Cortex XSOAR Content Release Notes for version 20.9.1 (114694)

Published on 15 September 2020

New: Azure Log Analytics Pack v1.0.0

Integrations

Azure Log Analytics (Beta)

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.

Playbooks

Azure Log Analytics - Query From Saved Search

Executes a query from a saved search in Azure Log Analytics.


New: Microsoft Cloud App Security Pack v1.0.0

Classifiers

Microsoft CAS Classifier

Classifies Microsoft CAS alerts.

Microsoft CAS

Maps incoming Microsoft CAS fields.

Integrations

Microsoft Cloud App Security

Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.


New: Palo Alto Networks IoT Pack v1.0.0

IncidentFields

  • IoT Incident URL
  • ServiceNow Record ID
  • ServiceNow Table Name

IncidentTypes

  • IoT Alert
  • IoT Vulnerability

Integrations

Palo Alto Networks IoT

The Palo Alto Networks IoT security (previously Zingbox) integration exports the alerts and vulnerabilities found in the IoT security portal to XSOAR for incident response and enrichment.

Playbooks

PANW IoT ServiceNow Tickets Check

A playbook used in a recurring job to check the ServiceNow ticket status for Palo Alto Networks IoT (previously Zingbox) alerts or vulnerabilities.

PANW IoT Incident Handling with ServiceNow

Creates a ServiceNow ticket after an incident is enriched by the Palo Alto Networks IoT security portal (previously Zingbox Cloud).

Scripts

iot-security-alert-post-processing

A post-processing script that resolves an alert in the IoT security portal using the API.

iot-security-check-servicenow

Closes an XSOAR incident when the corresponding IoT ServiceNow ticket is closed. You should run this script in a job.

iot-security-get-raci

Evaluates the Responsible (R) and Informed (I) parties for the IoT incident according to the RACI model.

iot-security-vuln-post-processing

A post-processing script that resolves a vulnerability incident in the IoT security portal using the API.


New: Security Intelligence Services Feed Pack v1.0.0 (Partner Supported)

IndicatorFields

SISCategory

Category of the indicator.

SISExpiration

Expiration time of the indicator.

SISMalwareType

Type of malware received from the feed.

SISMatchType

Match type of the indicator.

Integrations

Security Intelligence Services Feed

A PassiveTotal Security Intelligence Services feed that provides you with newly observed domains, malware, phishing, content, and scam blacklists. Supports hourly ingestion.


New: ServerLogs Pack v1.0.0

Dashboards

Server Logs

Dashboard to tail the latest server and Docker logs.

Scripts

ServerLogs

Uses the SSH integration to grab the host server logs.

ServerLogs_docker

Uses the SSH integration to grab the Docker host server logs.


New: ThreatConnect Feed Pack v1.0.0

Integrations

ThreatConnect Feed

Fetches indicators from ThreatConnect.


AWS - Security Hub Pack v1.0.2

Integrations

AWS - Security Hub

Maintenance and stability enhancements.


AlienVault OTX Pack v1.0.2

Integrations

AlienVault OTX v2

  • Updated the Docker image.
  • Fixed the file command so that it does not fail for hashes for which there is no analysis.


Amazon DynamoDB Pack v1.0.1

Integrations

Amazon DynamoDB

General documentation improvements.


ApiModules Pack v1.0.6

Scripts

MicrosoftApiModule

  • Added support for authorization to multiple resources.
  • Updated the Docker image to the latest version.


ArcSight ESM Pack v1.0.6

Integrations

ArcSight ESM v2

Increased the maximum per-fetch limit to 300. The recommended limit is 50.


Base Pack v1.3.0

Scripts

CommonServerPython

  • Maintenance and stability enhancements.
  • Added the return_results function and the CommandResults class to the Script Helper documentation.
  • Enhanced the dict_safe_get function, which now supports a nested list/dictionary and returns the type validation.
  • Added the build_number argument to the is_demisto_version_ge function and adjusted the is_versioned_context_available function accordingly.
  • Added the timeline object to the CommandResult class.

SaneDocReports

  • Fixed a trend percentage calculation issue.
  • Maintenance and stability enhancements.

New: GetIndicatorsByQuery

Returns indicators that match the defined query and exports them to a file.

DBotMLFetchData

  • Added the Created field to the collected features.
  • Maintenance and stability enhancements.

DBotPredictPhishingWords

  • Maintenance and stability enhancements.
  • Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.
  • Changed the default value of the run once parameter to true.

CommonServerPowerShell

Added the TableToMarkdown method.

DBotTrainTextClassifierV2

Fixed a typo in an error message.

DBotSuggestClassifierMapping

Maintenance and stability enhancements.

SanePdfReports

Maintenance and stability enhancements.


Blueliv ThreatCompass Pack v1.0.1

Integrations

Blueliv ThreatCompass

Documentation and metadata improvements.


CVE Search Pack v1.0.2

Scripts

cveSearch

Maintenance and stability enhancements.

cveLatest

Maintenance and stability enhancements.


Cisco Threat Grid Pack v1.1.0

Playbooks

Detonate File - ThreatGrid

Samples are now submitted as private by default.


Common Playbooks Pack v1.8.0

Playbooks

Detonate File - Generic

Fixed a bug where a change in the Detonate File - ThreatGrid inputs did not propagate to the Detonate File - Generic playbook. Detonate File - ThreatGrid now submits private samples by default.


Common Scripts Pack v1.2.41

Scripts

ParseEmailFiles

  • Fixed an issue where S/MIME .eml files were not parsed properly.
  • Fixed a bug in which a double period (..) at the start of a new line was not processed correctly according to the SMTP standard.

RunPollingCommand

Improved error handling.

SetAndHandleEmpty

The stringify and append parameters now work as expected.

LookupCSV

Added support for values that contain commas in CSV files.

JSONtoCSV

Maintenance and stability enhancements.

DeleteContext

Updated the script to execute using the DBot role.


Cortex Data Lake Pack v1.2.2

Integrations

Cortex Data Lake

  • Fixed an error with parsing of authentication responses.
  • Updated the Docker image from 1.0.0.10370 to 1.0.0.10828.


CrowdStrike Falcon Pack v1.2.0

Integrations

CrowdStrike Falcon

Updated the fetch_incidents function to be more comprehensive and to handle a high volume of incidents.


CrowdStrike FalconX Pack v1.0.2

Integrations

CrowdStrike Falcon X

  • Maintenance and stability enhancements.
  • Updated the Docker image.


Cybereason Pack v1.0.2

Integrations

Cybereason

  • Dictionary and list values are now accessed safely, so that a missing entry produces an informative error log entry.
  • Fixed filters in the cybereason-query-malops command.
  • Fixed the cybereason-query-malops and fetch-incidents commands to retrieve all Malop types.


DUO Admin Pack v2.0.2

Integrations

DUO Admin

Maintenance and stability enhancements.


Demisto REST API Pack v1.1.1

Scripts

DemistoUploadFile

Maintenance and stability enhancements.


Developer Tools Pack v1.0.1

Scripts

VerifyContextFields

Maintenance and stability enhancements.

VerifyContext

Maintenance and stability enhancements.

StringContains

Maintenance and stability enhancements.

WhileLoop

Maintenance and stability enhancements.


DomainTools Iris Pack v1.0.3 (Partner Supported)

Integrations

DomainTools Iris

Updated the Content Pack support information.


EWS Pack v1.3.0

Integrations

EWS v2

Maintenance and stability enhancements.

EWS O365

  • Added the send-mail command.
  • Maintenance and stability enhancements.


Elasticsearch Pack v1.1.1

Integrations

Elasticsearch v2

  • Added support for schema mapping per index.
  • Updated the integration Docker image to the latest version.


Elasticsearch Feed Pack v1.0.6

Integrations

Elasticsearch Feed

  • Changed the default Feed Type from Cortex XSOAR Feed to Cortex XSOAR MT Shared Feed.
  • Updated the Docker image.


Email Communication Pack v1.2.2

Layouts

A new layout for the Email Communication pack, which assists with communicating and responding to emails in the Cortex XSOAR system.


Endace Pack v1.1.1 (Partner Supported)

Playbooks

Endace Search Archive and Download

Maintenance and stability enhancements.

Endace Search Archive Download PCAP

Maintenance and stability enhancements.


Google Vault Pack v1.0.2

Integrations

Google Vault

Fixed a bug that caused excessive memory usage.


IBM QRadar Pack v1.0.9

Playbooks

QRadar - Get offense correlations

Maintenance and stability enhancements.

Scripts

QRadarFullSearch

Maintenance and stability enhancements.

QRadarGetOffenseCorrelations

Maintenance and stability enhancements.

QRadarClassifier

Maintenance and stability enhancements.

QRadarGetCorrelationLogs

Maintenance and stability enhancements.


IBM X-Force Exchange Pack v1.0.1

Integrations

IBM X-Force Exchange v2

  • Fixed an issue where the url and domain commands failed for URLs that do not exist on the server.
  • Updated the Docker image.


Infinipoint Pack v1.0.2 (Partner Supported)

Integrations

Infinipoint

  • Renamed the infinipoint-run-queries command to infinipoint-execute-action.
  • Documentation and metadata improvements.
  • Updated the integration Docker image to the latest version.


IronDefense Pack v1.1.2 (Partner Supported)

Integrations

IronDefense

Updated the Content Pack support information.


MISP Pack v1.0.3

Scripts

misp_download_sample

Maintenance and stability enhancements.

misp_upload_sample

Maintenance and stability enhancements.


Machine Learning Pack v1.2.0

Scripts

HashIncidentsFields

  • Added support for wildcards in the fieldsToHash field.
  • Added the un-populate and removeLabels arguments.

DBotPredictOutOfTheBox

Changed the name of the labelProbabilityThreshold argument to confidenceThreshold.


MailListener - POP3 (Beta) Pack v1.0.1

Integrations

MailListener - POP3 Beta

Fixed an issue where fetch-incidents failed for emails that contain special characters.


Microsoft Graph Security Pack v2.0.1

Integrations

Microsoft Graph Security

Fixed an issue in which some alerts were not being fetched.


Mimecast Pack v1.1.2

Integrations

Mimecast v2

Fixed an issue where the mimecast-get-group-members command failed if only one group existed in the context.


MongoDB Pack v1.1.0

Integrations

MongoDB

  • Fixed an issue where it was not possible to apply filters on the _id field.
  • Added the sort argument to the mongodb-query command.


OTRS Service Management XSOAR Pack v1.0.1

Integrations

OTRS

Fixed an issue where running the otrs-create-ticket and otrs-update-ticket commands with the attachment parameter failed.


PAN-OS Pack v1.6.0

Integrations

Palo Alto Networks PAN-OS

  • Added 19 commands:
    • panorama-get-licences
    • panorama-get-security-profiles
    • panorama-apply-security-profile
    • panorama-get-ssl-decryption-rules
    • panorama-get-wildfire-configuration
    • panorama-get-wildfire-best-practice
    • panorama-enforce-wildfire-best-practice
    • panorama-url-filtering-block-default-categories
    • panorama-get-anti-spyware-best-practice
    • panorama-get-file-blocking-best-practice
    • panorama-get-antivirus-best-practice
    • panorama-get-vulnerability-protection-best-practice
    • panorama-get-url-filtering-best-practice
    • panorama-create-anti-spyware-best-practice-profile
    • panorama-create-antivirus-best-practice-profile
    • panorama-create-vulnerability-best-practice-profiles
    • panorama-create-url-filtering-best-practice-profile
    • panorama-create-file-blocking-best-practice-profile
    • panorama-create-wildfire-best-practice-profile
  • Updated the Docker image to the latest tag.


PANW Comprehensive Investigation Pack v1.3.2

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Added a new playbook, which includes bug fixes for an earlier version and a new hunting sub-playbook.


PCAP Analysis Pack v2.3.3

Playbooks

PCAP Parsing And Indicator Enrichment

Fixed a typo in some fields taken from the context.

Scripts

PcapMinerV2

Fixed a bug in the SMTP extraction process.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.9

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

  • Maintenance and stability enhancements.
  • Added the HTTP Timeout parameter, which sets the timeout for HTTP requests to the Cortex XDR API.
  • Added the Maximum number of incidents per fetch integration parameter.

Playbooks

Cortex XDR - Malware Investigation

Added a check to see whether the malicious file already exists before retrieving it.

Scripts

XDRSyncScript

Added the playbook_to_run argument.


Palo Alto Networks WildFire Pack v1.2.0

Playbooks

WildFire - Detonate file

Added support for the PE file type.


PassiveTotal Pack v2.0.0 (Partner Supported)

Integrations

PassiveTotal v2

New PassiveTotal integration with enhancement scripts.

PassiveTotal

Scripts

PTEnrich (Deprecated)

Fixed an issue with the integration display and description.

RiskIQPassiveTotalComponentsScript

An enhancement script to enrich PassiveTotal components for Domain and IP indicator values.

RiskIQPassiveTotalHostPairChildrenScript

An enhancement script to enrich PassiveTotal Host Pair children for Domain and IP indicator values.

RiskIQPassiveTotalHostPairParentsScript

An enhancement script to enrich PassiveTotal Host Pair parents for Domain and IP indicator values.

RiskIQPassiveTotalPDNSScript

An enhancement script to enrich PDNS information for Domain and IP indicator values.

RiskIQPassiveTotalSSLScript

An enhancement script to enrich SSL information for email, RiskIQSHA1, and RiskIQSerialNumber indicator values.

RiskIQPassiveTotalTrackersScript

An enhancement script to enrich web tracker information for Domain and IP indicator values.

RiskIQPassiveTotalWhoisScript

An enhancement script to enrich Whois information for Domain and email indicator values.


Phishing Pack v1.10.3

Scripts

New: PhishingDedupPreprocessingRule

An out-of-the-box deduplication pre-processing script based on a machine learning algorithm.


Prisma Cloud Pack v1.2.4

Integrations

Prisma Cloud (RedLock)

Added the Redlock.Alert.AlertRules output to the redlock-get-alert-details command, which lists the names of the alert rules that triggered the alert.


QueryAI Pack v1.0.2 (Partner Supported)

Integrations

Query.AI

Updated the Request Timeout field.

QueryAI_description.md

Documentation and metadata improvements.


Red Canary Pack v1.0.4

Integrations

Red Canary

Fixed an issue where the redcanary-get-detection command would cause a timeout.


SafeBreach - Breach and Attack Simulation platform Pack v1.0.7 (Partner Supported)

Integrations

SafeBreach v2

  • Maintenance and stability enhancements.
  • Fixed an issue where test-module failed with an SSL error even when Trust any certificate is enabled.
  • Updated the Docker image.


ServiceNow Pack v1.3.0

Classifiers

ServiceNow - Incoming Mapper

  • Fixed an issue where the date format was incorrect.
  • Updated the classifier with the new integration parameters.

ServiceNow v2

Added the following integration parameters:

  • Incident Mirroring Direction
  • File Entry Tag
  • Work Note Entry Tag
  • Comment Entry Tag

Integrations

ServiceNow v2

  • Maintenance and stability enhancements.
  • Fixed a minor bug in the servicenow-create-ticket command.

Layouts

Fixed a typo in the tab name.


Sixgill Darkfeed - Core Edition Pack v1.1.4 (Partner Supported)

Integrations

Sixgill DarkFeed Threat Intelligence

  • Added support for additional sub-feeds with a larger variety of IOCs from the underground.
  • Updated the connector.

Scripts

SearchIndicators

Maintenance and stability enhancements.


SplunkPy Pack v1.2.1

Integrations

SplunkPy

Added validation of the HEC URL and HEC token in the test function.

Scripts

SplunkPySearch

Maintenance and stability enhancements.


Tanium Pack v1.0.3

Integrations

Tanium v2

Updated the tn-ask-question command to automatically parse parameters from the question text.


ThreatConnect Pack v2.0.8

Integrations

ThreatConnect v2

  • Added support for fetching indicators from multiple owners.
  • The DBotScore calculation now works as expected.


ThreatQ Pack v1.0.5 (Partner Supported)

Integrations

ThreatQ v2

  • Added Content-Type to the request headers.
  • Updated the Docker image.


TruSTAR Pack v2.1.0 (Partner Supported)

Integrations

TruSTAR v2

  • Added support for multiple new filtering arguments in the trustar-search-indicators and trustar-search-reports commands.
  • Added the redact argument to the trustar-submit-report command, which gives users the option to redact a report before submission.
  • Fixed an issue where the trustar-get-phishing-submissions and trustar-get-phishing-indicators commands did not work due to changes in the TruSTAR API.
  • Added support for the limit argument in the trustar-get-phishing-submissions and trustar-get-phishing-indicators commands.


Whois Pack v1.1.5

Integrations

Whois

Maintenance and stability enhancements.


Yara Pack v1.0.1

Scripts

YaraScan

Maintenance and stability enhancements.


Zscaler Pack v1.0.4

Integrations

Zscaler

Fixed an issue where URLs were sent to the Zscaler server with the protocol prefix.


illuminate Pack v1.0.2 (Partner Supported)

Integrations

illuminate

Updated the Content Pack support information.


urlscan.io Pack v1.0.2

Integrations

urlscan.io

  • Fixed an issue with the submission visibility in the following commands:
    • qurlscan-submit
    • urlscan-submit-url-command
  • Improved the error message when the rate limit has been breached.
  • Added a warning when the rate limit is 10 or less.

Assets