Cortex XSOAR Content Release Notes for version 20.9.1 (114694)
Published on 15 September 2020

New: Azure Log Analytics Pack v1.0.0

Integrations
Azure Log Analytics (Beta): Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.

Playbooks
Azure Log Analytics - Query From Saved Search: Executes a query from a saved search in Azure Log Analytics.

New: Microsoft Cloud App Security Pack v1.0.0

Classifiers
Microsoft CAS Classifier: Classifies Microsoft CAS alerts.
Microsoft CAS: Maps incoming Microsoft CAS fields.

Integrations
Microsoft Cloud App Security: Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.

New: Palo Alto Networks IoT Pack v1.0.0

IncidentFields
- IoT Incident URL
- ServiceNow Record ID
- ServiceNow Table Name

IncidentTypes
- IoT Alert
- IoT Vulnerability

Integrations
Palo Alto Networks IoT: The Palo Alto Networks IoT security (previously Zingbox) integration is used for exporting the alerts and vulnerabilities found in the IoT security portal to XSOAR for incident response and enrichment.

Playbooks
PANW IoT ServiceNow Tickets Check: A playbook used in a recurring job to check the ServiceNow ticket status for the Palo Alto Networks IoT (previously Zingbox) alerts or vulnerabilities.
PANW IoT Incident Handling with ServiceNow: Creates a ServiceNow ticket after an incident is enriched by the Palo Alto Networks IoT security portal (previously Zingbox Cloud).

Scripts
iot-security-alert-post-processing: A post-processing script that resolves an alert in the IoT security portal using the API.
iot-security-check-servicenow: Closes an XSOAR incident when the corresponding IoT ServiceNow ticket is closed. You should run this script in a job.
iot-security-get-raci: Evaluates the Responsible (R) and Informed (I) parties of the IoT incident using the RACI model.
iot-security-vuln-post-processing: A post-processing script that resolves a vulnerability incident in the IoT security portal using the API.
New: Security Intelligence Services Feed Pack v1.0.0 (Partner Supported)

IndicatorFields
SISCategory: Category of the indicator.
SISExpiration: Expiration time of the indicator.
SISMalwareType: Type of malware received from the feed.
SISMatchType: Match type of the indicator.

Integrations
Security Intelligence Services Feed: A PassiveTotal Security Intelligence Services feed that provides you with newly observed domains, malware, phishing, content, and scam blacklists. Supports hourly ingestion.

New: ServerLogs Pack v1.0.0

Dashboards
Server Logs: Dashboard to tail the latest server and Docker logs.

Scripts
ServerLogs: Uses the SSH integration to grab the host server logs.
ServerLogs_docker: Uses the SSH integration to grab the Docker host server logs.

New: ThreatConnect Feed Pack v1.0.0

Integrations
ThreatConnect Feed: Fetches indicators from ThreatConnect.
AWS - Security Hub Pack v1.0.2

Integrations
AWS - Security Hub: Maintenance and stability enhancements.

AlienVault OTX Pack v1.0.2

Integrations
AlienVault OTX v2:
- Updated the Docker image.
- Fixed the file command so that it does not fail for hashes for which there is no analysis.

Amazon DynamoDB Pack v1.0.1

Integrations
Amazon DynamoDB: General documentation improvements.

ApiModules Pack v1.0.6

Scripts
MicrosoftApiModule:
- Added support for authorization to multiple resources.
- Updated Docker image to the latest version.

ArcSight ESM Pack v1.0.6

Integrations
ArcSight ESM v2: Increased the maximum per-fetch limit to 300. The recommended limit is 50.

Base Pack v1.3.0

Scripts
CommonServerPython:
- Maintenance and stability enhancements.
- Added the return_results function and the CommandResults class to the Script Helper documentation.
- Enhanced the dict_safe_get function, which now supports a nested list/dictionary and returns the type validation.
- Added the build_number argument to the is_demisto_version_ge function and adjusted the is_versioned_context_available function accordingly.
- Added the timeline object to the CommandResult class.

SaneDocReports:
- Fixed a trend percentage calculation issue.
- Maintenance and stability enhancements.

New: GetIndicatorsByQuery: Returns indicators that match the defined query and exports them to a file.

DBotMLFetchData:
- Added the Created field to the collected features.
- Maintenance and stability enhancements.

DBotPredictPhishingWords:
- Maintenance and stability enhancements.
- Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.
- Changed the default value of the run once parameter to true.

CommonServerPowerShell: Added the TableToMarkdown method.
DBotTrainTextClassifierV2: Fixed a typo in an error message.
DBotSuggestClassifierMapping: Maintenance and stability enhancements.
SanePdfReports: Maintenance and stability enhancements.
Blueliv ThreatCompass Pack v1.0.1

Integrations
Blueliv ThreatCompass: Documentation and metadata improvements.

CVE Search Pack v1.0.2

Scripts
cveSearch: Maintenance and stability enhancements.
cveLatest: Maintenance and stability enhancements.

Cisco Threat Grid Pack v1.1.0

Playbooks
Detonate File - ThreatGrid: Samples are now submitted as private by default.

Common Playbooks Pack v1.8.0

Playbooks
Detonate File - Generic: Fixed a bug where a change in the Detonate File - ThreatGrid inputs did not populate into the Detonate File - Generic playbook. Detonate File - ThreatGrid now submits private samples by default.

Common Scripts Pack v1.2.41

Scripts
ParseEmailFiles:
- Fixed an issue where S/MIME .eml files were not parsed properly.
- Fixed a bug in which a double period (..) in a new line was not processed correctly due to the SMTP standard.

RunPollingCommand: Improved error handling.
SetAndHandleEmpty: The stringify and append parameters now work as expected.
LookupCSV: Added support for values that contain commas in CSV files.
JSONtoCSV: Maintenance and stability enhancements.
DeleteContext: Updated the script to execute using the DBot role.

Cortex Data Lake Pack v1.2.2

Integrations
Cortex Data Lake:
- Fixed an error with parsing of authentication responses.
- Updated the Docker image from 1.0.0.10370 to 1.0.0.10828.
CrowdStrike Falcon Pack v1.2.0

Integrations
CrowdStrike Falcon: Updated the fetch_incidents function to be more comprehensive and handle a high volume of incidents.

CrowdStrike FalconX Pack v1.0.2

Integrations
CrowdStrike Falcon X:
- Maintenance and stability enhancements.
- Updated the Docker image.

Cybereason Pack v1.0.2

Integrations
Cybereason:
- Enhanced access to the dictionary/list. Accesses the dictionary and list in a safe manner in order to produce an informative error log entry, if it exists.
- Fixed filters in the cybereason-query-malops command.
- Fixed the cybereason-query-malops and fetch-incidents commands to retrieve all Malop types.

DUO Admin Pack v2.0.2

Integrations
DUO Admin: Maintenance and stability enhancements.

Demisto REST API Pack v1.1.1

Scripts
DemistoUploadFile: Maintenance and stability enhancements.

Developer Tools Pack v1.0.1

Scripts
VerifyContextFields: Maintenance and stability enhancements.
VerifyContext: Maintenance and stability enhancements.
StringContains: Maintenance and stability enhancements.
WhileLoop: Maintenance and stability enhancements.

DomainTools Iris Pack v1.0.3 (Partner Supported)

Integrations
DomainTools Iris: Updated the Content Pack support information.

EWS Pack v1.3.0

Integrations
EWS v2: Maintenance and stability enhancements.
EWS O365:
- Added the send-mail command.
- Maintenance and stability enhancements.

Elasticsearch Pack v1.1.1

Integrations
Elasticsearch v2:
- Added support for schema mapping per index.
- Updated the integration Docker image to the latest version.

Elasticsearch Feed Pack v1.0.6

Integrations
Elasticsearch Feed:
- Changed the default Feed Type from Cortex XSOAR Feed to Cortex XSOAR MT Shared Feed.
- Updated the Docker image.

Email Communication Pack v1.2.2

Layouts
A new layout for the Email Communication pack, which assists with communicating and responding to emails in the Cortex XSOAR system.
Endace Pack v1.1.1 (Partner Supported)

Playbooks
Endace Search Archive and Download: Maintenance and stability enhancements.
Endace Search Archive Download PCAP: Maintenance and stability enhancements.

Google Vault Pack v1.0.2

Integrations
Google Vault: Fixed a bug that caused excessive memory usage.

IBM QRadar Pack v1.0.9

Playbooks
QRadar - Get offense correlations: Maintenance and stability enhancements.

Scripts
QRadarFullSearch: Maintenance and stability enhancements.
QRadarGetOffenseCorrelations: Maintenance and stability enhancements.
QRadarClassifier: Maintenance and stability enhancements.
QRadarGetCorrelationLogs: Maintenance and stability enhancements.

IBM X-Force Exchange Pack v1.0.1

Integrations
IBM X-Force Exchange v2:
- Fixed an issue where the url and domain commands failed for URLs that don't exist in the server.
- Updated the Docker image.

Infinipoint Pack v1.0.2 (Partner Supported)

Integrations
Infinipoint:
- Updated the infinipoint-run-queries command name to infinipoint-execute-action.
- Documentation and metadata improvements.
- Updated the integration Docker image to the latest version.

IronDefense Pack v1.1.2 (Partner Supported)

Integrations
IronDefense: Updated the Content Pack support information.

MISP Pack v1.0.3

Scripts
misp_download_sample: Maintenance and stability enhancements.
misp_upload_sample: Maintenance and stability enhancements.
Machine Learning Pack v1.2.0

Scripts
HashIncidentsFields:
- Added support for wildcards in the fieldsToHash field.
- Added the un-populate and removeLabels arguments.

DBotPredictOutOfTheBox: Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.

MailListener - POP3 (Beta) Pack v1.0.1

Integrations
MailListener - POP3 Beta: Fixed an issue where fetch-incidents failed for emails that contain special characters.

Microsoft Graph Security Pack v2.0.1

Integrations
Microsoft Graph Security: Fixed an issue in which some alerts were not being fetched.

Mimecast Pack v1.1.2

Integrations
Mimecast v2: Fixed an issue where the mimecast-get-group-members command failed if only one group existed in the context.

MongoDB Pack v1.1.0

Integrations
MongoDB:
- Fixed an issue where it was not possible to apply filters in the _id field.
- Added the sort argument to the mongodb-query command.

OTRS Service Management XSOAR Pack Pack v1.0.1

Integrations
OTRS: Fixed an issue where running the otrs-create-ticket and otrs-update-ticket commands with the attachment parameter failed.

PAN-OS Pack v1.6.0

Integrations
Palo Alto Networks PAN-OS: Added 19 commands.
- panorama-get-licences
- panorama-get-security-profiles
- panorama-apply-security-profile
- panorama-get-ssl-decryption-rules
- panorama-get-wildfire-configuration
- panorama-get-wildfire-best-practice
- panorama-enforce-wildfire-best-practice
- panorama-url-filtering-block-default-categories
- panorama-get-anti-spyware-best-practice
- panorama-get-file-blocking-best-practice
- panorama-get-antivirus-best-practice
- panorama-get-vulnerability-protection-best-practice
- panorama-get-url-filtering-best-practice
- panorama-create-anti-spyware-best-practice-profile
- panorama-create-antivirus-best-practice-profile
- panorama-create-vulnerability-best-practice-profiles
- panorama-create-url-filtering-best-practice-profile
- panorama-create-file-blocking-best-practice-profile
- panorama-create-wildfire-best-practice-profile
Updated the Docker image to the latest tag.
PANW Comprehensive Investigation Pack v1.3.2

Playbooks
Palo Alto Networks - Endpoint Malware Investigation v3: Added a new playbook, which includes bug fixes for an earlier version and a new hunting sub-playbook.

PCAP Analysis Pack v2.3.3

Playbooks
PCAP Parsing And Indicator Enrichment: Fixed a typo in some fields taken from the context.

Scripts
PcapMinerV2: Fixed a bug in the SMTP extraction process.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.9

Integrations
Palo Alto Networks Cortex XDR - Investigation and Response:
- Maintenance and stability enhancements.
- Added the HTTP Timeout parameter, which sets the timeout for HTTP requests to the Cortex XDR API.
- Added the Maximum number of incidents per fetch integration parameter.

Playbooks
Cortex XDR - Malware Investigation: Added a check to see if the malicious file already exists before retrieving it.

Scripts
XDRSyncScript: Added the playbook_to_run argument.

Palo Alto Networks WildFire Pack v1.2.0

Playbooks
WildFire - Detonate file: Added support for the PE file type.

PassiveTotal Pack v2.0.0 (Partner Supported)

Integrations
PassiveTotal v2: New PassiveTotal integration with enhancement scripts.
PassiveTotal

Scripts
PTEnrich (Deprecated): Fixed an issue with the integration display and description.
RiskIQPassiveTotalComponentsScript: An enhancement script to enrich PassiveTotal components for Domain and IP indicator values.
RiskIQPassiveTotalHostPairChildrenScript: An enhancement script to enrich PassiveTotal Host Pair of children for Domain and IP indicator values.
RiskIQPassiveTotalHostPairParentsScript: An enhancement script to enrich PassiveTotal Host Pair of parents for Domain and IP indicator values.
RiskIQPassiveTotalPDNSScript: An enhancement script to enrich PDNS information for Domain and IP indicator values.
RiskIQPassiveTotalSSLScript: An enhancement script to enrich SSL information for email, RiskIQSHA1, and RiskIQSerialNumber indicator values.
RiskIQPassiveTotalTrackersScript: An enhancement script to enrich web trackers information for Domain and IP indicator values.
RiskIQPassiveTotalWhoisScript: An enhancement script to enrich Whois information for Domain and email indicator values.
Phishing Pack v1.10.3

Scripts
New: PhishingDedupPreprocessingRule: An out-of-the-box deduplication pre-processing script based on a machine learning algorithm.

Prisma Cloud Pack v1.2.4

Integrations
Prisma Cloud (RedLock): Added the Redlock.Alert.AlertRules output to the redlock-get-alert-details command, which lists the names of the alert rules that triggered the alert.

QueryAI Pack v1.0.2 (Partner Supported)

Integrations
Query.AI: Updated the Request Timeout field.
QueryAI_description.md: Documentation and metadata improvements.

Red Canary Pack v1.0.4

Integrations
Red Canary: Fixed an issue where the redcanary-get-detection command would cause a timeout.

SafeBreach - Breach and Attack Simulation platform Pack v1.0.7 (Partner Supported)

Integrations
SafeBreach v2:
- Maintenance and stability enhancements.
- Fixed an issue where test-module failed with an SSL issue even when Trust any certificate is enabled.
- Updated the Docker image.

ServiceNow Pack v1.3.0

Classifiers
ServiceNow - Incoming Mapper:
- Fixed an issue where the date format was incorrect.
- Updated the classifier with the new integration parameters.

ServiceNow v2: Added the following integration parameters.
- Incident Mirroring Direction
- File Entry Tag
- Work Note Entry Tag
- Comment Entry Tag

Integrations
ServiceNow v2:
- Maintenance and stability enhancements.
- Fixed a minor bug in the servicenow-create-ticket command.

Layouts
Fixed a typo in the tab name.
Sixgill Darkfeed - Core Edition Pack v1.1.4 (Partner Supported)

Integrations
Sixgill DarkFeed Threat Intelligence:
- Added support for additional sub-feeds with a larger variety of IOCs from the underground.
- Updated the connector.

Scripts
SearchIndicators: Maintenance and stability enhancements.

SplunkPy Pack v1.2.1

Integrations
SplunkPy: Added a validation for the HEC URL and HEC tokens in the test function.

Scripts
SplunkPySearch: Maintenance and stability enhancements.

Tanium Pack v1.0.3

Integrations
Tanium v2: Updated the tn-ask-question command to automatically parse parameters from question text.

ThreatConnect Pack v2.0.8

Integrations
ThreatConnect v2:
- Added support for fetching indicators from multiple owners.
- The DBotScore calculation now works as expected.

ThreatQ Pack v1.0.5 (Partner Supported)

Integrations
ThreatQ v2:
- Added Content-Type to request headers.
- Updated the Docker image.

TruSTAR Pack v2.1.0 (Partner Supported)

Integrations
TruSTAR v2:
- Added support for multiple new filtering arguments to the trustar-search-indicators and the trustar-search-reports commands.
- Added the redact argument to the trustar-submit-report command, which gives users the option to redact a report before submission.
- Fixed an issue where the trustar-get-phishing-submissions and the trustar-get-phishing-indicators commands did not work due to changes in the TruSTAR API.
- Added support for the limit argument in the trustar-get-phishing-submissions and the trustar-get-phishing-indicators commands.

Whois Pack v1.1.5

Integrations
Whois: Maintenance and stability enhancements.

Yara Pack v1.0.1

Scripts
YaraScan: Maintenance and stability enhancements.

Zscaler Pack v1.0.4

Integrations
Zscaler: Fixed an issue where URLs were sent to the Zscaler server with the protocol prefix.

illuminate Pack v1.0.2 (Partner Supported)

Integrations
illuminate: Updated the Content Pack support information.

urlscan.io Pack v1.0.2

Integrations
urlscan.io:
- Fixed an issue with the submission visibility in the following commands:
  - urlscan-submit
  - urlscan-submit-url-command
- Improved the error message when the rate limit has been breached.
- Added a warning when the rate limit is 10 or less.

Assets
- Download Content Zip (Cortex XSOAR 5.5 and earlier): content_new.zip
- Download Marketplace Packs (Cortex XSOAR 6.0 and later): content_marketplace_packs.zip
- Browse the Source Code: Content Repo @ 20.9.1