Cortex XSOAR Content Release Notes for version 20.9.1 (114694)
Published on 15 September 2020
New: Azure Log Analytics Pack v1.0.0
Integrations
Azure Log Analytics (Beta)
Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
Playbooks
Azure Log Analytics - Query From Saved Search
Executes a query from a saved search in Azure Log Analytics.
New: Microsoft Cloud App Security Pack v1.0.0
Classifiers
Microsoft CAS Classifier
Classifies Microsoft CAS Alerts.
Microsoft CAS
Maps incoming Microsoft CAS fields.
Integrations
Microsoft Cloud App Security
Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.
New: Palo Alto Networks IoT Pack v1.0.0
IncidentFields
- IoT Incident URL
- ServiceNow Record ID
- ServiceNow Table Name
IncidentTypes
- IoT Alert
- IoT Vulnerability
Integrations
Palo Alto Networks IoT
The Palo Alto Networks IoT security (previously Zingbox) integration is used for exporting the alerts and vulnerabilities found in the IoT security portal to XSOAR for incident response and enrichment.
Playbooks
PANW IoT ServiceNow Tickets Check
A playbook used in a recurring job to check the ServiceNow ticket status for the Palo Alto Networks IoT (previously Zingbox) alerts or vulnerabilities.
PANW IoT Incident Handling with ServiceNow
Creates a ServiceNow ticket after an incident is enriched by the Palo Alto Networks IoT security portal (previously Zingbox Cloud).
Scripts
iot-security-alert-post-processing
A post-processing script that resolves an alert in the IoT security portal using the API.
iot-security-check-servicenow
Closes an XSOAR incident when the corresponding IoT ServiceNow ticket is closed. You should run this script in a job.
iot-security-get-raci
The RACI model of the IoT incident used to evaluate the Responsible (R) and Informed (I) parties in the RACI model.
iot-security-vuln-post-processing
A post-processing script that resolves a vulnerability incident in the IoT security portal using the API.
New: Security Intelligence Services Feed Pack v1.0.0 (Partner Supported)
IndicatorFields
SISCategory
Category of the indicator.
SISExpiration
Expiration time of the indicator.
SISMalwareType
Type of malware received from the feed.
SISMatchType
Match type of the indicator.
Integrations
Security Intelligence Services Feed
A PassiveTotal with Security Intelligence Services Feed that provides you with newly observed domains, malware, phishing, content, and scam blacklists. Supports hourly ingestion.
New: ServerLogs Pack v1.0.0
Dashboards
Server Logs
Dashboard to tail the latest server and Docker logs.
Scripts
ServerLogs
Uses the SSH integration to grab the host server logs.
ServerLogs_docker
Uses the SSH integration to grab the Docker host server logs.
New: ThreatConnect Feed Pack v1.0.0
Integrations
ThreatConnect Feed
Fetches indicators from ThreatConnect.
AWS - Security Hub Pack v1.0.2
Integrations
AWS - Security Hub
Maintenance and stability enhancements.
AlienVault OTX Pack v1.0.2
Integrations
AlienVault OTX v2
- Updated the Docker image.
- Fixed the file command so that it does not fail for hashes for which there is no analysis.
Amazon DynamoDB Pack v1.0.1
Integrations
Amazon DynamoDB
General documentation improvements.
ApiModules Pack v1.0.6
Scripts
MicrosoftApiModule
- Added support for authorization to multiple resources.
- Updated Docker image to the latest version.
ArcSight ESM Pack v1.0.6
Integrations
ArcSight ESM v2
Increased the maximum per fetch limit to 300. The recommended limit is 50.
Base Pack v1.3.0
Scripts
CommonServerPython
- Maintenance and stability enhancements.
- Added the return_results function and the CommandResults class to the Script Helper documentation.
- Enhanced the dict_safe_get function, which now supports a nested list/dictionary and returns the type validation.
- Added the build_number argument to the is_demisto_version_ge function and adjusted the is_versioned_context_available function accordingly.
- Added the timeline object to the CommandResult class.
SaneDocReports
- Fixed a trend percentage calculation issue.
- Maintenance and stability enhancements.
New: GetIndicatorsByQuery
Returns indicators that match the defined query and exports them to a file.
DBotMLFetchData
- Added the Created field to the collected features.
- Maintenance and stability enhancements.
DBotPredictPhishingWords
- Maintenance and stability enhancements.
- Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.
- Changed the default value of the run once parameter to true.
CommonServerPowerShell
Added the TableToMarkdown method.
DBotTrainTextClassifierV2
Fixed a typo in an error message.
DBotSuggestClassifierMapping
Maintenance and stability enhancements.
SanePdfReports
Maintenance and stability enhancements.
Blueliv ThreatCompass Pack v1.0.1
Integrations
Blueliv ThreatCompass
Documentation and metadata improvements.
CVE Search Pack v1.0.2
Scripts
cveSearch
Maintenance and stability enhancements.
cveLatest
Maintenance and stability enhancements.
Cisco Threat Grid Pack v1.1.0
Playbooks
Detonate File - ThreatGrid
Samples are now submitted as private by default.
Common Playbooks Pack v1.8.0
Playbooks
Detonate File - Generic
Fixed a bug where a change in the Detonate File - ThreatGrid inputs did not populate into the Detonate File - Generic playbook. Detonate File - ThreatGrid now submits private samples by default.
Common Scripts Pack v1.2.41
Scripts
ParseEmailFiles
- Fixed an issue where S/MIME .eml files were not parsed properly.
- Fixed a bug in which a double period (
..) in a new line was not processed correctly due to the SMTP standard.
RunPollingCommand
Improved error handling.
SetAndHandleEmpty
The stringify and append parameters now work as expected.
LookupCSV
Added support for values that contain commas in CSV files.
JSONtoCSV
Maintenance and stability enhancements.
DeleteContext
Updated the script to execute using the DBot role.
Cortex Data Lake Pack v1.2.2
Integrations
Cortex Data Lake
- Fixed an error with parsing of authentication responses.
- Updated the Docker image from 1.0.0.10370 to 1.0.0.10828.
CrowdStrike Falcon Pack v1.2.0
Integrations
CrowdStrike Falcon
Updated the fetch_incidents function to be more comprehensive and handle a high volume of incidents.
CrowdStrike FalconX Pack v1.0.2
Integrations
CrowdStrike Falcon X
- Maintenance and stability enhancements.
- Updated the Docker image.
Cybereason Pack v1.0.2
Integrations
Cybereason
- Enhanced access to the dictionary/list. Accesses the dictionary and list in a safe manner in order to produce an informative error log entry, if it exists.
- Fixed filters in the cybereason-query-malops command.
- Fixed the cybereason-query-malops and fetch-incidents commands to retrieve all Malop types.
DUO Admin Pack v2.0.2
Integrations
DUO Admin
Maintenance and stability enhancements.
Demisto REST API Pack v1.1.1
Scripts
DemistoUploadFile
Maintenance and stability enhancements.
Developer Tools Pack v1.0.1
Scripts
VerifyContextFields
Maintenance and stability enhancements.
VerifyContext
Maintenance and stability enhancements.
StringContains
Maintenance and stability enhancements.
WhileLoop
Maintenance and stability enhancements.
DomainTools Iris Pack v1.0.3 (Partner Supported)
Integrations
DomainTools Iris
Updated the Content Pack support information.
EWS Pack v1.3.0
Integrations
EWS v2
Maintenance and stability enhancements.
EWS O365
- Added the send-mail command.
- Maintenance and stability enhancements.
Elasticsearch Pack v1.1.1
Integrations
Elasticsearch v2
- Added support for schema mapping per index.
- Updated the integration Docker image to the latest version.
Elasticsearch Feed Pack v1.0.6
Integrations
Elasticsearch Feed
- Changed the default Feed Type from Cortex XSOAR Feed to Cortex XSOAR MT Shared Feed.
- Updated the Docker image.
Email Communication Pack v1.2.2
Layouts
A new layout for the Email Communication pack, which assists with communicating and responding to emails in the Cortex XSOAR system.
Endace Pack v1.1.1 (Partner Supported)
Playbooks
Endace Search Archive and Download
Maintenance and stability enhancements.
Endace Search Archive Download PCAP
Maintenance and stability enhancements.
Google Vault Pack v1.0.2
Integrations
Google Vault
Fixed a bug that caused excessive memory usage.
IBM QRadar Pack v1.0.9
Playbooks
QRadar - Get offense correlations
Maintenance and stability enhancements.
Scripts
QRadarFullSearch
Maintenance and stability enhancements.
QRadarGetOffenseCorrelations
Maintenance and stability enhancements.
QRadarClassifier
Maintenance and stability enhancements.
QRadarGetCorrelationLogs
Maintenance and stability enhancements.
IBM X-Force Exchange Pack v1.0.1
Integrations
IBM X-Force Exchange v2
- Fixed an issue where the url and domain commands failed for URLs that don't exist in the server.
- Updated the Docker image.
Infinipoint Pack v1.0.2 (Partner Supported)
Integrations
Infinipoint
- Updated the infinipoint-run-queries command name to infinipoint-execute-action.
- Documentation and metadata improvements.
- Updated the integration Docker image to the latest version.
IronDefense Pack v1.1.2 (Partner Supported)
Integrations
IronDefense
Updated the Content Pack support information.
MISP Pack v1.0.3
Scripts
misp_download_sample
Maintenance and stability enhancements.
misp_upload_sample
Maintenance and stability enhancements.
Machine Learning Pack v1.2.0
Scripts
HashIncidentsFields
- Added support for wildcards in the fieldsToHash field.
- Added the un-populate and removeLabels arguments.
DBotPredictOutOfTheBox
Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.
MailListener - POP3 (Beta) Pack v1.0.1
Integrations
MailListener - POP3 Beta
Fixed an issue where fetch-incidents failed for emails that contain special characters.
Microsoft Graph Security Pack v2.0.1
Integrations
Microsoft Graph Security
Fixed an issue in which some alerts were not being fetched.
Mimecast Pack v1.1.2
Integrations
Mimecast v2
Fixed an issue where the mimecast-get-group-members command failed if only one group existed in the context.
MongoDB Pack v1.1.0
Integrations
MongoDB
- Fixed an issue where it was not possible to apply filters in the _id field.
- Added the sort argument to the mongodb-query command.
OTRS Service Management XSOAR Pack Pack v1.0.1
Integrations
OTRS
Fixed an issue where running the otrs-create-ticket and otrs-update-ticket commands with the attachment parameter failed.
PAN-OS Pack v1.6.0
Integrations
Palo Alto Networks PAN-OS
Added 19 commands.
- panorama-get-licences
- panorama-get-security-profiles
- panorama-apply-security-profile
- panorama-get-ssl-decryption-rules
- panorama-get-wildfire-configuration
- panorama-get-wildfire-best-practice
- panorama-enforce-wildfire-best-practice
- panorama-url-filtering-block-default-categories
- panorama-get-anti-spyware-best-practice
- panorama-get-file-blocking-best-practice
- panorama-get-antivirus-best-practice
- panorama-get-vulnerability-protection-best-practice
- panorama-get-url-filtering-best-practice
- panorama-create-anti-spyware-best-practice-profile
- panorama-create-antivirus-best-practice-profile
- panorama-create-vulnerability-best-practice-profiles
- panorama-create-url-filtering-best-practice-profile
- panorama-create-file-blocking-best-practice-profile
- panorama-create-wildfire-best-practice-profile
Updated the Docker image to the latest tag.
PANW Comprehensive Investigation Pack v1.3.2
Playbooks
Palo Alto Networks - Endpoint Malware Investigation v3
Added a new playbook, which includes bug fixes for an earlier version and a new hunting sub-playbook.
PCAP Analysis Pack v2.3.3
Playbooks
PCAP Parsing And Indicator Enrichment
Fixed a typo in some fields taken from the context.
Scripts
PcapMinerV2
Fixed a bug in the SMTP extraction process.
Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.9
Integrations
Palo Alto Networks Cortex XDR - Investigation and Response
- Maintenance and stability enhancements.
- Added the HTTP Timeout parameter, which sets the timeout for HTTP requests to the Cortex XDR API.
- Added the Maximum number of incidents per fetch integration parameter.
Playbooks
Cortex XDR - Malware Investigation
Added a check to see if the malicious file already exists before retrieving it.
Scripts
XDRSyncScript
Added the playbook_to_run argument.
Palo Alto Networks WildFire Pack v1.2.0
Playbooks
WildFire - Detonate file
Added support for the PE file type.
PassiveTotal Pack v2.0.0 (Partner Supported)
Integrations
PassiveTotal v2
New PassiveTotal integration with enhancement scripts.
PassiveTotal
Scripts
PTEnrich (Deprecated)
Fixed an issue with the integration display and description.
RiskIQPassiveTotalComponentsScript
An enhancement script to enrich PassiveTotal components for Domain and IP indicator values.
RiskIQPassiveTotalHostPairChildrenScript
An enhancement script to enrich PassiveTotal Host Pair of children for Domain and IP indicator values.
RiskIQPassiveTotalHostPairParentsScript
An enhancement script to enrich PassiveTotal Host Pair of parents for Domain and IP indicator values.
RiskIQPassiveTotalPDNSScript
An enhancement script to enrich PDNS information for Domain and IP indicator values.
RiskIQPassiveTotalSSLScript
An enhancement script to enrich SSL information for email, RiskIQSHA1, and RiskIQSerialNumber indicator values.
RiskIQPassiveTotalTrackersScript
An enhancement script to enrich web trackers information for Domain and IP indicator values.
RiskIQPassiveTotalWhoisScript
An enhancement script to enrich Whois information for Domain and email indicator values.
Phishing Pack v1.10.3
Scripts
New: PhishingDedupPreprocessingRule
An out-of-the-box, deduplication pre-processing script based on a machine learning algorithm.
Prisma Cloud Pack v1.2.4
Integrations
Prisma Cloud (RedLock)
Added the Redlock.Alert.AlertRules output to the redlock-get-alert-details command, which lists the names of the alert rules that triggered the alert.
QueryAI Pack v1.0.2 (Partner Supported)
Integrations
Query.AI
Updated the Request Timeout field.
QueryAI_description.md
Documentation and metadata improvements.
Red Canary Pack v1.0.4
Integrations
Red Canary
Fixed an issue where the redcanary-get-detection command would cause a timeout.
SafeBreach - Breach and Attack Simulation platform Pack v1.0.7 (Partner Supported)
Integrations
SafeBreach v2
- Maintenance and stability enhancements.
- Fixed an issue where test-module failed with an SSL issue even when Trust any certificate is enabled.
- Updated the Docker image.
ServiceNow Pack v1.3.0
Classifiers
ServiceNow - Incoming Mapper
- Fixed an issue where the date format was incorrect.
- Updated the classifier with the new integration parameters.
ServiceNow v2
Added the following integration parameters.
- Incident Mirroring Direction
- File Entry Tag
- Work Note Entry Tag
- Comment Entry Tag
Integrations
ServiceNow v2
- Maintenance and stability enhancements.
- Fixed a minor bug in the servicenow-create-ticket command.
Layouts
Fixed a typo in the tab name.
Sixgill Darkfeed - Core Edition Pack v1.1.4 (Partner Supported)
Integrations
Sixgill DarkFeed Threat Intelligence
- Added support for additional sub-feeds with a larger variety of IOCs from the underground.
- Updated the connector.
Script
SearchIndicators
Maintenance and stability enhancements.
SplunkPy Pack v1.2.1
Integrations
SplunkPy
Added a validation for HEC URL and HEC tokens in the test function.
Scripts
SplunkPySearch
Maintenance and stability enhancements.
Tanium Pack v1.0.3
Integrations
Tanium v2
Updated the tn-ask-question command to automatically parse parameters from question text.
ThreatConnect Pack v2.0.8
Integrations
ThreatConnect v2
- Added support for fetching indicators from multiple owners.
- The DBotScore calculation now works as expected.
ThreatQ Pack v1.0.5 (Partner Supported)
Integrations
ThreatQ v2
- Added Content-Type to request headers.
- Updated the Docker image.
TruSTAR Pack v2.1.0 (Partner Supported)
Integrations
TruSTAR v2
- Added support for multiple new filtering arguments to the trustar-search-indicators and the trustar-search-reports commands.
- Added the redact argument to the trustar-submit-report command, which gives users the option to redact a report before submission.
- Fixed an issue where the trustar-get-phishing-submissions and the trustar-get-phishing-indicators commands did not work due to changes in the TruSTAR API.
- Added support for the limit argument in the trustar-get-phishing-submissions and the trustar-get-phishing-indicators commands.
Whois Pack v1.1.5
Integrations
Whois
Maintenance and stability enhancements.
Yara Pack v1.0.1
Scripts
YaraScan
Maintenance and stability enhancements.
Zscaler Pack v1.0.4
Integrations
Zscaler
Fixed an issue where URLs were sent to the Zscaler server with the protocol prefix.
illuminate Pack v1.0.2 (Partner Supported)
Integrations
illuminate
Updated the Content Pack support information.
urlscan.io Pack v1.0.2
Integrations
urlscan.io
- Fixed an issue with the submission visibility in the following commands.
- qurlscan-submit.
- urlscan-submit-url-command.
- Improved the error message when the rate limit has been breached.
- Added a warning when the rate limit is 10 or less.
Assets
- Download Content Zip (Cortex XSOAR 5.5 and earlier): content_new.zip
- Download Marketplace Packs (Cortex XSOAR 6.0 and later): content_marketplace_packs.zip
- Browse the Source Code: Content Repo @ 20.9.1