Cortex XSOAR Content Release Notes for version 20.9.1 (114694)

Published on 15 September 2020

New: Azure Log Analytics Pack v1.0.0

Integrations

Azure Log Analytics (Beta)

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.

Playbooks

Azure Log Analytics - Query From Saved Search

Executes a query from a saved search in Azure Log Analytics.


New: Microsoft Cloud App Security Pack v1.0.0

Classifiers

Microsoft CAS Classifier

Classifies Microsoft CAS Alerts.

Microsoft CAS

Maps incoming Microsoft CAS fields.

Integrations

Microsoft Cloud App Security

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.


New: Palo Alto Networks IoT Pack v1.0.0

IncidentFields

  • IoT Incident URL
  • ServiceNow Record ID
  • ServiceNow Table Name

IncidentTypes

  • IoT Alert
  • IoT Vulnerability

Integrations

Palo Alto Networks IoT

The Palo Alto Networks IoT security (previously Zingbox) integration exports the alerts and vulnerabilities found in the IoT security portal to XSOAR for incident response and enrichment.

Playbooks

PANW IoT ServiceNow Tickets Check

A playbook used in a recurring job to check the ServiceNow ticket status for the Palo Alto Networks IoT (previously Zingbox) alerts or vulnerabilities.

PANW IoT Incident Handling with ServiceNow

Creates a ServiceNow ticket after an incident is enriched by the Palo Alto Networks IoT security portal (previously Zingbox Cloud).

Scripts

iot-security-alert-post-processing

A post-processing script that resolves an alert in the IoT security portal using the API.

iot-security-check-servicenow

Closes an XSOAR incident when the corresponding IoT ServiceNow ticket is closed. You should run this script in a job.

iot-security-get-raci

Evaluates the Responsible (R) and Informed (I) parties for an IoT incident according to its RACI model.

iot-security-vuln-post-processing

A post-processing script that resolves a vulnerability incident in the IoT security portal using the API.


New: Security Intelligence Services Feed Pack v1.0.0 (Partner Supported)

IndicatorFields

SISCategory

Category of the indicator.

SISExpiration

Expiration time of the indicator.

SISMalwareType

Type of malware received from the feed.

SISMatchType

Match type of the indicator.

Integrations

Security Intelligence Services Feed

A PassiveTotal Security Intelligence Services feed that provides newly observed domains, malware, phishing, content, and scam blacklists. Supports hourly ingestion.


New: ServerLogs Pack v1.0.0

Dashboards

Server Logs

Dashboard to tail the latest server and Docker logs.

Scripts

ServerLogs

Uses the SSH integration to grab the host server logs.

ServerLogs_docker

Uses the SSH integration to grab the Docker host server logs.


New: ThreatConnect Feed Pack v1.0.0

Integrations

ThreatConnect Feed

Fetches indicators from ThreatConnect.


AWS - Security Hub Pack v1.0.2

Integrations

AWS - Security Hub

Maintenance and stability enhancements.


AlienVault OTX Pack v1.0.2

Integrations

AlienVault OTX v2
  • Updated the Docker image.
  • Fixed the file command so that it does not fail for hashes for which there is no analysis.

Amazon DynamoDB Pack v1.0.1

Integrations

Amazon DynamoDB

General documentation improvements.


ApiModules Pack v1.0.6

Scripts

MicrosoftApiModule
  • Added support for authorization to multiple resources.
  • Updated Docker image to the latest version.

ArcSight ESM Pack v1.0.6

Integrations

ArcSight ESM v2

Increased the maximum per-fetch limit to 300. The recommended limit is 50.


Base Pack v1.3.0

Scripts

CommonServerPython
  • Maintenance and stability enhancements.
  • Added the return_results function and the CommandResults class to the Script Helper documentation.
  • Enhanced the dict_safe_get function, which now supports nested lists and dictionaries and validates the type of the returned value.
  • Added the build_number argument to the is_demisto_version_ge function and adjusted the is_versioned_context_available function accordingly.
  • Added the timeline object to the CommandResults class.
SaneDocReports
  • Fixed a trend percentage calculation issue.
  • Maintenance and stability enhancements.
New: GetIndicatorsByQuery

Returns indicators that match the defined query and exports them to a file.

DBotMLFetchData
  • Added the Created field to the collected features.
  • Maintenance and stability enhancements.
DBotPredictPhishingWords
  • Maintenance and stability enhancements.
  • Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.
  • Changed the default value of the run once parameter to true.
CommonServerPowerShell

Added the TableToMarkdown method.

DBotTrainTextClassifierV2

Fixed a typo in an error message.

DBotSuggestClassifierMapping

Maintenance and stability enhancements.

SanePdfReports

Maintenance and stability enhancements.


Blueliv ThreatCompass Pack v1.0.1

Integrations

Blueliv ThreatCompass

Documentation and metadata improvements.


CVE Search Pack v1.0.2

Scripts

cveSearch

Maintenance and stability enhancements.

cveLatest

Maintenance and stability enhancements.


Cisco Threat Grid Pack v1.1.0

Playbooks

Detonate File - ThreatGrid

Samples are now submitted as private by default.


Common Playbooks Pack v1.8.0

Playbooks

Detonate File - Generic

Fixed a bug where a change in the Detonate File - ThreatGrid inputs did not populate into the Detonate File - Generic playbook. Detonate File - ThreatGrid now submits private samples by default.


Common Scripts Pack v1.2.41

Scripts

ParseEmailFiles
  • Fixed an issue where S/MIME .eml files were not parsed properly.
  • Fixed a bug where a line starting with a double period (..), as produced by SMTP dot-stuffing, was not processed correctly.
RunPollingCommand

Improved error handling.

SetAndHandleEmpty

The stringify and append parameters now work as expected.

LookupCSV

Added support for values that contain commas in CSV files.

JSONtoCSV

Maintenance and stability enhancements.

DeleteContext

Updated the script to execute using the DBot role.


Cortex Data Lake Pack v1.2.2

Integrations

Cortex Data Lake
  • Fixed an error with parsing of authentication responses.
  • Updated the Docker image from 1.0.0.10370 to 1.0.0.10828.

CrowdStrike Falcon Pack v1.2.0

Integrations

CrowdStrike Falcon

Updated the fetch_incidents function to be more comprehensive and handle a high volume of incidents.


CrowdStrike FalconX Pack v1.0.2

Integrations

CrowdStrike Falcon X
  • Maintenance and stability enhancements.
  • Updated the Docker image.

Cybereason Pack v1.0.2

Integrations

Cybereason
  • Dictionary and list values are now accessed safely, and an informative error log entry is written when an expected value is missing.
  • Fixed filters in the cybereason-query-malops command.
  • Fixed the cybereason-query-malops and fetch-incidents commands to retrieve all Malop types.

DUO Admin Pack v2.0.2

Integrations

DUO Admin

Maintenance and stability enhancements.


Demisto REST API Pack v1.1.1

Scripts

DemistoUploadFile

Maintenance and stability enhancements.


Developer Tools Pack v1.0.1

Scripts

VerifyContextFields

Maintenance and stability enhancements.

VerifyContext

Maintenance and stability enhancements.

StringContains

Maintenance and stability enhancements.

WhileLoop

Maintenance and stability enhancements.


DomainTools Iris Pack v1.0.3 (Partner Supported)

Integrations

DomainTools Iris

Updated the Content Pack support information.


EWS Pack v1.3.0

Integrations

EWS v2

Maintenance and stability enhancements.

EWS O365
  • Added the ews-send-mail command.
  • Maintenance and stability enhancements.

Elasticsearch Pack v1.1.1

Integrations

Elasticsearch v2
  • Added support for schema mapping per index.
  • Updated the integration Docker image to the latest version.

Elasticsearch Feed Pack v1.0.6

Integrations

Elasticsearch Feed
  • Changed the default Feed Type from Cortex XSOAR Feed to Cortex XSOAR MT Shared Feed.
  • Updated the Docker image.

Email Communication Pack v1.2.2

Layouts

A new layout for the Email Communication pack, which assists with communicating and responding to emails in the Cortex XSOAR system.


Endace Pack v1.1.1 (Partner Supported)

Playbooks

Endace Search Archive and Download

Maintenance and stability enhancements.

Endace Search Archive Download PCAP

Maintenance and stability enhancements.


Google Vault Pack v1.0.2

Integrations

Google Vault

Fixed a bug that caused excessive memory usage.


IBM QRadar Pack v1.0.9

Playbooks

QRadar - Get offense correlations

Maintenance and stability enhancements.

Scripts

QRadarFullSearch

Maintenance and stability enhancements.

QRadarGetOffenseCorrelations

Maintenance and stability enhancements.

QRadarClassifier

Maintenance and stability enhancements.

QRadarGetCorrelationLogs

Maintenance and stability enhancements.


IBM X-Force Exchange Pack v1.0.1

Integrations

IBM X-Force Exchange v2
  • Fixed an issue where the url and domain commands failed for URLs that do not exist on the server.
  • Updated the Docker image.

Infinipoint Pack v1.0.2 (Partner Supported)

Integrations

Infinipoint
  • Updated the infinipoint-run-queries command name to infinipoint-execute-action.
  • Documentation and metadata improvements.
  • Updated the integration Docker image to the latest version.

IronDefense Pack v1.1.2 (Partner Supported)

Integrations

IronDefense

Updated the Content Pack support information.


MISP Pack v1.0.3

Scripts

misp_download_sample

Maintenance and stability enhancements.

misp_upload_sample

Maintenance and stability enhancements.


Machine Learning Pack v1.2.0

Scripts

HashIncidentsFields
  • Added support for wildcards in the fieldsToHash field.
  • Added the un-populate and removeLabels arguments.
DBotPredictOutOfTheBox

Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.


MailListener - POP3 (Beta) Pack v1.0.1

Integrations

MailListener - POP3 Beta

Fixed an issue where fetch-incidents failed for emails that contain special characters.


Microsoft Graph Security Pack v2.0.1

Integrations

Microsoft Graph Security

Fixed an issue in which some alerts were not being fetched.


Mimecast Pack v1.1.2

Integrations

Mimecast v2

Fixed an issue where the mimecast-get-group-members command failed if only one group existed in the context.


MongoDB Pack v1.1.0

Integrations

MongoDB
  • Fixed an issue where it was not possible to apply filters on the _id field.
  • Added the sort argument to the mongodb-query command.

OTRS Service Management XSOAR Pack v1.0.1

Integrations

OTRS

Fixed an issue where running the otrs-create-ticket and otrs-update-ticket commands with the attachment parameter failed.


PAN-OS Pack v1.6.0

Integrations

Palo Alto Networks PAN-OS
  • Added 19 commands.

    • panorama-get-licences
    • panorama-get-security-profiles
    • panorama-apply-security-profile
    • panorama-get-ssl-decryption-rules
    • panorama-get-wildfire-configuration
    • panorama-get-wildfire-best-practice
    • panorama-enforce-wildfire-best-practice
    • panorama-url-filtering-block-default-categories
    • panorama-get-anti-spyware-best-practice
    • panorama-get-file-blocking-best-practice
    • panorama-get-antivirus-best-practice
    • panorama-get-vulnerability-protection-best-practice
    • panorama-get-url-filtering-best-practice
    • panorama-create-anti-spyware-best-practice-profile
    • panorama-create-antivirus-best-practice-profile
    • panorama-create-vulnerability-best-practice-profiles
    • panorama-create-url-filtering-best-practice-profile
    • panorama-create-file-blocking-best-practice-profile
    • panorama-create-wildfire-best-practice-profile
  • Updated the Docker image to the latest tag.


PANW Comprehensive Investigation Pack v1.3.2

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Added a new playbook, which includes bug fixes for an earlier version and a new hunting sub-playbook.


PCAP Analysis Pack v2.3.3

Playbooks

PCAP Parsing And Indicator Enrichment

Fixed a typo in some fields taken from the context.

Scripts

PcapMinerV2

Fixed a bug in the SMTP extraction process.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.9

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response
  • Maintenance and stability enhancements.
  • Added the HTTP Timeout parameter, which sets the timeout for HTTP requests to the Cortex XDR API.
  • Added the Maximum number of incidents per fetch integration parameter.

Playbooks

Cortex XDR - Malware Investigation

Added a check to see if the malicious file already exists before retrieving it.

Scripts

XDRSyncScript

Added the playbook_to_run argument.


Palo Alto Networks WildFire Pack v1.2.0

Playbooks

WildFire - Detonate file

Added support for the PE file type.


PassiveTotal Pack v2.0.0 (Partner Supported)

Integrations

PassiveTotal v2

New PassiveTotal integration with enhancement scripts.

PassiveTotal

Scripts

PTEnrich (Deprecated)

Fixed an issue with the integration display and description.

RiskIQPassiveTotalComponentsScript

An enhancement script to enrich PassiveTotal components for Domain and IP indicator values.

RiskIQPassiveTotalHostPairChildrenScript

An enhancement script to enrich PassiveTotal Host Pair of children for Domain and IP indicator values.

RiskIQPassiveTotalHostPairParentsScript

An enhancement script to enrich PassiveTotal Host Pair of parents for Domain and IP indicator values.

RiskIQPassiveTotalPDNSScript

An enhancement script to enrich PDNS information for Domain and IP indicator values.

RiskIQPassiveTotalSSLScript

An enhancement script to enrich SSL information for email, RiskIQSHA1, and RiskIQSerialNumber indicator values.

RiskIQPassiveTotalTrackersScript

An enhancement script to enrich web trackers information for Domain and IP indicator values.

RiskIQPassiveTotalWhoisScript

An enhancement script to enrich Whois information for Domain and email indicator values.


Phishing Pack v1.10.3

Scripts

New: PhishingDedupPreprocessingRule

An out-of-the-box deduplication pre-processing script based on a machine learning algorithm.


Prisma Cloud Pack v1.2.4

Integrations

Prisma Cloud (RedLock)

Added the Redlock.Alert.AlertRules output to the redlock-get-alert-details command, which lists the names of the alert rules that triggered the alert.


QueryAI Pack v1.0.2 (Partner Supported)

Integrations

Query.AI

Updated the Request Timeout field.

QueryAI_description.md

Documentation and metadata improvements.


Red Canary Pack v1.0.4

Integrations

Red Canary

Fixed an issue where the redcanary-get-detection command would cause a timeout.


SafeBreach - Breach and Attack Simulation platform Pack v1.0.7 (Partner Supported)

Integrations

SafeBreach v2
  • Maintenance and stability enhancements.
  • Fixed an issue where test-module failed with an SSL error even when the Trust any certificate option is enabled.
  • Updated the Docker image.

ServiceNow Pack v1.3.0

Classifiers

ServiceNow - Incoming Mapper
  • Fixed an issue where the date format was incorrect.
  • Updated the classifier with the new integration parameters.
ServiceNow v2

Added the following integration parameters.

  • Incident Mirroring Direction
  • File Entry Tag
  • Work Note Entry Tag
  • Comment Entry Tag

Integrations

ServiceNow v2
  • Maintenance and stability enhancements.
  • Fixed a minor bug in the servicenow-create-ticket command.

Layouts

Fixed a typo in the tab name.


Sixgill Darkfeed - Core Edition Pack v1.1.4 (Partner Supported)

Integrations

Sixgill DarkFeed Threat Intelligence
  • Added support for additional sub-feeds with a larger variety of IOCs from the underground.
  • Updated the connector.

Scripts

SearchIndicators

Maintenance and stability enhancements.


SplunkPy Pack v1.2.1

Integrations

SplunkPy

Added validation of the HEC URL and HEC token in the test function.

Scripts

SplunkPySearch

Maintenance and stability enhancements.


Tanium Pack v1.0.3

Integrations

Tanium v2

Updated the tn-ask-question command to automatically parse parameters from question text.


ThreatConnect Pack v2.0.8

Integrations

ThreatConnect v2
  • Added support for fetching indicators from multiple owners.
  • The DBotScore calculation now works as expected.

ThreatQ Pack v1.0.5 (Partner Supported)

Integrations

ThreatQ v2
  • Added Content-Type to request headers.
  • Updated the Docker image.

TruSTAR Pack v2.1.0 (Partner Supported)

Integrations

TruSTAR v2
  • Added support for multiple new filtering arguments to the trustar-search-indicators and the trustar-search-reports commands.
  • Added the redact argument to the trustar-submit-report command, which gives users the option to redact a report before submission.
  • Fixed an issue where the trustar-get-phishing-submissions and the trustar-get-phishing-indicators commands did not work due to changes in the TruSTAR API.
  • Added support for the limit argument in the trustar-get-phishing-submissions and the trustar-get-phishing-indicators commands.

Whois Pack v1.1.5

Integrations

Whois

Maintenance and stability enhancements.


Yara Pack v1.0.1

Scripts

YaraScan

Maintenance and stability enhancements.


Zscaler Pack v1.0.4

Integrations

Zscaler

Fixed an issue where URLs were sent to the Zscaler server with the protocol prefix.


illuminate Pack v1.0.2 (Partner Supported)

Integrations

illuminate

Updated the Content Pack support information.


urlscan.io Pack v1.0.2

Integrations

urlscan.io
  • Fixed an issue with the submission visibility in the following commands.
    • urlscan-submit
    • urlscan-submit-url-command
  • Improved the error message when the rate limit has been breached.
  • Added a warning when the remaining rate limit is 10 or less.
