Cortex XSOAR Content Release Notes for version 20.9.0 (98126)

This content release includes new content packs and updates to existing content packs.

Published on 1 September 2020

New Content Packs


New: Email Communication Pack v1.2.0

Do you have to send multiple emails to end users? This content pack helps you streamline the process and automate updates, notifications and more.

IncidentFields

  • Add CC To Email

IncidentTypes

  • Email Communication

Scripts

PreprocessEmail

Preprocessing script for email communication layout. This script checks if the incoming email contains an Incident ID to link the mail to an existing incident, and tags the email as "email-thread".

For more information about the preprocessing rules, refer to: https://demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing

SendEmailReply

Sends email messages with the configured mail sender integration.


New: Genians Pack v1.0.0 (Partner Supported)

Integrations

Genians

Use the Genians integration to block IP addresses by assigning and unassigning tags.


New: McAfee ESM Pack v1.0.0

Integrations

McAfee ESM v2

Run queries and receive alarms from McAfee ESM. The integration supports McAfee version 10 and above.


New: Microsoft Advanced Threat Analytics Pack v1.0.0

Classifiers

Microsoft Advanced Threat Analytics - Classification

Classifies Microsoft Advanced Threat Analytics suspicious activities.

Microsoft Advanced Threat Analytics
Microsoft Advanced Threat Analytics - Incoming Mapper

Maps Microsoft Advanced Threat Analytics suspicious activity fields.

IncidentFields

  • Suspicious Activity End Time
  • Suspicious Activity ID
  • Suspicious Activity Severity
  • Suspicious Activity Start Time
  • Suspicious Activity Status

IncidentTypes

  • Microsoft ATA Suspicious Activity

Integrations

Microsoft Advanced Threat Analytics

Use Microsoft Advanced Threat Analytics integration to manage suspicious activities, and monitor alerts and entities.


New: NTT Cyber Threat Sensor Pack v1.0.0 (Partner Supported)

Classifiers

NTT Cyber Threat Sensor - Classifier

Classifies NTT Cyber Threat Sensor incidents.

NTT Cyber Threat Sensor
NTT Cyber Threat Sensor - Incoming Mapper

Maps incoming NTT Cyber Threat Sensor fields.

IncidentFields

  • FAERE Description
  • Graph Plot

IncidentTypes

  • TD Incident

Integrations

NTT Cyber Threat Sensor

Retrieves alerts and recommendations from NTT CTS.

Playbooks

Handle TD events

Enriches TD events.


New: PiHole Pack v1.0.0 (Community Supported)

Integrations

PiHole

Pi-hole is a network-level advertisement and Internet tracker blocking application that acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.


New: QueryAI Pack v1.0.0 (Partner Supported)

Integrations

Query.AI

Query.AI is a decentralized data access and analysis technology that simplifies security investigations across disparate platforms without data duplication.

Updated Content Packs


Access Investigation Pack v1.2.2

Layouts

layout-edit-Access.json

Set the default incident type for the layout.

layout-details-Access.json

Set the default incident type for the layout.


Base Pack v1.1.17

Scripts

WordTokenizerNLP

Updated the script Docker image to the latest version.

CommonServerPython

  • Added the following code objects, which simplify creating widgets:
    • TextWidget
    • TrendWidget
    • NumberWidget
    • BarColumnPieWidget
    • LineWidget
    • TableOrListWidget
  • Fixed an issue with the mirroring mapper scheme.
  • Fixed an issue in the return_outputs function where the content type was incorrect.

SaneDocReports

Fixed an issue with the table readable headers.


CheckPhish Pack v1.0.1

Integrations

CheckPhish
  • Updated the default API URL.
  • Adjusted the error handling to use the new API format.

Cisco AMP Pack v1.0.1

Integrations

Cisco AMP

Fixed an issue that caused the amp_move_computer to fail.


Cisco Umbrella Investigate Pack v1.0.1

Integrations

Cisco Umbrella Investigate

Fixed an issue where the umbrella-ip-dns-history command failed when no IP results were found.


Code42 Pack v2.0.3 (Partner Supported)

Integrations

Code42

Fixed a bug where File Category would not map correctly when creating incidents from Code42 alerts.


Cofense Triage Pack v1.1.4 (Partner Supported)

Integrations

Cofense Triage v2

Fixed an issue in the cofense-get-attachment command.


Common Playbooks Pack v1.7.1

Playbooks

Extract Indicators From File - Generic v2

Added support for UTF-8 Unicode text files.


Common Scripts Pack v1.2.34

Scripts

WhereFieldEquals

Fixed an issue where WhereFieldEquals returned a string instead of a list.

FeedRelatedIndicatorsWidget

Fixed an issue where the indicator link value was incorrect.


Common Types Pack v1.8.8

Layouts

  • File Indicator
  • layout-edit-Vulnerability.json
  • layout-details-Vulnerability.json

CrowdStrike Falcon Streaming Pack v1.0.7

Integrations

CrowdStrike Falcon Streaming v2
  • Improved error handling of unsupported media types.
  • Improved handling when the stream response client is not completed.
  • Maintenance and stability enhancements.

CyberArk Pack v1.0.2

Integrations

CyberArk PAS
  • Added documentation for the integration.
  • Updated the cyberark-pas-credentials-verify command to use the new API.
  • Added the cyberark-pas-account-get-details command.

DUO Admin Pack v2.0.1

Integrations

DUO Admin

Updated the integration Docker image to the latest version.


Endace Pack v1.1.0 (Partner Supported)

Integrations

Endace
  • Added support for directionless IP and port search.
  • Improved error handling messages.
  • The hostname parameter is now mandatory.

Playbooks

Endace Search Archive and Download

This playbook is deprecated. Use the Endace Search Archive Download PCAP v2 playbook instead.

Deprecated: Endace Search Archive Download PCAP

This playbook is deprecated. Use the Endace Search Archive Download PCAP v2 playbook instead.

Endace Search Archive Download PCAP v2
  • Added support for directionless IP and port search and for user-friendly timeframe values.
  • Updated the playbook input and output variables and their definitions.

Expanse Pack v1.1.1 (Partner Supported)

Integrations

Expanse

Updated the version number in the user-agent header.


GDPR Pack v1.0.5

Layouts

  • layout-edit-GDPR_Data_Breach.json
  • layout-details-GDPR_Data_Breach.json

GitHub Pack v1.1.1

Integrations

GitHub

Improved error handling of parameter errors.


Gmail Pack v1.0.5

Integrations

Gmail

Removed the event argument from the gmail-list-users command. If you currently use this argument, it will be ignored when executing the command. If you do not install this upgrade, the following integration components will fail:

  • Test button
  • gmail-list-users command
  • gmail-search-all-mailboxes command

IBM QRadar Pack v1.0.8

Integrations

IBM QRadar

Added a parameter that enables you to specify the number of addresses to enrich per API call.


IronDefense Pack v1.1.1 (Partner Supported)

Classifiers

IronDefense

Added a new classifier.

IronDefense - Incoming Mapper

Added a new incoming mapper.

IronDefense - Classifier

Added a new classifier.

Integrations

IronDefense
  • Added the ability to retrieve IronDefense alerts and events.
  • Improved integration descriptions.

Layouts

  • layout-details-IronDefense_IronDome_Notification.json
  • layout-details-IronDefense_Event_Notification.json
  • layout-details-IronDefense_Alert_Notification.json

Malware Pack v1.2.3

Layouts

  • layout-edit-Malware.json
  • layout-details-Malware.json

Malwarebytes Pack v1.0.2 (Partner Supported)

Integrations

Malwarebytes

Added code for usage analytics.


McAfee ESM v10 and v11 Pack v1.0.3

Integrations

Deprecated: McAfee ESM v10 and v11

Use the McAfee ESM v2 integration instead.


Microsoft Graph User Pack v1.2.0

Integrations

Microsoft Graph User

Fixed an issue where the next_page argument in the msgraph-user-list command did not work as expected.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.3

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added a default classifier and mapper.


PassiveTotal Pack v1.0.1

Integrations

PassiveTotal

Limited the number of related domains that display in the War Room for enrichment commands.


Phishing Pack v1.10.2

Layouts

layout-quickView-Phishing

Set the default incident type for the layout.

layout-mobile-Phishing

Set the default incident type for the layout.

Phishing Incident

Set the default incident type for the layout.

layout-edit-Phishing

Set the default incident type for the layout.


Proofpoint TAP Pack v1.1.0

Integrations

Proofpoint TAP v2

Fixed an issue in the proofpoint-get-forensics command where the command failed when getting a threat by campaignId.


ServiceNow Pack v1.2.1

Classifiers

New: ServiceNow Classifier

Classifies ServiceNow tickets.

New: ServiceNow - Outgoing Mapper

Maps outgoing ServiceNow incident fields.

New: ServiceNow - Incoming Mapper

Maps incoming ServiceNow incident fields.

Integrations

ServiceNow v2
  • Added the ability to mirror tickets between ServiceNow and Cortex XSOAR.
  • Removed unnecessary import.

Layouts

ServiceNow Ticket


SplunkPy Pack v1.1.3

Integrations

SplunkPy
  • Fixed an issue where the splunk-parse-raw command failed when the raw argument received input in JSON format.
  • Fixed an issue in which some incidents were not fetched.

Symantec Endpoint Protection Pack v1.0.2

Integrations

Symantec Endpoint Protection v2

Fixed an issue in which the domain parameter was not parsed correctly.


Tanium Pack v1.0.2

Integrations

Tanium v2

Added the completion-percentage argument to the following commands:

  • tn-get-saved-question-result
  • tn-get-question-result

ThreatConnect Pack v2.0.5

Integrations

ThreatConnect v2

Fixed an issue where the DBotScore calculation did not work as expected.
