Cortex XSOAR Content Release Notes for version 21.1.0 (242690)

Published on 05 January 2021

Breaking Changes

The following packs include breaking changes.

New: Azure Network Security Groups Pack v1.0.0

Integrations

Azure Network Security Groups

Azure network security groups are used to filter network traffic to and from Azure resources in an Azure virtual network.


New: Azure WAF Pack v1.0.0

Integrations

Azure Web Application Firewall

The Azure WAF (Web Application Firewall) integration provides centralized protection of your web applications from common exploits and vulnerabilities. It enables you to control policies that are configured in the Azure Firewall management platform, and allows you to add, delete, or update policies, and also to get details of a specific policy or a list of policies.


New: BitcoinAbuse Pack v1.0.0

Integrations

BitcoinAbuse

Use the Bitcoin Abuse integration to access a public database of bitcoin addresses used by scammers, hackers, and criminals.


New: CloudShare Pack v1.0.2 (Community Contributed)

Integrations

CloudShare (Beta)

Cloudshare allows XSOAR to perform a subset of the actions that can be done on the web UI application: creating environments, checking environments’ statuses, taking snapshots of environments, and issuing invitations enabling users to access environments.


New: Expanse v2 Pack v1.0.0

The Expanse Content Pack for Cortex XSOAR provides full coverage of the Expander and Behavior product capabilities from Expanse to allow SOCs to automate the defense of their company's attack surface.

Classifiers

  • ExpanseV2 - Classifier
  • ExpanseV2 - Incoming Mapper

Dashboards

  • Expanse Incidents
  • Expanse Perimeter

Incident Fields

  • Expanse Activity Status
  • Expanse Asset
  • Expanse Asset Organization Unit
  • Expanse Asset Owner
  • Expanse Assignee
  • Expanse Business Units
  • Expanse Category
  • Expanse Certificate
  • Expanse Created
  • Expanse Domain
  • Expanse Geolocation
  • Expanse IP
  • Expanse Initial Evidence
  • Expanse Issue ID
  • Expanse Issue Type
  • Expanse ML Features
  • Expanse Modified
  • Expanse Port
  • Expanse Priority
  • Expanse Progress Status
  • Expanse Protocol
  • Expanse Provider
  • Expanse Region
  • Expanse Service
  • Expanse Shadow IT
  • Expanse Tags

Incident Types

Expanse Issue

Indicator Fields

  • Expanse Asset Type
  • Expanse Business Units
  • Expanse Certificate Advertisement Status
  • Expanse Date Added
  • Expanse Dns Resolution Status
  • Expanse Domain
  • Expanse First Observed
  • Expanse Last Observed
  • Expanse Properties
  • Expanse Provider Name
  • Expanse Service Status
  • Expanse Source Domain
  • Expanse Tags
  • Expanse Tenant Name
  • Expanse Type

Integrations

Expanse v2

The Expanse v2 integration for Cortex XSOAR leverages the Expander API to create incidents from Expanse issues. It also leverages Expanse's unparalleled view of the Internet to enrich IP addresses, domains, and certificates using information from assets discovered by Expanse Expander and risky flows detected by Expanse Behavior.

Expanse Expander Feed

Use this feed to retrieve the discovered IP addresses, domains, and certificates from the Expanse Expander asset database.

Layouts

  • Expanse Certificate Indicator Layout (from Cortex XSOAR version 6.0.0)
  • Expanse Issue Layout (from Cortex XSOAR version 6.0.0)

Playbooks

Expanse Attribution

Sub-playbook for the Handle Expanse Incident playbook. Given an Expanse issue IP address, issue provider, issue domain, issue port, and issue protocol, it hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, and Panorama. It returns a list of potential owner business units, owner users, devices, and notes.

Expanse Enrich Cloud Assets

Sub-playbook for the Handle Expanse Incident playbook. It enriches public cloud assets (i.e., IP addresses and FQDNs) by:

  • Searching the corresponding region and service by correlating the provided IP addresses with IP range feeds retrieved from public cloud providers. (It requires TIM and Public Cloud feeds such as AWS Feed integrations to be enabled).
  • Searching IP addresses and FQDNs in the Prisma Cloud inventory (requires Prisma Cloud).

Expanse Find Cloud IP Address Region and Service

Sub-playbook for the Expanse Enrich Cloud Assets sub-playbook. Used to find the corresponding public cloud region (e.g., AWS us-east-1) and service (e.g., AWS EC2) for a provided IP address. It works by correlating the provided IP address with the IP range indicators (CIDRs) that can be collected from public cloud feeds (e.g., AWS Feed) in Cortex XSOAR. CIDR indicators must be tagged properly using the corresponding tags (e.g., AWS for AWS Feed). Tags can be configured in the feed integrations and must match the ones provided in the inputs of this playbook. Correlation is done based on the longest match (e.g., a smaller CIDR such as a /20 wins over a larger one such as a /16).

Expanse Load-Create List

Sub-playbook to support the Expanse Handle Incident playbook. Loads a list to be used in the Expanse playbook. Creates the list if it does not exist.

Extract and Enrich Expanse Indicators

Sub-playbook for the Handle Expanse Incident playbook. Extracts and enriches indicators (CIDRs, IP, Certificates, Domains, and DomainGlobs) from Expanse incidents. Enrichment is performed via the enrichIndicators command and generic playbooks. Returns the enriched indicators.

Handle Expanse Incident

Main playbook to handle Expanse incidents.

There are several phases:

  1. Enrichment: All the related information from the incident is extracted and related indicators (types IP, CIDR, Domain, DomainGlob, and Certificate) are created and enriched.
  2. Validation: The located IP address and FQDN are correlated with the information available in other products:
    • Risky or non-compliant communications to and from the IP address with external IP addresses as flagged in Expanse's behavior.
    • Firewall logs from Cortex Data Lake, Panorama, and Splunk.
    • User information from Active Directory.
    • Public IP address from AWS/GCP/Azure public IP feeds to identify the public cloud region and service (e.g., us-west-1 on AWS EC2).
    • IP address and FQDN from Prisma Cloud inventory.
  3. Shadow IT check: Based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (e.g., there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated with the company).
  4. Attribution: Based on the information collected above, the analyst is prompted to assign this issue to an organization unit, that is a group within the company with a specific owner. The analyst can choose from existing organization units (stored in an XSOAR list) or define a new one.
  5. Response: Depending on the issue type, several remediation actions can be automatically and manually performed, such as:
    • Tagging the asset in Expanse with a specific organization unit tag.
    • Blocking the service on PAN-OS (if a firewall is deployed in front of the service).
    • Creating a new Shadow IT issue (if the asset is detected to be Shadow IT and the analyst confirms it).
    • Adding the service to a vulnerability management system.
    • Linking the incident to a related Prisma Cloud alert for the asset (if the asset is found under Prisma Cloud inventory).

Handle Expanse Incident - Attribution Only

Shorter version of the Handle Expanse Incident playbook with only the Attribution part.

There are several phases:

  1. Enrichment: All the related information from the incident is extracted and related indicators (types IP, CIDR, Domain, DomainGlob, and Certificate) are created and enriched.
  2. Validation: The located IP address and FQDN are correlated with the information available in other products:
    • Risky or non-compliant communications to and from the IP address with external IP addresses as flagged in Expanse's behavior.
    • Firewall logs from Cortex Data Lake, Panorama, and Splunk.
    • User information from Active Directory.
    • Public IP address from AWS/GCP/Azure public IP feeds to identify the public cloud region and service (e.g., us-west-1 on AWS EC2).
    • IP address and FQDN from Prisma Cloud inventory.
  3. Shadow IT check: Based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (e.g., there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated with the company).
  4. Attribution: Based on the information collected above, the analyst is prompted to assign this issue to an organization unit, that is a group within the company with a specific owner. The analyst can choose from existing organization units (stored in an XSOAR list) or define a new one.

Scripts

ExpanseAggregateAttributionDevice

Aggregates entries from multiple sources into AttributionDevice.

ExpanseAggregateAttributionIP

Aggregates entries from multiple sources into AttributionIP.

ExpanseAggregateAttributionUser

Aggregates entries from multiple sources into AttributionUser.

ExpanseEnrichAttribution

Enriches context generated by the ExpanseAggregateAttribution scripts with additional details.

ExpanseEvidenceDynamicSection

Dynamic section script used in the Expanse Issue layout to display the latest evidence structure.

ExpanseGenerateIssueMapWidgetScript

This widget script generates a map of the open Expanse Issue incidents whose provider is on-prem. The map is generated as a static PNG file embedded in Markdown.

ExpansePrintSuggestions

Generates and prints a report in Markdown format containing useful suggestions for the analyst to attribute an Expanse issue to an owner.

ExpanseRefreshIssueAssets

Script to refresh tags and attribution reasons of assets inside an Expanse issue. The script should be used inside the Expanse Issue incident context.

MatchIPinCIDRIndicators

Matches the provided IP address against all indicators of type CIDR that carry the provided tags and returns the longest match.
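The longest-match correlation described for the Expanse Find Cloud IP Address Region and Service sub-playbook and the MatchIPinCIDRIndicators script, as an added illustration that is not the pack's own code. The indicator records (with `value`, `tags`, `region` and `service` keys) are constructed sample data, and the rule that an indicator qualifies when it carries at least one of the requested tags is an assumption of this example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample of CIDR indicators, shaped like what public-cloud feeds
# (AWS Feed, GCP, Azure) would create in TIM. Field names are an assumption
# for this example, not the XSOAR indicator schema.
CIDR_INDICATORS: List[Dict] = [
    {"value": "203.0.113.0/24", "tags": ["AWS"], "region": "us-west-1", "service": "AMAZON"},
    {"value": "203.0.113.64/26", "tags": ["AWS"], "region": "us-west-1", "service": "EC2"},
    {"value": "198.51.100.0/24", "tags": ["GCP"], "region": "us-central1", "service": "Google Cloud"},
    {"value": "2001:db8::/32", "tags": ["Azure"], "region": "westeurope", "service": "AzureCloud"},
    {"value": "not-a-cidr", "tags": ["AWS"], "region": "n/a", "service": "n/a"},  # malformed, must be skipped
]


def match_ip_in_cidr_indicators(ip: str, indicators: Iterable[Dict], tags: Iterable[str]) -> Optional[Dict]:
    """Return the CIDR indicator with the longest prefix that contains `ip`.

    Only indicators carrying at least one of `tags` are considered (assumption).
    Malformed CIDR values and address-family mismatches are skipped rather than
    raised, so one bad feed entry cannot break attribution. Ties on prefix
    length keep the first indicator seen.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # not an IP address at all
    wanted = set(tags)
    best: Optional[Dict] = None
    best_len = -1
    for ind in indicators:
        if wanted and not wanted.intersection(ind.get("tags", [])):
            continue
        try:
            net = ipaddress.ip_network(ind["value"], strict=False)
        except (KeyError, ValueError):
            continue
        if net.version != addr.version or addr not in net:
            continue
        if net.prefixlen > best_len:  # longest prefix wins (/26 beats /24)
            best, best_len = ind, net.prefixlen
    return best


def find_region_and_service(ip: str, indicators: Iterable[Dict], tags: Iterable[str]) -> Optional[Dict]:
    """Reduce the best match to the region/service pair the playbook reports."""
    match = match_ip_in_cidr_indicators(ip, indicators, tags)
    if match is None:
        return None
    return {"cidr": match["value"], "region": match.get("region"), "service": match.get("service")}


if __name__ == "__main__":
    for probe in ("203.0.113.70", "203.0.113.5", "198.51.100.9", "2001:db8:1::1"):
        print(probe, "->", find_region_and_service(probe, CIDR_INDICATORS, ["AWS", "Azure"]))
```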

Widgets

Expanse Active Certificates by BU
Expanse Active Certificates by BU with Active Service
Expanse Active Domain with Bad/Suspicious Reputation
Expanse Active Domains by BU
Expanse Active Domains by BU with Active Service
Expanse Active Expired Certificates by BU
Expanse Active Public IP with Bad/Suspicious Reputation
Expanse Active public IPs per BU
Expanse Confirmed Shadow IT Assets
Expanse Incidents On Non Standard Ports
Expanse Map
Expanse New Certificates by BU
Expanse New Domains by BU
Expanse New public IPs per BU
Expanse Open Incidents
Expanse Open Incidents By Organization Unit
Expanse Open Incidents By Severity
Expanse Open Incidents By Type
Expanse Open Incidents Pending Attribution
Expanse Open Incidents With Attribution
Expanse Open Incidents With High / Critical Severity
Expanse Open Incidents by Business Unit
Expanse Open Incidents on AWS By Region
Expanse Open Incidents on Azure By Region
Expanse Open Incidents on GCP By Region

New: Hello IAM World Pack v1.0.0

Classifiers

User Profile - HelloIAMWorld (Incoming)

Maps user data to User Profile data.

User Profile - HelloIAMWorld (Outgoing)

Maps User Profile data to the HelloIAMWorld user data.

Integrations

Hello IAM World

An Identity and Access Management integration template.


New: MapRegex Pack v1.0.0 (Community Contributed)

Scripts

MapRegex

This transformer takes in a value and transforms it based on multiple regular expressions defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be:

"desired outcome": "regex to match"

For example:

{ "Match 1": ".match 1.", "Match 2": ".match 2.", "Catch all": ".*" }

The transformer matches in order of the dictionary entries.
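An ordered regex mapping of the kind described above, as an added example that is not the MapRegex script itself. The mapping JSON is the one shown in the text; the function names and the decision to raise on an invalid pattern are assumptions of this example.

```python
import json
import re
from typing import Any, Optional

# The dictionary from the pack description: "desired outcome": "regex to match".
# Note that ".match 1." requires one arbitrary character on each side of "match 1".
MAPPING_JSON = '{ "Match 1": ".match 1.", "Match 2": ".match 2.", "Catch all": ".*" }'


def map_regex(value: Any, mapping_json: str) -> Optional[str]:
    """Return the first key whose regex matches `value`, honouring dictionary order.

    json.loads keeps the key order of the document, so entries are tried in the
    order written. An invalid regex is reported with its key rather than being
    silently skipped (assumption), because a skipped entry would change which
    outcome wins without any visible error.
    """
    mapping = json.loads(mapping_json)
    text = value if isinstance(value, str) else json.dumps(value)
    for outcome, pattern in mapping.items():
        try:
            if re.search(pattern, text):
                return outcome
        except re.error as exc:
            raise ValueError(f"invalid regex for key {outcome!r}: {exc}") from exc
    return None  # no entry matched and no catch-all was defined


if __name__ == "__main__":
    for sample in ("xmatch 1y", "match 1", "  match 2!", "amatch 1 match 2b"):
        print(repr(sample), "->", map_regex(sample, MAPPING_JSON))
```

The second probe shows why the surrounding dots matter: the bare string "match 1" does not satisfy `.match 1.` and falls through to "Catch all".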


New: MobileIron-UEM Pack v1.0.0 (Partner Supported)

With MobileIron, organizations can quickly and easily onboard devices and provision them over the air with all of the apps, settings, and security configurations needed to protect any iOS, macOS, Android, and Windows 10 endpoint across your digital workplace. MobileIron’s zero trust approach ensures that only authorized users, devices, apps, and services can access business resources. Users enjoy a seamless and productive experience during enrollment and the single console enables IT administrators to reduce the complexity and cost of managing a fleet of endpoints.

Classifiers

MobileIron Incident Incoming Mapper

Incoming mapper for the MobileIron UEM integration.

Incident Fields

  • MobileIron Compliance State
  • MobileIron Device Alt Serial Number
  • MobileIron Device ID
  • MobileIron Device Owner
  • MobileIron Device Registration Status
  • MobileIron Device Registration Timestamp
  • MobileIron Device Serial Number
  • MobileIron Device UDID
  • MobileIron Device UUID
  • MobileIron Device User ID
  • MobileIron IMEI
  • MobileIron IMSI
  • MobileIron Is Device Jailbroken?
  • MobileIron Is Device Quarantined?
  • MobileIron Last Check-in Timestamp
  • MobileIron Manufacturer
  • MobileIron Platform
  • MobileIron Security State
  • MobileIron User Email Address

Incident Types

  • MobileIron Cloud Device Incident
  • MobileIron Core Device Incident

Integrations

MobileIronCLOUD

MobileIron Cloud is the SaaS variant of the MobileIron UEM solution. This integration interacts with the MobileIron CLOUD APIs to provide device and device-related incident information. It features:

  • Commands to fetch device data based on certain common attributes such as WiFi, MAC address, device UUID, serial number, and IP address.
  • An option to fetch device data using custom queries written in the MobileIron API Query DSL.
  • Commands to execute device specific actions such as retire, wipe, send message, etc.
  • Ability to fetch and create incidents based on device data contained within MobileIron.
  • Sample playbooks demonstrating how remediation actions can be set up to respond to device incidents.
  • Custom layout and incident mapper to better show the relevant data when fetching incidents.

MobileIronCORE

MobileIron Core is the on-premise variant of the MobileIron UEM solution. This integration interacts with the MobileIron CORE APIs to provide device and device-related incident information. It features:

  • Commands to fetch device data based on certain common attributes such as WiFi, MAC address, device UUID, serial number, and IP address.
  • An option to fetch device data using custom queries written in the MobileIron API Query DSL.
  • Commands to execute device specific actions such as retire, wipe, send message, etc.
  • Ability to fetch and create incidents based on device data contained within MobileIron.
  • Sample playbooks demonstrating how remediation actions can be set up to respond to device incidents.
  • Custom layout and incident mapper to better show the relevant data when fetching incidents.

Layouts

MobileIron Incident Layout (from Cortex XSOAR version 6.0.0)

Playbooks

MobileIron Cloud Incident Action Playbook

The playbook is triggered when an incident related to a MobileIron Cloud managed device is reported. Based on the data inside the incident that contains the complete device information, an admin can decide to call a specific MobileIron UEM action for that particular device.

MobileIron Core Incident Action Playbook

The playbook is triggered when an incident related to a MobileIron Core managed device is reported. Based on the data inside the incident that contains the complete device information, an admin can decide to call a specific MobileIron UEM action for that particular device.


New: Multi-Tenant Performance Pack v1.0.0

Dashboards

HA Groups - Health
Hosts - health

Widgets

Average Docker Container Count per HA Group

The average number of Docker containers used per HA group.

Average Docker Container Count per HA Group (last 24h)

The average number of Docker containers used per HA group in the last 24 hours.

Average CPU Usage per HA Group

The average percentage of CPU usage per HA group.

Average CPU Usage per HA Group (last 24h)

The average percentage of CPU usage per HA group in the last 24 hours.

Average Disk Usage per HA Group

The average percentage of disk usage per HA group.

Average Disk Usage per HA Group (last 24h)

The average percentage of disk usage per HA group in the last 24 hours.

Average Memory Usage per HA Group

The average percentage of memory usage per HA group.

Average Memory Usage per HA Group (last 24h)

The average percentage of memory usage per HA group in the last 24 hours.

Docker Container Count per Host

The number of Docker containers used per host.

Docker Container Count per Host (last 24h)

The number of Docker containers used per host in the last 24 hours.

CPU Usage per Host

Percentage of CPU usage per host.

CPU Usage per Host (last 24h)

Percentage of CPU usage per host in the last 24 hours.

Disk Usage per Host

Percentage of disk usage per host.

Disk Usage per Host (last 24h)

Percentage of disk usage per host in the last 24 hours.

Memory Usage per Host

Percentage of memory usage per host.

Memory Usage per Host (last 24h)

Percentage of memory usage per host in the last 24 hours.


New: Rapid7 InsightIDR Pack v1.0.0

Classifiers

Rapid7 InsightIDR - Classifier

Classifies Rapid7 InsightIDR incidents.

Rapid7 InsightIDR - Incoming Mapper

Maps incoming InsightIDR alert fields.

Incident Types

Rapid7 InsightIDR Alert

Integrations

Rapid7 InsightIDR

Rapid7 InsightIDR is a cloud-based SIEM that detects and responds to security incidents.

Layouts

Rapid7 InsightIDR - Layout (from Cortex XSOAR version 6.0.0)


New: Shadow IT Pack v1.0.0

Incident Fields

  • Shadow IT Account Owner Email
  • Shadow IT Account Owner Name
  • Shadow IT Billed To Corp
  • Shadow IT Certificate
  • Shadow IT Cloud Account ID
  • Shadow IT Cloud Account Type
  • Shadow IT FQDN
  • Shadow IT IP
  • Shadow IT OU Contact Email
  • Shadow IT OU Contact Name
  • Shadow IT Organizational Unit
  • Shadow IT Port
  • Shadow IT Provider
  • Shadow IT Region
  • Shadow IT Risk
  • Shadow IT Sanctioned Service
  • Shadow IT Sensitive Data
  • Shadow IT Service
  • Shadow IT Service Purpose
  • Shadow IT Source
  • Shadow IT User Suggestions

Incident Types

Shadow IT

Layouts

Shadow IT Incident (from Cortex XSOAR version 6.0.0)

Playbooks

Handle Shadow IT Incident

This playbook is used to handle a Shadow IT incident. A Shadow IT incident occurs when a resource attributed to the organization is found that is neither sanctioned by IT nor protected by the InfoSec team.

This playbook handles the incident by helping the analyst to find the owner of the resource based on existing evidence. The playbook also marks the service indicators (IP or FQDN) with a Shadow IT tag. The possible owner and their manager are notified and onboarding of the asset on Prisma Cloud is triggered through a manual process.


New: Starter Pack Pack v1.0.0 (Community Contributed)

Starter Pack for learning how to build new content in Cortex XSOAR.


New: Twinwave Pack v1.0.0 (Partner Supported)

Integrations

Twinwave

Stealth mode cybersecurity startup.


New: mnemonic MDR Pack v1.0.0 (Partner Supported)

Classifiers

mnemonicMDR
Argus Case Classifier
Argus Case Mapper

Incident Fields

  • Argus Attachment ID
  • Argus Case Category
  • Argus Case ID
  • Argus Case Service
  • Argus Case Type
  • Argus Comment ID
  • Argus Customer ID
  • Argus Event ID
  • Argus Event Type
  • Argus Tag ID

Incident Types

Argus Case

Integrations

mnemonic MDR - Argus Managed Defence

Rapidly detect, analyze, and respond to security threats with mnemonic’s leading Managed Detection and Response (MDR) service.

Layouts

Argus Case - Summary

Playbooks

Pull Case Metadata - Argus Managed Defence

Pulls metadata, attachments, comments, tags, and events related to the Argus case for later use.


AWS - Lambda Pack v1.1.0

Integrations

AWS - Lambda
  • Added the timeout and retries configuration options (also available for the aws-lambda-invoke command).
  • Fixed the log output when invoking a function with the logType=Tail argument.
  • Treats the payload argument of the aws-lambda-invoke command as a JSON-encoded string if it is a string starting with the characters { or [. For example: {"input":"test"}.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.14959.


Active Directory Query Pack v1.1.1

Integrations

Active Directory Query v2

Maintenance and stability enhancements.


AlienVault Feed Pack v1.0.9

Integrations

AlienVault Reputation Feed

Added functionality in CSVApiModule, which is used by AlienVault Reputation Feed.


AutoFocus Pack v1.1.12

Integrations

Palo Alto Networks AutoFocus v2
  • Fixed an issue where the domain command would fail when no domain was found.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Azure Compute Pack v1.0.4

Integrations

Azure Compute v2

Added the optional integration authentication methods to the detailed description.


Azure Log Analytics Pack v1.0.5

Integrations

Azure Log Analytics (Beta)
  • Improved the implementation of the test module to check the api.loganalytics.io resource.
  • Added the timeout argument to the azure-log-analytics-execute-query command.
  • Added support for auto cache update on token expiration.
  • Updated the Docker image to: demisto/crypto:1.0.0.14297.

Azure Security Center Pack v1.1.5

Integrations

Azure Security Center v2

Added the optional integration authentication methods to the detailed description.


Bambenek Consulting Feed Pack v1.0.7

Integrations

Bambenek Consulting Feed

Added functionality in CSVApiModule, which is used by Bambenek Consulting Feed.


Base Pack v1.6.1

Scripts

SanePdfReports

Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.14791.

CommonServerPython
  • Improved debug-mode logging.
  • Added the IAMUserAppData and IAMCommand classes to support generic implementation for IAM creating, reading, updating, and deleting commands.
  • Added the cURL queries which are generated from the sent HTTP requests to the debug-mode log.
DBotMLFetchData

Updated the Docker image to: demisto/fetch-data:1.0.0.14842.


BigFix Pack v1.0.3

Integrations

BigFix

Fixed an issue where the bigfix-query command was incorrectly handled in the code.


CSV Feed Pack v1.0.7

Integrations

CSV Feed

Added functionality in CSVApiModule, which is used by CSV Feed.


Carbon Black Cloud Enterprise EDR Pack v1.1.2

Integrations

VMware Carbon Black Enterprise EDR
  • Maintenance and stability enhancements.
  • Updated the Docker image from: 3.8.6.13358 to 3.8.6.14516.

Carbon Black Enterprise Live Response Pack v1.1.1

Playbooks

New: Get File Sample From Path - VMware Carbon Black EDR - Live Response API

This playbook retrieves a file from the path at the endpoint using VMware Carbon Black EDR (Live Response API). Make sure to provide the Carbon Black sensor ID of the endpoint from which you want to retrieve the file.


Carbon Black Enterprise Response Pack v1.1.3

Playbooks

New: Get the binary file from Carbon Black by its MD5 hash

This playbook retrieves a binary file by its MD5 hash from the Carbon Black telemetry data. (Available from Cortex XSOAR 5.0.0).


Chronicle Pack v1.1.4 (Partner Supported)

Incident Fields

  • Chronicle Auto Block Entities
  • Chronicle Skip Entity Isolation
  • ChronicleAsset Support Contact

Indicator Fields

  • ChronicleAsset Summary - Summarizes the event types of the events fetched for all the possible asset identifiers.

  • Chronicle Isolated Hostname - Determines if the host is isolated.

  • Chronicle Isolated IP - Determines if the IP address is isolated.

  • Chronicle Potentially Blocked IP - Determines if the IP address is potentially blocked.

  • ChronicleAssetHostname - Updates the hostname associated with the ChronicleAsset.

  • ChronicleAssetIP - Updates the IP address associated with the ChronicleAsset.

  • ChronicleAssetMAC - Updates the MAC address associated with the ChronicleAsset.

  • ChronicleAssetProductID - Updates the product ID associated with ChronicleAsset.

Indicator Types

ChronicleAsset - Added a default layout for XSOAR version 6.0.0.

Layouts

ChronicleAsset - Modified the layout for the ChronicleAsset type of indicators.

ChronicleAsset Indicator - Added a layout for the ChronicleAsset type of indicators compatible with XSOAR version 6.0.0.

Playbooks

ChronicleAssets Investigation And Remediation - Chronicle
  • Performs enrichment and investigation of the ChronicleAsset type of indicators.
  • Provides an opportunity to remediate in case any of the ChronicleAsset information, i.e., hostname or IP address, is found to be malicious or suspicious.
  • Sends an email with the list of isolated and potentially blocked entities.
ChronicleAsset Investigation - Chronicle
  • Receives indicators from its parent playbook.
  • Performs enrichment and investigation for each one of the indicators.
  • Provides an opportunity to isolate and block the hostname or IP address associated with the current indicator.
  • Provides a list of isolated and blocked entities.
  • Lists the events fetched for the asset identifier information associated with the indicator.
Hostname And IP Address Investigation And Remediation - Chronicle
  • Receives the ChronicleAsset type of indicators from its parent playbook "ChronicleAsset Investigation - Chronicle".
  • Performs enrichment and investigation for each one of the indicators.
  • Provides an opportunity to isolate and block the hostname or IP address associated with the current indicator.
  • Provides a list of isolated and blocked entities.
List Device Events - Chronicle

Receives the ChronicleAsset identifier information and provides a list of events related to each one of the identifiers.

Scripts

ChronicleAssetEventsForHostnameWidgetScript
  • Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator when its hostname is passed as an asset identifier.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ChronicleAssetEventsForIPWidgetScript
  • Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its IP address is passed as an asset identifier.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ChronicleAssetEventsForMACWidgetScript
  • Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator when its MAC address is passed as an asset identifier.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ChronicleAssetEventsForProductIDWidgetScript
  • Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator when its product ID is passed as an asset identifier.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ChronicleAssetIdentifierScript

Updated the Docker image to: demisto/python3:3.8.6.14516.

ChronicleDBotScoreWidgetScript

Updated the Docker image to: demisto/python3:3.8.6.14516.

ChronicleDomainIntelligenceSourcesWidgetScript

Updated the Docker image to: demisto/python3:3.8.6.14516.

ChronicleIsolatedHostnameWidgetScript
  • Notifies if the hostname associated with the ChronicleAsset is isolated.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ChronicleIsolatedIPWidgetScript
  • Notifies if the IP address associated with the ChronicleAsset is isolated.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ChronicleListDeviceEventsByEventTypeWidgetScript
  • Displays a pie chart of the number of events, categorized by its event type, fetched for all the identifiers of the ChronicleAsset.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ChroniclePotentiallyBlockedIPWidgetScript
  • Notifies if the IP address associated with the ChronicleAsset is potentially blocked.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.
ConvertDomainToURLs

Updated the Docker image to: demisto/python3:3.8.6.14516.

ExtractDomainFromIOCDomainMatchRes

Updated the Docker image to: demisto/python3:3.8.6.14516.

ListDeviceEventsScript

Updated the Docker image to: demisto/python3:3.8.6.14516.


Cisco ASA Pack v1.0.3

Integrations

Cisco ASA
  • Fixed an issue where the log_level argument in the cisco-asa-create-rule and the cisco-asa-edit-rule commands was not used correctly.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

CiscoFirepower Pack v1.0.2

Integrations

Cisco Firepower
  • Fixed an issue where the ciscofp-list-ise-security-group-tag command was incorrectly handled in the code.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Common Playbooks Pack v1.8.8

Playbooks

CVE Enrichment - Generic v2

Fixed bugs related to playbook inputs and commands used.

New: Search Endpoint by CVE - Generic

Hunt for assets with a given CVE using available tools.

New: Get File Sample By Hash - Generic v3
  • Returns a file sample correlating to a hash in the War Room using the following sub-playbooks:
    • Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2.
    • Get the threat (file) attached to a specific SHA256 hash - Cylance Protect v2.
  • Added file outputs to the playbook.
New: Retrieve File from Endpoint - Generic V2

Retrieves a file sample from an endpoint using the following playbooks:

  • Get File Sample From Path - Generic v2.
  • Get File Sample By Hash - Generic v3.
New: Get File Sample From Path - Generic V2

Returns a file sample correlating to a path into the War Room using the following sub-playbooks:

  • Get File Sample From Path - D2.
  • Get File Sample From Path - VMware Carbon Black EDR (Live Response API).

Common Scripts Pack v1.3.9

Scripts

URLSSLVerification

Fixed an issue where URLs containing commas were not extracted correctly.

ZipFile
  • Added the ability to zip multiple files into a single .zip file by passing a CSV list of entry IDs to the entryID argument.
  • Updated the Docker image to: demisto/python_zipfile:1.0.0.12410.
SearchIncidentsV2
  • Added the foundIncidents.incidentLink output, which is a list containing URL links to all incidents that were found.
  • Updated the Docker image from: 3.8.6.13358 to 3.8.6.14516.

CrowdStrike Falcon Pack v1.2.11

Integrations

CrowdStrike Falcon
  • Fixed an issue where an unsupported media type was sent.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

CrowdStrike Falcon Streaming Pack v1.0.15

Integrations

CrowdStrike Falcon Streaming v2
  • Improved handling of 404 Not Found errors.
  • Added the Stream client read timeout integration parameter to set the stream read timeout.
  • Added support for stored event size validation when storing sample events.

Cryptocurrency Pack v1.1.0

Indicator Fields

Abuse Type

Raw Address

Indicator Types

Cryptocurrency Address

Layouts

Cryptocurrency Address

Maintenance and stability enhancements.


CyberArk AIM Pack v1.0.3

Integrations

CyberArk AIM v2
  • Fixed an issue where fetching multiple credentials was not supported.
  • Updated the Docker image to: demisto/ntlm:1.0.0.14682.

Cylance Protect Pack v1.0.2

Playbooks

Get File Sample By Hash - Cylance Protect v2

Added file outputs to the playbook.


DomainTools Pack v1.1.0 (Partner Supported)

Integrations

DomainTools

Maintenance and stability enhancements.


DomainTools Iris Pack v1.1.0 (Partner Supported)

Integrations

DomainTools Iris

Maintenance and stability enhancements.


EWS Pack v1.6.1

Integrations

EWS O365

Added a link in the documentation to the instructions for setting the required permissions for a self-deployed app.

O365 - Security And Compliance - Content Search (beta)

Updated the search_name argument in the o365-sc-new-search command to be optional. If left empty, a name is auto-generated with the following pattern: 'XSOAR-<GUID>'.

EWS v2

Fixed an issue where an error was raised when no results were found in the ews-o365-get-compliance-search command.

Playbooks

O365 - Security And Compliance - Search Action - Delete

Added a retry mechanism to all commands in the O365 - Security And Compliance - Content Search (beta) integration due to a known limitation of 3 concurrent PSSessions.

O365 - Security And Compliance - Search Action - Preview

Added a retry mechanism to all commands in the O365 - Security And Compliance - Content Search (beta) integration due to a known limitation of 3 concurrent PSSessions.

O365 - Security And Compliance - Search

Added a retry mechanism to all commands in the O365 - Security And Compliance - Content Search (beta) integration due to a known limitation of 3 concurrent PSSessions.

O365 - Security And Compliance - Search And Delete
  • Added a retry mechanism to all commands in the O365 - Security And Compliance - Content Search (beta) integration due to a known limitation of 3 concurrent PSSessions.
  • Added a manual option to skip the delete task.

Elasticsearch Feed Pack v1.0.8

Integrations

Elasticsearch Feed
  • Improved the display name formatting of the Indicator Value Field integration parameter.
  • Updated the Docker image to: demisto/elasticsearch:1.0.0.14274.

Email Communication Pack v1.3.4

Incident Fields

Email Generated Code

Scripts

SendEmailReply
  • Updated the script to use a UUID for every new incident that is created.
  • Fixed an issue where notes added by DBot were not displayed correctly.
PreprocessEmail
  • Updated the script to use a UUID for every new incident that is created.
  • Breaking Change: To avoid performance issues, the search for related incidents is limited to 60 days.
  • Fixed the name of the XSOAR - Email Communication Days To Query list in the README.

Expanse v2 Pack v1.0.2

Integrations

Expanse v2
  • Fixed an issue where the tag parameter was not used correctly.
  • Maintenance and stability enhancements.

FireEye HX Pack v1.0.8

Integrations

FireEye HX

Improved alert parsing as part of the fetch incidents flow.


GitHub Pack v1.1.5

Integrations

GitHub IAM
  • Maintenance and stability enhancements.
  • Updated the Docker image from: 3.8.6.14516 to 3.9.1.14969.

Gmail Pack v1.1.3

Integrations

Gmail
  • Fixed an issue where the integration attempted to send requests via proxy even though the Use system proxy settings integration parameter was not checked.
  • Updated the Docker image to the latest version.

IBM QRadar Pack v1.2.7

Classifiers

QRadar - Generic Incoming Mapper

Fixed an issue where list type incident fields were not mapped correctly.

Integrations

IBM QRadar v2
  • Fixed an issue where the integration failed to fetch events because the minute queried as the start time was equal to the end time.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Illusive Networks Pack v1.0.6 (Partner Supported)

Integrations

IllusiveNetworks
  • Fixed an issue where the hostnames argument in the illusive-get-incidents command was not used correctly.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Infinipoint Pack v1.0.4 (Partner Supported)

Integrations

Infinipoint

Fixed an issue where the infinipoint-get-non-compliance command was incorrectly handled in the code.


Infoblox Pack v1.0.2

Integrations

Infoblox
  • Fixed an issue where setting the proxy configuration to True was ignored.
  • Updated the Docker image from: 3.8.3.8715 to 3.8.6.14516.

Joe Security Pack v1.0.3

Integrations

Joe Security
  • Fixed an issue where the joe-analysis-submit-sample command failed if given a file with backslashes in its name.

Kenna Pack v1.0.4

Integrations

Kenna v2
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Lacework Pack v1.0.2 (Community Contributed)

Integrations

Lacework
  • Added a Recommendation ID filter for compliance report data.
  • Added the NIST_800-171_Rev2 AWS Compliance Report option.
  • Updated the Docker image to: demisto/lacework:1.0.0.14553.

Lastline Pack v1.0.4

Integrations

Lastline v2
  • Fixed an issue where the test-module failed when no email and username were entered.
  • Improved the test-module to check for a username and password.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

MISP Pack v1.0.4

Integrations

MISP v2

Fixed an issue where the unzip argument in the misp-download-sample command was not used correctly.


Mail Listener Pack v1.0.2

Integrations

Mail Listener v2
  • Fixed an issue where in some scenarios email messages were not fetched as expected.
  • Reverted a change made in version 1.0.1 which would remove the last fetch timestamp stored in the fetch incidents flow.
  • Updated the Docker image to: demisto/imap:1.0.0.14044.

Majestic Million Feed Pack v1.0.2

Integrations

Majestic Million Feed

Added functionality in the CSVApiModule, which is used by Majestic Million Feed.


Maltiverse Pack v1.0.1

Integrations

Maltiverse
  • Removed the fullResponse argument from all commands.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Microsoft Cloud App Security Pack v1.0.13

Integrations

Microsoft Cloud App Security
  • Improved the timestamp query in order to avoid duplicates if more than one alert occurred at the same time.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Microsoft Defender for Endpoint Pack v1.2.9

Integrations

Microsoft Defender for Endpoint
  • Renamed the Microsoft Defender Advanced Threat Protection integration to Microsoft Defender for Endpoint.
  • Added the optional integration authentication methods to the detailed description.
  • Added support for auto cache update on token expiration.

Microsoft Graph Calendar Pack v1.0.5

Integrations

Microsoft Graph Calendar

Added the optional integration authentication methods to the detailed description.


Microsoft Graph Device Management Pack v1.0.5

Integrations

Microsoft Graph Device Management (Microsoft Intune)

Added the optional integration authentication methods to the detailed description.


Microsoft Graph Files Pack v1.0.4

Integrations

Microsoft Graph Files

Added the optional integration authentication methods to the detailed description.


Microsoft Graph Groups Pack v1.0.4

Integrations

Microsoft Graph Groups

Added the optional integration authentication methods to the detailed description.


Microsoft Graph Security Pack v2.0.7

Integrations

Microsoft Graph Security

Added the optional integration authentication methods to the detailed description.


Microsoft Graph User Pack v1.3.6

Integrations

Microsoft Graph User
  • Fixed an issue where using a self-deployed app failed to refresh the access tokens.
  • Updated the Docker image to: demisto/crypto:1.0.0.14297.

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.6

Integrations

Microsoft Management Activity API (O365 Azure Events)
  • Added support for auto cache update on token expiration.
  • Fixed an issue where the raw response returned from the ms-management-activity-list-content command was not filtered as expected.

PAN-OS Pack v1.6.11

Integrations

Palo Alto Networks PAN-OS
  • Fixed an issue where the panorama-get-url-category-from-cloud command would not give a meaningful error if executed without the proper license.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Playbooks

New: PAN-OS - Block Destination Service

Blocks a Destination IP and Service (TCP or UDP port) by creating a rule for a specific device group on PAN-OS.


Palo Alto Networks BPA Pack v1.2.2

Playbooks

Comprehensive PAN-OS Best Practice Assessment

Fixed a typo in the email sent from Cortex XSOAR.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.7.2

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response
  • Changed the name of the event_timestampt argument to event_timestamp in the xdr-insert-parsed-alert command.
  • Added the following context outputs:
    • xdr-get-incident-extra-data command - Added File, Process, IP and Domain data.
    • xdr-get-audit-agent-reports command - Added Endpoint data.
    • xdr-get-endpoints command - Added Account data.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Palo Alto Networks Traps Pack v1.0.3

Integrations

Palo Alto Networks Traps

Maintenance and stability enhancements.


Palo Alto Networks WildFire Pack v1.2.2

Integrations

Palo Alto Networks WildFire v2

Improved the description for the integration.


Phishing Pack v2.0.0

Scripts

New: FindDuplicateEmailIncidents

Can be used to find duplicate emails for incidents of type Phishing, including malicious, spam, and legitimate emails.

PhishingDedupPreprocessingRule

Deprecated. Use the FindDuplicateEmailIncidents script instead.


Prisma Cloud Pack v1.6.0

Playbooks

New: Prisma Cloud Correlate Alerts

Searches alerts in Prisma Cloud for a specific asset ID and, if present in XSOAR, links them.

New: Prisma Cloud - Find Public Cloud Resource by Public IP

Finds Public Cloud resources by Public IP using Prisma Cloud inventory.

New: Prisma Cloud - Find Public Cloud Resource by FQDN

Finds Public Cloud resources by FQDN using Prisma Cloud inventory.

New: Prisma Cloud - Find AWS Resource by FQDN

Finds AWS resources by FQDN using Prisma Cloud inventory.

New: Prisma Cloud - Find AWS Resource by Public IP

Finds AWS resources by Public IP using Prisma Cloud inventory.

New: Prisma Cloud - Find GCP Resource by FQDN

Finds GCP resources by FQDN using Prisma Cloud inventory.

New: Prisma Cloud - Find GCP Resource by Public IP

Finds GCP resources by Public IP using Prisma Cloud inventory.

New: Prisma Cloud - Find Azure Resource by FQDN

Finds Azure resources by FQDN using Prisma Cloud inventory.

New: Prisma Cloud - Find Azure Resource by Public IP

Finds Azure resources by Public IP using Prisma Cloud inventory.

Scripts

New: PrismaCloudAttribution

Converts outputs from the redlock-search-query commands to human readable format.


Public DNS Feed Pack v1.0.2

Integrations

Public DNS Feed
  • Fixed an issue where only IPv6 indicators were fetched.
  • Updated the Docker image to: demisto/netutils:1.0.0.14492.

QueryAI Pack v1.0.4 (Partner Supported)

Integrations

Query.AI
  • Breaking change: Replaced the API key parameter for authentication with the API token parameter.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

RSA Archer Pack v1.1.8

Integrations

RSA Archer v2
  • Fixed an issue where duplicated incidents were created by the fetch-incidents command.
  • Removed the following integration parameters as they are resolved by Cortex XSOAR:
    • Use European Time Format
    • Timezone Offset
  • Removed the fetch filter parameter which was not used.
  • Fixed an issue where the numericOperator argument in the archer-search-records command was not used correctly.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

RSS Pack v1.0.1 (Community Contributed)

Integrations

RSS
  • Breaking Change: Deleted the test-fetch-rss command, which was not implemented in the code.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Rapid Breach Response Pack v1.3.0

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook
  • Expanded IOC coverage for SolarStorm and SUNBURST.
  • Expanded hunting in network activity with Expanse.
New: FireEye Red Team Tools Investigation and Response

This playbook does the following:

  • Collects indicators to aid in your threat hunting process.
    • Retrieves IOCs of FireEye red team tools.
    • Discovers IOCs of associated activity related to the infection.
    • Generates an indicator list to block indicators with SUNBURST tags.
  • Hunts for the indicators:
    • Searches endpoints with the FireEye red team tools CVEs.
    • Searches endpoint logs for FireEye red team tools hashes.
    • Searches and links previous incidents with the FireEye hashes.
  • If compromised hosts are found, the playbook fires off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.


RecordedFuture v2 Pack v1.0.3 (Partner Supported)

Integrations

Recorded Future v2
  • Breaking Change: The following reputation commands were changed to return multiple entries (entry per indicator) instead of a single entry:
    • ip
    • domain
    • hash
    • url
  • Updated the Docker image from: 3.8.6.13358 to 3.8.6.14516.

SNDBOX Pack v1.0.2

Integrations

SNDBOX

Breaking Change: Deleted the sndbox-detonate-file command, which was not implemented in the code.


SentinelOne Pack v1.0.7

Integrations

SentinelOne v2
  • Breaking Change: Deleted the sentinelone-expire-site command, which was not implemented in the code.
  • Fixed an issue where the group_type argument in the sentinelone-get-groups command and the display_name argument in the sentinelone-get-threats command were not used correctly.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

ServiceNow Pack v2.1.2

Integrations

ServiceNow (Deprecated)

Breaking Change: Deleted the servicenow-incident-get command, which was not implemented in the code.

ServiceNow IAM
  • Maintenance and stability enhancements.
  • Updated the Docker image from: 3.8.6.14516 to 3.9.1.14969.

Sophos Central Pack v1.0.1

Integrations

Sophos Central
  • Fixed an issue where the First fetch parameter was not used correctly.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Symantec Advanced Threat Protection Pack v1.1.1

Integrations

Symantec Advanced Threat Protection
  • Added the fetch incidents configuration option for an integration instance.
  • Added the Query string for fetch incidents configuration option for an integration instance to solve an issue where fetching incidents was not working.

Telegram (Beta) Pack v1.0.1

Integrations

Telegram (Beta)

Fixed an issue where the telegram-send-message command was incorrectly handled in the code.


ThreatExchange Pack v1.0.1

Integrations

ThreatExchange

Maintenance and stability enhancements.


Troubleshoot Pack v1.1.1

Scripts

CertificatesTroubleshoot
  • Added an option to detect endpoint certificates using the OpenSSL client.
  • Improved debug logging.
  • Updated the Docker image to: demisto/ssl-analyze:1.0.0.14890.

Twinwave Pack v1.0.1 (Partner Supported)

Integrations

Twinwave

Breaking Change: Changed the twinwave-get-job-summary command to return multiple entries (entry per indicator) instead of a single entry.


Uptycs Pack v1.0.3 (Partner Supported)

Integrations

Uptycs
  • Removed the filename argument from the uptycs-post-threat-source command.
  • Updated the Docker image to: demisto/uptycs:1.0.0.12410.

Windows Remote Management Pack v1.0.2

Integrations

Windows Remote Management (Beta)
  • Moved the integration to Beta format.
  • Updated the integration image.

WootCloud Pack v1.0.2 (Partner Supported)

Integrations

WootCloud
  • Fixed an issue where the wootcloud-fetch-bluetooth-alert command was incorrectly handled in the code.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

X509Certificate Pack v1.0.1

Scripts

CertificateExtract

Maintenance and stability enhancements.


Zscaler Pack v1.1.0

Integrations

Zscaler
  • Added support for the custom_categories_only argument for the get-categories command.
  • Added the zscaler-url-quota command, which can be used for URL quota information.

abuse.ch SSL Blacklist Feed Pack v1.0.6

Integrations

abuse.ch SSL Blacklist Feed

Added functionality in the CSVApiModule, which is used by SSL Blacklist Feed.


dnstwist Pack v1.1.0

Integrations

dnstwist

Maintenance and stability enhancements.


okta Pack v2.1.2

Integrations

Okta IAM
  • Maintenance and stability enhancements.
  • Updated the Docker image from: 3.8.6.14516 to 3.9.1.14969.

urlscan.io Pack v1.0.6

Integrations

urlscan.io

Fixed a bug where exceeding the quota limit caused a timeout exception.


Assets