graph Mail
  • Updated the description of the message_id argument in all relevant commands.
  • Fixed an issue where using the OData parameter in the msgraph-mail-list-emails and msgraph-mail-get-email commands caused the command to fail with a Bad Request error.

Microsoft Graph Mail Single User Pack v1.0.5

Integrations

Microsoft Graph Mail Single User

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Non Supported Pack v1.0.1

Playbooks

QRadar - Get offense correlations

Moved playbook to Non-Supported.


OnboardingIntegration Pack v1.0.2

Integrations

OnboardingIntegration

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


PAN-OS Pack v1.5.1

Integrations

Palo Alto Networks PAN-OS
  • PAN-OS - Panorama get url category
    • Added DBot outputs.
  • PAN-OS - url
    • Added the url command, based on URL filtering.

Playbooks

PAN-OS - Delete Static Routes

Replaced the deprecated playbook PanoramaCommitConfiguration with the PAN-OS Commit Configuration playbook.

PAN-OS - Add Static Routes

Replaced the deprecated playbook PanoramaCommitConfiguration with the PAN-OS Commit Configuration playbook.


PANW Comprehensive Investigation Pack v1.2.2

Playbooks

Palo Alto Networks - Malware Remediation

Handled dependencies for the playbook.

Palo Alto Networks - Endpoint Malware Investigation v2

Handled dependencies for the playbook.

Palo Alto Networks - Endpoint Malware Investigation

Handled dependencies for the playbook.


PCAP Analysis Pack v2.3.0

Playbooks

PCAP File Carving

Added new playbook input to validate if detonation is required.

New: PCAP Analysis

Added a playbook that analyzes a PCAP file.

PCAP Parsing And Indicator Enrichment
  • Improved a task name.
  • Fixed setting the ExternalIPAddresses context key.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.1

Integrations

Cortex XDR - IOC
  • The Cortex XDR - IOC is now a part of the Palo Alto Networks Cortex XDR - Investigation and Response pack.
  • Fixed an issue where the additional info for the Cortex XDR - IOC integration parameter did not appear as expected.
  • Updated a parameter name.
Palo Alto Networks Cortex XDR - Investigation and Response
  • Fixed an issue where the xdr-endpoint-scan command did not work when the hostname argument was passed.
  • Added standard outputs to the xdr-get-endpoints and xdr-get-incident-extra-data commands.

Playbooks

Cortex XDR incident handling v2

Fixed a bug in the "Find similar incidents" task, and added default input values.


Palo Alto Networks WildFire Pack v1.1.0

Integrations

Palo Alto Networks WildFire v2

Added the url argument to the wildfire-report command, which enables retrieving reports using the new WildFire URL analysis. Currently this is only available for the US cloud.

Playbooks

Detonate URL - WildFire v2.1

Added the Detonate URL - WildFire v2.1 playbook, which supports the new WildFire URL analysis.


PhishTank Pack v1.0.1

Integrations

PhishTank
  • Fixed the output types of the url command.
  • Fixed integration descriptions.

Phishing Pack v1.8.0

Playbooks

Process Email - Generic

The task that updates the incident layout with email headers will not stop on errors.

Process Email - Core

The task that updates the incident layout with email headers will not stop on errors.


Prisma Access Pack v1.0.3

Integrations

Prisma Access Egress IP feed

Added the Tags parameter.


Prisma Cloud Pack v1.2.3

Integrations

Prisma Cloud (RedLock)

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)

Playbooks

Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS CloudTrail Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP Compute Engine Instance Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP VPC Network Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS IAM Policy Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS CloudTrail Is Not Integrated With CloudWatch Logs

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP Compute Engine Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration

Handled dependencies for the playbook.


Red Canary Pack v1.0.3

Integrations

Red Canary

Fixed an issue where the same detection was fetched multiple times.


RiskSense Pack v1.0.2

Integrations

RiskSense

Improved error messages.


SANS Pack v1.1.0

Playbooks

Brute Force Investigation - Generic - SANS

Now verifies that the Active Directory Query v2 integration is enabled before using it.


SafeBreach - Breach and Attack Simulation platform Pack v1.0.4

Integrations

SafeBreach v2

Added the Tags parameter.

Layouts

Playbooks

New: SafeBreach - Create Incidents per Insight and Associate Indicators

This is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed".

New: SafeBreach - Process Non-Behavioral Insights Feed

Automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated.

New: SafeBreach - Rerun Single Insight

This is an auxiliary sub-playbook that reruns a single insight using a specified Insight Id as an input. It is used to loop over insights as part of the main rerun playbook - "SafeBreach Rerun Insights".

New: SafeBreach - Rerun Insights

Reruns a SafeBreach insight based on Insight ID and waits until it completes.

New: SafeBreach - Compare and Validate Insight Indicators

Compares Insight indicators before and after being processed. It receives an Insight and its indicators before validation, fetches updated indicators after rerunning the Insight, and then compares the results to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status and the appropriate field (SafeBreach Remediation Status) is updated.

Scripts

JoinListsOfDicts

Joins two lists of dictionaries by a key. If the key name differs between the two lists, specify both key (for the left list) and rightkey (for the right list).

ListGroupBy

Groups an output field from a list using multiple keys.
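To make the semantics of the two scripts above concrete, here is an added example that re-implements what the JoinListsOfDicts and ListGroupBy descriptions say they do; it is not the pack's own script code. The function names, left-join behaviour on unmatched rows, and the insight/indicator sample data are assumptions for this example.

```python
"""Illustrative re-implementation of the JoinListsOfDicts / ListGroupBy behaviour
described in the release notes. Names, argument handling and sample data are
assumptions for this example, not the pack's own code."""
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Optional, Tuple


def join_lists_of_dicts(left: List[dict], right: List[dict], key: str,
                        rightkey: Optional[str] = None) -> List[dict]:
    """Join two lists of dicts on `key`; when the right list names the key
    differently, pass it as `rightkey`. One merged row is produced per matching
    pair; left rows without a match are kept unchanged (left-join, assumed)."""
    rightkey = rightkey or key
    # Index the right list once so the join is linear in the input sizes.
    by_key: Dict[Any, List[dict]] = defaultdict(list)
    for r in right:
        if rightkey in r:
            by_key[r[rightkey]].append(r)
    joined: List[dict] = []
    for item in left:
        matches = by_key.get(item.get(key), [])
        if not matches:
            joined.append(dict(item))
            continue
        for match in matches:
            merged = dict(item)
            # Left-hand values win on a field-name clash.
            merged.update({k: v for k, v in match.items() if k not in merged})
            joined.append(merged)
    return joined


def list_group_by(items: List[dict], keys: Iterable[str]) -> Dict[Tuple, List[dict]]:
    """Group a list of dicts by the tuple of values found under `keys`."""
    keys = tuple(keys)
    groups: Dict[Tuple, List[dict]] = defaultdict(list)
    for item in items:
        groups[tuple(item.get(k) for k in keys)].append(item)
    return dict(groups)


# Constructed sample data: insights on the left, their indicators on the right.
INSIGHTS = [{"insightId": 7, "name": "Outbound beacon"},
            {"insightId": 9, "name": "Lateral SMB"}]
INDICATORS = [{"id": 7, "value": "198.51.100.23", "status": "Remediated"},
              {"id": 7, "value": "example.invalid", "status": "Not Remediated"},
              {"id": 9, "value": "203.0.113.8", "status": "Remediated"}]

if __name__ == "__main__":
    for row in join_lists_of_dicts(INSIGHTS, INDICATORS, key="insightId", rightkey="id"):
        print(row)
    for group, members in list_group_by(INDICATORS, ["id", "status"]).items():
        print(group, [m["value"] for m in members])
```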


Securonix Pack v1.1.2

Integrations

Securonix

The Test button now tests the fetch incidents flow.


ServiceNow Pack v1.1.7

Integrations

ServiceNow v2

Added the input_display_value argument to the following commands:

  • servicenow-update-ticket
  • servicenow-update-record
  • servicenow-create-ticket
  • servicenow-create-record

Slack Pack v1.3.4

Integrations

Slack v2

Removed unnecessary 'pass' statements.

Playbooks

Slack - General Failed Logins v2.1

Added a task that checks whether the Active Directory Query v2 integration is enabled before expiring a user password.


Smokescreen IllusionBLACK Pack v1.0.4

Integrations

Smokescreen IllusionBLACK

Added default classifiers and mappers.


SplunkPy Pack v1.1.0

Integrations

SplunkPy

Added default classifiers and mappers.


Thinkst Canary Pack v1.0.1

Integrations

Thinkst Canary

Fixed an issue where incidents were repeatedly fetched.


ThreatConnect Pack v2.0.2

Integrations

ThreatConnect v2

Fixed an issue where the tc-group-associate-indicator command failed to associate URL indicators.


Tufin Pack v1.1.0

Integrations

Tufin

Minor updates.

Playbooks

New: Tufin - Enrich IP Address(es)

Added a playbook that enriches a single IP address or multiple IP addresses.

New: Tufin - Get Network Device Info by IP Address

Added a playbook that gets network device information by IP address.

New: Tufin - Investigate Network Alert

Added a playbook that investigates a network alert.

New: Tufin - Get Application Information from SecureApp

Added a playbook that gets application information from SecureApp.

New: Tufin - Enrich Source & Destination IP Information

Added a playbook that enriches source and destination IP address information.


Unit42 Feed Pack v1.0.1

Integrations

Unit42 Feed

Fixed an issue where the Feed Related Indicators indicator field was not populated.


Whois Pack v1.1.2

Integrations

Whois

Fixed an issue where arguments of type array were not processed correctly.


Zimperium Pack v1.0.3

Integrations

Zimperium

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Assets