Cortex XSOAR Content Release Notes for version 21.2.0 (267504)

Published on 02 February 2021

New: Acalvio ShadowPlex Pack v1.0.0 (Partner Supported)

Integrations

Acalvio ShadowPlex

Acalvio ShadowPlex is a comprehensive autonomous deception platform that offers advanced threat detection, investigation, and response capabilities.

---

New: Agari Phishing Defense Pack v1.0.0 (Partner Supported)

Classifiers

Agari Phishing Defense - Classifier

Removed non-existing incident fields.

Agari Phishing Defense - Mapper

Maps incoming Agari Phishing Defense incident fields.

Dashboards

Agari Phishing Defense

Incident Fields

• APD Admin Recipients
• APD Alert Definition Name
• APD Attack Types
• APD Created At
• APD Enforcement Action
• APD Global Message ID
• APD Internal Message ID
• APD Message Authentication Results
• APD Message Authenticity Score
• APD Message DKIM D Tag
• APD Message Date
• APD Message Domain Reputation
• APD Message From
• APD Message From Domain
• APD Message Mail From
• APD Message PTR Name
• APD Message Reply To
• APD Message Reputation
• APD Message Risk Reason
• APD Message Sender IP Address
• APD Message Subject
• APD Message To
• APD Message Trust Score
• APD Notified Original Recipients
• APD Policy Action
• APD Policy Enabled
• APD Policy Event ID
• APD Summary
• APD Updated At

Incident Types

Agari Phishing Defense Policy Event

Integrations

Agari Phishing Defense

Agari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business.

Layouts

Agari Phishing Defense Policy Event - Summary

Playbooks

Agari Message Remediation - Agari Phishing Defense

Investigates Agari policy events by obtaining the original message and attachments from the existing email integrations and remediates in Agari.

Remediate Message - Agari Phishing Defense

Remediates a given message ID.

Retrieve Email Data - Agari Phishing Defense

Retrieves email data from one of the following integrations:

• Gmail.
• Mail Listener v2.
• EWS O365.
• Microsoft Graph Mail integrations.

---

New: Arduino Pack v1.0.0 (Community Contributed)

Integrations

Arduino

Connects to and controls an Arduino pin system using the network.

---

New: ComputerVisionEngine Pack v1.0.1 (Community Contributed)

Integrations

Computer Vision Engine

Processes images or movies and detects objects in them by using machine learning. It uses OpenCV with YOLO COCO.

---

New: Cyberint Pack v1.0.1 (Partner Supported)

Classifiers

Cyberint - Classifier

CyberInt (mapper)

Incident Types

Cyberint Incident

Integrations

Cyberint

Cyberint provides intelligence-driven digital risk protection. This integration will help your enterprise effectively consume actionable cyber alerts to increase your security posture.

Layouts

Cyberint incident layout

---

New: Intel471 Feed Pack v1.0.0

Integrations

Intel471 Actors Feed

Intel 471's Actors Feed is an actor-centric intelligence feature. It combines both a field-based intelligence collection and a headquartered-based intelligence analysis component. This feed allows getting data out of closed sources (typically referred to as the deep and dark web) where threat actors collaborate, communicate, and plan cyber attacks.

Intel471 Malware Feed

Intel471's Malware Intelligence is focused on the provisioning of a high fidelity and timely indicators feed with rich context, TTP information, and malware intelligence reports. This feed allows customers to block and gain an understanding of the latest crimeware campaigns and is for those who value timeliness, confidence (little to no false positives), and seek rich context and insight around the attacks they are seeing.

Indicator Fields

Forum Post Total Count

Forum Total Count

Instant Message Total Count

Report Total Count

---

New: LSASS Credential Dumping Pack v1.0.0 (Community Contributed)

Playbooks

LSASS Credential Dumping

Detects credential dumping attacks as researched by Accenture Security analysts and engineers.

---

New: LogPoint SIEM Integration Pack v1.0.0 (Partner Supported)

Classifiers

LogPoint SIEM Integration - Incoming Mapper

Maps LogPoint Incident fields

Incident Fields

• LogPoint AlertObjId - LogPoint Alert Obj Id
• LogPoint Assigned To - LogPoint Assigned To
• LogPoint Comments - LogPoint Comments
• LogPoint Comments Count - LogPoint Comments Count
• LogPoint Detection Timestamp - LogPoint Detection Timestamp
• LogPoint IncidentId - LogPoint Incident ID
• LogPoint Last Action - LogPoint Last Action
• LogPoint LogPoint Name - LogPoint LogPoint Name
• LogPoint Loginspect IP DNS - LogPoint Loginspect IP DNS
• LogPoint Object ID - LogPoint Incident Object ID
• LogPoint Query - LogPoint Query
• LogPoint Repos - LogPoint Repos
• LogPoint Rows Count - LogPoint Rows Count
• LogPoint Status - LogPoint Status
• LogPoint Throttle Enabled - LogPoint Throttle Enabled
• LogPoint Tid - LogPoint Tid
• LogPoint Time Range - LogPoint Time Range
• LogPoint User Id - LogPoint User Id
• LogPoint Username - LogPoint Username
• LogPoint Visible To - LogPoint Visible To

Incident Types

LogPoint Incident

Integrations

LogPoint SIEM Integration

Use this content pack to fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time.

---

New: Mantis Pack v1.0.0 (Community Contributed)

Integrations

Mantis

Creates and updates issues in MantisBT. MantisBT is a popular, free, web-based bug tracking system.

---

New: NCSC Cyber Assessment Framework Pack v1.0.0 (Community Contributed)

Incident Fields

• CAF A Achievement
• CAF A Answers
• CAF A Details
• CAF A Email
• CAF A Questions
• CAF A Result
• CAF A Result Raw
• CAF A Status
• CAF B Achievement
• CAF B Answers
• CAF B Details
• CAF B Email
• CAF B Questions
• CAF B Result
• CAF B Result Raw
• CAF B Status
• CAF C Achievement
• CAF C Answers
• CAF C Details
• CAF C Email
• CAF C Questions
• CAF C Result
• CAF C Result Raw
• CAF C Status
• CAF D Achievement
• CAF D Answers
• CAF D Details
• CAF D Email
• CAF D Questions
• CAF D Result
• CAF D Result Raw
• CAF D Status
• CAF Overall Result
• CAF Regulator Email
• NCSC Assessment Status

Incident Types

NCSC CAF Assessment

Layouts

Assessment Info

Playbooks

NCSC CAF Assessment

Executes automatically as part of the NCSC Assessment incident type. It sends the relevant questions (via email) to each participant and generates the assessment results.

Reports

NCSC Assessment

This is the final report generated when all CAF section questions are answered.

Scripts

EntryWidgetNCSCResultsA

Populates results for the dynamic content shown in the incident layout.

EntryWidgetNCSCResultsB

Populates results for the dynamic content shown in the incident layout.

EntryWidgetNCSCResultsC

Populates results for the dynamic content shown in the incident layout.

EntryWidgetNCSCResultsD

Populates results for the dynamic content shown in the incident layout.

NCSCCalculateQuestionsScore

Calculates the score based on the question and answer responses.

NCSCFieldProtection

Protects the fields associated with the assessment from accidental modification.

NCSCQuestionPopulate

Populates the "NCSC CAF Assessment" list with the list of NCSC questions.

NCSCReportDetails

Generates the report details used in the final report.

NCSCReportDetails_A

Generates the report details for the individual CAF section.

NCSCReportDetails_B

Generates the report details for the individual CAF section.

NCSCReportDetails_C

Generates the report details for the individual CAF section.

NCSCReportDetails_D

Generates the report details for the individual CAF section.

NCSCReportOverview

Generates the report details for the individual CAF section.

---

New: Netmiko Pack v1.0.0 (Community Contributed)

Integrations

Netmiko

Multi-vendor library to simplify SSH connections to network devices. Utilizes the Netmiko Python library for connections. Supports SSH key authentication and username/password.

---

New: Orca Pack v1.0.0 (Partner Supported)

Classifiers

Orca Alert - Classification

Classifies Orca Alert incidents.

Orca Mapper

Maps Orca fields for use in integration playbooks.

Incident Fields

• Orca Alert ID
• Orca Asset Unique ID
• Orca Cloud Account
• Orca Reason

Incident Types

Orca Alert

Integrations

Orca

Agentless, workload-deep, context-aware security and compliance for AWS, Azure, and GCP.

---

New: Palo Alto Networks Automatic SLR Pack v1.0.0 (Community Contributed)

Integrations

Palo Alto Networks Automatic SLR

A community supported integration to allow XSOAR to automatically generate Security Lifecycle Reviews (SLRs).

Playbooks

Palo Alto Networks - Automatic SLR

Initial default playbook to run the Palo Alto Networks Automatic SLR (Community) integration.

---

New: RST Threat Feed Pack v1.0.0 (Partner Supported)

Integrations

RST Cloud - Threat Feed API

The RST Threat Feed integration for interacting with APIs.

Playbooks

Domain Enrichment - RST Threat Feed

Enriches domains using one or more integrations. Domain enrichment includes threat information.

IP Enrichment - External - RST Threat Feed

Enriches IP addresses using one or more integrations.

• Resolves IP addresses to host names (DNS).
• Provides threat information.
• Separates internal and external addresses.

URL Enrichment - RST Threat Feed

Enriches URLs using one or more integrations.

• Provides SSL verification for URLs.
• Provides threat information.
• Provides URL screenshots.

---

New: SSL Certificate Verifier Pack v1.0.0 (Community Contributed)

Scripts

SSLVerifier

Checks for the validity of your SSL certificate and gets the time until expiration.

---

ANY.RUN Pack v1.0.1

Integrations

ANY.RUN

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

AWS Feed Pack v1.1.1

Integrations

AWS Feed

Internal code improvements.

---

Active Directory Query Pack v1.1.3

Integrations

Active Directory Query v2

Added the import for IAMApiModule to support all IAM classes.

---

ActiveMQ Pack v1.0.1

Integrations

ActiveMQ

Removed the Use system proxy settings configuration parameter as proxy is not supported by the integration.

---

Agari Phishing Defense Pack v1.0.1 (Partner Supported)

Classifiers

Agari Phishing Defense - Mapper

Removed non-existing incident fields.

Agari Phishing Defense - Classifier

Removed non-existing incident fields.

Layouts

Agari Phishing Defense Policy Event

---

Alexa Rank Indicator Pack v1.1.1

Integrations

Alexa Rank Indicator

Fixed an issue where the Dbot score was not calculated correctly for the domain command.

---

Analyst1 Pack v1.0.6 (Partner Supported)

Integrations

illuminate (Deprecated)

Documentation and metadata improvements.

Analyst1

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Ansible Tower Pack v1.0.1

Integrations

Ansible Tower

Fixed an issue where some arguments were incorrectly marked as default arguments.

---

ArcSight ESM Pack v1.1.0

Integrations

ArcSight ESM v2

Fixed an issue where the wrong context path was declared in the as-get-entries command.

Playbooks

TIM - ArcSight Add Url Indicators

Maintenance and stability enhancements.

TIM - ArcSight Add IP Indicators

Maintenance and stability enhancements.

TIM - ArcSight Add Domain Indicators

Maintenance and stability enhancements.

---

ArcSight Logger Pack v1.0.1

Integrations

ArcSight Logger

• Improved the documentation for the local_search argument of the as-search-events command.
• Fixed an issue where the field_summary argument of the as-search-events command was not working as expected.

---

Atlassian Jira Pack v1.2.11

Integrations

Atlassian Jira v2

• Fixed an issue where the assignee argument referred to the user's name and not its Account ID in the jira-create-issue command.
• Fixed the display names for various integration parameters.
• Reverted a change that was made in version 1.2.9 since it was not compatible with the Jira server.
• Added the assignee_id argument to the following commands which enables user assignment to an issue using the user's Account ID in order to support changes in the Jira Cloud API.
  • jira-create-issue
  • jira-edit-issue
• Added the jira-get-id-by-attribute command, which searches and retrieves the Account ID for a given user's attribute.
• Updated the Docker image to: demisto/oauthlib:1.0.0.15507.

---

AutoFocus Pack v1.1.13

Integrations

Palo Alto Networks AutoFocus v2

• Fixed an issue where the following arguments did not work as expected in the autofocus-search-sessions command.
  • time_range
  • time_after
  • time_before
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

Axonius Pack v1.0.1 (Partner Supported)

Integrations

Axonius

Updated the Docker image to: demisto/axonius:1.0.0.15518.

---

Base Pack v1.7.5

Scripts

CommonServerPython

• You can now log the return value from a function in debug mode when using the logger decorator.
• Added the reliability argument to the DBotScore class.
• Added the ability to mark an entry as a note for results of the CommandResults function by using the mark_as_note flag.
• Moved all IAM classes to the separate IAMApiModule module.
• Fixed an issue where several incident types were not extracted correctly in the GetMappingFieldsResponse class.

SanePdfReports

Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.15795.

CheckDockerImageAvailable

Updated to support checking Docker availability in the xsoar-registry.

DBotMLFetchData

The script now collects the following additional data:

• Whether an email is a forwarded message.
• The average embeddings of the email subject.
• Pre-process the subject email to remove [] prefixes.
• Additional features that might indicate if the incident was closed automatically.

---

BitcoinAbuse Feed Pack v1.0.1

Integrations

BitcoinAbuse Feed

• Fixed an issue with the handling of the Description indicator field for non-English text.
• Added the bitcoinabuse-get-indicators command.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

BlockList DE Feed Pack v1.0.3

Integrations

Blocklist_de Feed

The Use system proxy settings parameter now works as expected.

---

Box Pack v2.0.1

Integrations

Box (Deprecated)

Documentation and metadata improvements.

---

BruteForce Feed Pack v1.0.3

Integrations

BruteForceBlocker Feed

The Use system proxy settings parameter now works as expected.

---

Carbon Black Enterprise Protection Pack v1.0.5

Integrations

VMware Carbon Black App Control v2

• Removed the following unused arguments from the cbp-computer-update command:
  • templateCloneCleanupMode
  • templateCloneCleanupTime
  • templateCloneCleanupTimeScale
  • templateTrackModsOnly
  • changeDiagnostics
  • changeTemplate
  • delete
  • resetCLIPassword
• Fixed an issue where the reputationApprovalsEnabled argument was not used correctly in the cbp-fileRule-update command.

---

Check Point Firewall Pack v2.0.7

Integrations

Check Point Firewall v2

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Cisco ASA Pack v1.0.4

Integrations

Cisco ASA

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Cisco ESA IronPort Email API Pack v1.0.1 (Community Contributed)

Integrations

Cisco IronPort EMail API

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Cloudflare Feed Pack v1.0.3

Integrations

Cloudflare Feed

The Use system proxy settings parameter now works as expected.

---

Cofense Triage Pack v1.1.7 (Partner Supported)

Integrations

Cofense Triage (Deprecated)

Documentation and metadata improvements.

---

Common Playbooks Pack v1.8.11

Playbooks

Block File - Generic v2

Added the Cortex XDR - Block File sub-playbook.

---

Common Scripts Pack v1.3.16

Scripts

PcapHTTPExtractor

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.15436.

SetGridField

• Improved the error messages.
• Fixed an issue where the script failed when an empty value was entered.
• Fixed an issue where the script failed on an "unhashable type" error.
• Updated the Docker image to: demisto/pandas:1.0.0.15584.

ModifyDateTime

• Fixed an issue where the time zone was ignored.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Common Types Pack v2.8.1

Incident Fields

• Team name
• app channel name
• similarIncidents
• App message

Indicator Fields

Mitre Tactics

Download URL

---

CrowdStrike Falcon Pack v1.2.12

Integrations

CrowdStrike Falcon

• Fixed an issue where an unsupported media type was sent.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

CrowdStrike Falcon Intel Pack v2.0.9

Integrations

CrowdStrike Falcon Intel (Deprecated)

Documentation and metadata improvements.

---

CrowdStrike Falcon Streaming Pack v1.0.16

Integrations

CrowdStrike Falcon Streaming v2

Improved the handling of the discovery attempt for stream resources when they are not required.

---

Cryptocurrency Pack v1.1.3

Indicator Fields

Integrations

Cryptocurrency

• Added the Source Reliability integration parameter to define the reliability of the source providing the intelligence data.
• Added the Reputation integration parameter to define the reputation of the ingested indicators.

Layouts

• Cryptocurrency - Added the Count field to the layout.
• Cryptocurrency Address - Added the Count field to the layout.

Scripts

CryptoCurrenciesFormat

Maintenance and stability enhancements.

---

CyberArk AIM Pack v1.0.5

Integrations

CyberArk AIM (Deprecated)

Documentation and metadata improvements.

CyberArk AIM v2

• Fixed an issue were credentials fetched from this integration could not be used in other integrations.
• Updated the Docker image to: demisto/ntlm:1.0.0.15081.

---

CyberX - Central Manager Pack v1.0.1 (Community Contributed)

Integrations

CyberX - Central Manager

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3-deb:3.9.1.15758.

---

Cymulate Pack v1.0.8 (Partner Supported)

Integrations

Cymulate

• Fixed the display names for various integration parameters.
• Update the Docker image to: demisto/python3:3.9.1.15759.

---

Cyren Threat InDepth Threat Intelligence Pack v1.2.0 (Partner Supported)

Classifiers

New: Cyren Threat InDepth Indicator Mapper

Cyren Threat InDepth Indicator Mapper - Provides flexibility to gather the data the way it is needed in the customer's process.(Available from Cortex XSOAR 6.0.0.)

Dashboards

New: Cyren Threat InDepth Dashboard

Cyren Threat InDepth Dashboard - Provides general information about the data pulled from Cyren Threat InDepth. It can be used directly as a new dashboard or individual widgets can be added to existing dashboards. (Available from Cortex XSOAR 6.0.0.)

Indicator Fields

Cyren Feed Relationships

• Cyren IP Intensity
• Cyren IP Risk
• Cyren Source Tags

Integrations

Cyren Threat InDepth Threat Intelligence Feed

• Deprecated the Creation Date field for indicator fields. Use the Updated Date field instead.
• Creates or updates indicators from feed relationships now (for instance, ingesting both a malicious SHA256 and the URL potentially hosting it).
• Added the Cyren Threat InDepth Indicator Mapper default mapper.

Layouts

Scripts

New: CyrenThreatInDepthRelatedWidget

Shows feed relationship data in a table with the ability to navigate. (Available from Cortex XSOAR 6.0.0.)

---

DShield Feed Pack v1.0.3

Integrations

DShield Feed

The Use system proxy settings parameter now works as expected.

---

Darktrace Pack v1.0.2 (Partner Supported)

Integrations

Darktrace

Fixed an issue where some arguments were incorrectly marked as default arguments.

---

DeepInstinct Pack v1.0.3 (Partner Supported)

Integrations

Deep Instinct

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

EWS Pack v1.7.3

Integrations

EWS v2

Fixed an issue where the fetch incidents command failed to parse email headers.

---

EWS Mail Sender Pack v1.1.1

Integrations

EWS Mail Sender

• Fixed a regression where the integration failed to connect to older versions of Exchange, which still use TLS1.0.
• Updated the Docker image to: demisto/py2-exchangelib:1.0.0.15788.

---

Elasticsearch Pack v1.1.4

Integrations

Elasticsearch v2

• Fixed an issue where JSON incident labels were not saved correctly.
• Updated the Docker image to: demisto/elasticsearch:1.0.0.14274.

---

Expanse v2 Pack v1.0.6

Integrations

Expanse Expander Feed

Fixed an issue where some arguments were incorrectly marked as default arguments.

Playbooks

Handle Expanse Incident

Added a check to avoid failures when no Asset tags are associated to the Expanse issue.

Handle Expanse Incident - Attribution Only

Added a check to avoid failures when no Asset tags are associated to the Expanse issue.

Scripts

ExpanseRefreshIssueAssets

Fixed an issue when handling Asset tags returned by Expanse.

---

Fastly Feed Pack v1.1.1

Integrations

Fastly Feed

Internal code improvements.

---

FeodoTracker Feed Pack v1.0.6

Integrations

Feodo Tracker Hashes Feed (Deprecated)

• The Use system proxy settings parameter now works as expected.
• Documentation and metadata improvements.

Feodo Tracker IP Blocklist Feed

• Fixed an issue where the indicators were not extracted from the feed.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Forescout Pack v1.0.2

Integrations

Forescout

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

GitHub Pack v1.1.7

Integrations

GitHub IAM

• Added the import for IAMApiModule to support all IAM Classes.
• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Gmail Pack v1.1.4

Integrations

Gmail

• Maintenance and stability enhancements.
• Updated the Docker image to: demisto/google-api:1.0.0.15653.

---

Gmail Single User (Beta) Pack v1.1.1

Integrations

Gmail Single User (Beta)

• Added the Maximum number of emails to pull per fetch configuration parameter.
• Improved fetch incidents logic to avoid duplicate incidents.
• Improved handling of emails with an invalid Date header.
• Fixed an issue where the integration attempted to send requests via proxy even though the Use system proxy settings integration parameter was not checked.
• Fixed an issue where the send-email command sent emails with both a textual and HTML body.
• Fixed an issue where attachments were not sent in the correct format.
• Documentation improvements on using your own Google App.
• Updated the Docker image to: demisto/google-api-py3:1.0.0.14611.

---

Google Vision AI Pack v1.0.1

Integrations

Google Vision AI

Updated the Docker image to: demisto/google-vision-api:1.0.0.15679.

---

Graylog Pack v1.0.1 (Community Contributed)

Integrations

Graylog

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

Hello World IAM Pack v1.0.1

Integrations

Hello World IAM

General performance and reliability improvements.

---

HelloWorld Pack v1.2.1 (Community Contributed)

Integrations

HelloWorld

• Fixed a typo in the comments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

Playbooks

Handle Hello World Alert

Maintenance and stability enhancements.

---

IBM QRadar Pack v1.2.11

Integrations

IBM QRadar

Fixed an issue where the test-module command did not work as expected.

IBM QRadar v2

• Fixed an issue where the fetch-incidents command missed events when fetching an offense with unindexed events.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

IBM X-Force Exchange Pack v1.0.7

Integrations

IBM X-Force Exchange (Deprecated)

Documentation and metadata improvements.

---

IntSights Pack v1.0.2

Integrations

IntSights

Fixed the display names for various integration parameters.

---

Integrations & Incidents Health Check Pack v1.1.11

Playbooks

Integrations and Playbooks Health Check - Running Scripts

Fixed an issue where the playbooktaskserrors incident field was filled incorrectly.

Scripts

IncidentsCheck-PlaybooksHealthNames

• Fixed an issue where some colors appeared transparent.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-PlaybooksFailingCommands

• Fixed an issue where some colors appeared transparent.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-PlaybookNames

• Fixed an issue where some colors appeared transparent.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-CreationDate

• Fixed an issue where some colors appeared transparent.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

GetFailedTasks

• Fixed an issue where the script output always added an empty object.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-CommandsNames

• Fixed an issue where some colors appeared transparent.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-IncidentsErrorsInfo

• Improved error handling.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

InstancesCheck-FailedCategories

• Fixed an issue where some colors appeared transparent.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

IntegrationsCheck-Widget-IntegrationsCategory

• Fixed an issue where some colors appeared transparent.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

JSON Feed Pack v1.1.1

Integrations

JSON Feed

Internal code improvements.

---

Kafka Pack v1.0.2

Integrations

Kafka v2

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/pykafka:1.0.0.15212.

---

Lastline Pack v1.0.5

Integrations

Lastline v2

• Fixed an issue where the threshold integration parameter was not used correctly.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

Maltiverse Pack v1.0.2

Integrations

Maltiverse

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

MalwareDomainList Feed Pack v1.0.3

Integrations

Malware Domain List Active IPs Feed

The Use system proxy settings parameter now works as expected.

---

Manage Engine Service Desk Plus Pack v1.2.2

Integrations

Service Desk Plus

• The update_reason argument in the service-desk-plus-request-update command now works as expected.
• The status_change_comments argument was removed from the service-desk-plus-request-update command since it was unused.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

McAfee Advanced Threat Defense Pack v1.0.5

Integrations

McAfee Advanced Threat Defense

Fixed the display names for various integration parameters.

---

McAfee ESM Pack v1.1.3

Integrations

McAfee ESM v2

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

McAfee ESM v10 and v11 Pack v1.0.6

Integrations

McAfee ESM v10 and v11 (Deprecated)

Documentation and metadata improvements.

---

Microsoft Graph Device Management Pack v1.0.6

Integrations

Microsoft Graph Device Management (Microsoft Intune)

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/crypto:1.0.0.14297.

---

Netmiko Pack v1.0.1 (Community Contributed)

Integrations

Netmiko

Updated the client method to include missing input parameter.

---

Orca Pack v1.0.2 (Partner Supported)

Classifiers

Orca Mapper

Corrected the name of a misspelled incident field.

Integrations

Orca

Updated the following commands so that they do not fail on empty results:

• orca-get-asset
• orca-get-alerts

---

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.8.1

Layouts

Cortex XDR Incident

• Added the Work Plan section to the Cortex XDR Incident layout for better playbook tasks execution monitoring.
• Maintenance and stability enhancements.

Playbooks

Cortex XDR incident handling v3

• Replaced the Rest API LinkIncident command with the built-in LinkIncident command.
• Maintenance and stability enhancements.

New: Cortex XDR - Block File

Adds files to the Cortex XDR block list with a given file SHA256 playbook input. (Available from Cortex XSOAR 5.0.0.)

Cortex XDR incident handling v2

Replaced the Rest API LinkIncident command with the built-in LinkIncident command.

---

Palo Alto Networks PAN-OS EDL Management Pack v1.0.1

Integrations

Palo Alto Networks PAN-OS EDL Management

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/openssh:1.0.0.12410.

---

Palo Alto Networks PAN-OS EDL Service Pack v1.0.6

Integrations

Palo Alto Networks PAN-OS EDL Service

• Fixed an issue where selecting a value from the Should collapse IPs integration parameter could cause an out of memory error.
• Fixed an issue where redundant data was saved in the integration context.
• Updated the Docker image to: demisto/teams:1.0.0.15630.

---

Palo Alto Networks WildFire Pack v1.2.3

Integrations

Palo Alto Networks WildFire v2

• Fixed an issue where uploading js files using the wildfire-upload command failed.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

PassiveTotal Pack v2.0.6 (Partner Supported)

Integrations

PassiveTotal (Deprecated)

Documentation and metadata improvements.

---

PhishTank Pack v2.0.4

Integrations

PhishTank (Deprecated)

Documentation and metadata improvements.

---

Phishing Pack v2.2.0

Layouts

Playbooks

Phishing Playbook - Manual

Maintenance and stability enhancements.

Scripts

FindDuplicateEmailIncidents

• Added additional incident fields to the entry results contents.
• Updated the Docker image to: demisto/sklearn:1.0.0.15163.

---

Plain Text Feed Pack v1.0.4

Integrations

Plain Text Feed

The Use system proxy settings parameter now works as expected.

---

Proofpoint Protection Server Pack v2.0.2

Integrations

Proofpoint Protection Server (Deprecated)

• Deprecated. Use Proofpoint Protection Server v2 instead.
• Improved deprecation comment.

New: Proofpoint Protection Server v2

Proofpoint email security appliance.

---

RSA Archer Pack v1.1.11

Integrations

RSA Archer (Deprecated)

Documentation and metadata improvements.

RSA Archer v2

Fixed an issue where duplicate incidents were fetched when they occurred at the same time as the previous fetch.

---

RSA NetWitness v11.1 Pack v1.0.1

Integrations

RSA NetWitness v11.1

Fixed the display names for various integration parameters.

---

Rapid7 Nexpose Pack v1.0.3

Integrations

Rapid7 Nexpose

Fixed the display names for various integration parameters.

---

Remedy SR (Beta) Pack v1.0.2

Integrations

BMC Remedy SR (Beta)

Improved proxy handling.

---

ReversingLabs A1000 Pack v1.0.1

Integrations

ReversingLabs A1000

• Added a custom error class for better error handling.
• Added user agent functionality.

---

ReversingLabs Titanium Cloud Pack v1.0.1

Integrations

ReversingLabs Titanium Cloud

• Added user agent functionality.
• Fixed some error messages.

---

RiskSense Pack v1.0.4 (Partner Supported)

Integrations

RiskSense

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

Salesforce Pack v1.0.3

Classifiers

New: User Profile - Salesforce (Incoming)

(Available from Cortex XSOAR 6.0.0.)

New: User Profile - Salesforce (Outgoing)

(Available from Cortex XSOAR 6.0.0.)

Integrations

New: Salesforce IAM

Integrates with Salesforce's services to perform Identity Lifecycle Management operations. (Available from Cortex XSOAR 6.0.0.)

Scripts

New: generate_profile_id

Generates profileId by user data. (Available from Cortex XSOAR 6.0.0.)

New: generate_timezonesidkey

• Generates timezonesidkey by user data. (Available from Cortex XSOAR 6.0.0.)
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

ServiceNow Pack v2.1.9

Integrations

ServiceNow (Deprecated)

Documentation and metadata improvements.

ServiceNow v2

• Added the following arguments to the servicenow-update-ticket and servicenow-create-ticket commands:
  • reassignment_count
  • reopen_count
  • sys_updated_by
  • sys_updated_on
• Added the above mentioned ticket fields to the context data.
• Removed the following arguments from the servicenow-update-ticket and servicenow-create-ticket commands, as they are not supported in the API.
  • display
  • escalation
• Added the fields_delimiter argument to the following commands:
  • servicenow-create-ticket
  • servicenow-update-ticket
  • servicenow-create-record
  • servicenow-update-record
  • servicenow-get-ticket
• Updated the Docker image to: demisto/python3:3.9.1.14969.

ServiceNow CMDB

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

ServiceNow IAM

Added the import for IAMApiModule to support all IAM classes.

Scripts

ServiceNowIncidentStatus

Updated the Docker image to: demisto/python3:3.9.1.14969.

---

Shift Management Pack v1.2.1

Incident Fields

• Out off the office
• To start the meeting
• To join the meeting
• Shift open incidents
• Shift manager briefing

Incident Types

Shift handover

Layouts

Shift handover

Playbooks

New: Set up a Shift handover meeting

Create an online meeting for shift handover. Currently, this playbook supports Zoom. (Available from Cortex XSOAR 6.0.0).

New: Assign Active Incidents to Next Shift V2

Reassigns active incidents to the current users who are on call. It requires shift management to be set up. The playbook can be run as a job a few minutes after the scheduled shift change time. (Available from Cortex XSOAR 6.0.0.)

Scripts

GetUsersOnCall

Added the listname argument that allows users to specify a new name for the out-of-office list. The default name is OOO List.

GetShiftsPerUser

Updated the Docker image to: demisto/python3:3.9.1.14969.

GetRolesPerShift

Updated the Docker image to: demisto/python3:3.9.1.14969.

GetNumberOfUsersOnCall

Updated the Docker image to: demisto/python3:3.9.1.14969.

GetOnCallHoursPerUser

Updated the Docker image to: demisto/python3:3.9.1.14969.

New: CreateChannelWrapper

Creates a channel in Slack v2 or in Microsoft Teams. If both Slack v2 and Microsoft Teams are available, it creates the channel in both. (Available from Cortex XSOAR 5.5.0.)

New: AssignToNextShiftOOO

Reassigns the active incidents to the next shift. (Available from Cortex XSOAR 5.0.0.)

New: TimeToNextShift

Retrieves the time left until the next shift begins. (Available from Cortex XSOAR 5.5.0.)

New: AssignAnalystToIncidentOOO

Assigns all on-call analysts to the active incidents. This automation will not assign users who appear in the out-of-office list. (Available from Cortex XSOAR 5.5.0).

New: ManageOOOusers

Adds or removes an analyst from the out-of-office list in XSOAR. When used with the AssignAnalystToIncidentOOO automation, prevents incidents from being assigned to an analyst who is out of the office. (Available from Cortex XSOAR 5.5.0).

New: OutOfOfficeListCleanup

Removes any analyst from the out-of-office list whose 'off until day' is in the past. (Available from Cortex XSOAR 5.5.0).

New: GetUsersOOO

Retrieves users who are currently out of office. (Available from Cortex XSOAR 5.5.0).

GetUsersOOO

Fixed an issue when the OOO List is empty.

Widgets

New: Out of office users

Details of the users who are currently out of office. (Available from Cortex XSOAR 5.5.0).

New: Shift changes in

Displays the amount of time left until the end of shift. (Available from Cortex XSOAR 5.5.0).

---

Sixgill Darkfeed - Annual Subscription Pack v1.2.4 (Partner Supported)

Integrations

Sixgill DarkFeed Enrichment

Fixed an issue where some arguments were incorrectly marked as default arguments.

---

Skyformation Pack v1.0.2 (Partner Supported)

Integrations

Skyformation (Deprecated)

• Deprecated. Following M&A, partner declared end-of-life for this integration.

---

Slack Pack v1.3.13

Integrations

New: Slack IAM

• Integrates with Slack's services to execute create, read, update, and delete operations for employee lifecycle processes. (Available from Cortex XSOAR 6.0.0.)
• Updated the Docker image to: demisto/python3:3.9.1.14969.

Slack IAM

Fixed display names for various integration parameters.

---

Snowflake Pack v1.0.2

Integrations

Snowflake

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/snowflake:1.0.0.2505.

---

Spamhaus Feed Pack v1.0.3

Integrations

Spamhaus Feed

The Use system proxy settings parameter now works as expected.

---

Splunk Pack v1.2.9

Integrations

SplunkPy

• Added support for the limit argument in the splunk-results command in order to control the number of returned results.
• Fixed an issue where a KeyError exception was raised while trying to edit a notable.
• Fixed an issue where some arguments were incorrectly marked as default.

---

Stealthwatch Cloud Pack v1.0.3

Integrations

Stealthwatch Cloud

Fixed the display names for various integration parameters.

---

Symantec Blue Coat Content and Malware Analysis (Beta) Pack v1.0.2

Integrations

Symantec Blue Coat Content and Malware Analysis (Beta)

Removed the following integration parameters which were not in use.

• Verbose
• Max. Polling Time

---

Symantec Managed Security Services Pack v1.0.2

Integrations

Symantec Managed Security Services

Fixed an issue where the integration failed on an XML parsing error.

---

ThreatConnect Pack v2.0.12

Integrations

ThreatConnect (Deprecated)

Documentation and metadata improvements.

ThreatConnect v2

• Fixed an issue where the security_label argument was not used correctly in the tc-create-document-group command.
• Removed the updatedValues argument from the tc-update-indicator command since it is not used.
• Fixed the display names for various integration parameters.

---

Troubleshoot Pack v2.0.1

Playbooks

Integration Troubleshooting

Fixed an issue where the playbook failed to run due to an incorrect condition handling in the What is the troubleshoot type? task.

---

TruSTAR Pack v2.1.2 (Partner Supported)

Integrations

TruSTAR (Deprecated)

Documentation and metadata improvements.

---

Uptycs Pack v1.0.4 (Partner Supported)

Integrations

Uptycs

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/uptycs:1.0.0.15503.

---

VirusTotal Pack v1.0.3

Integrations

VirusTotal

Fixed an issue in the url command where invalid URLs were not handled correctly.

---

VulnDB Pack v1.0.2

Integrations

VulnDB

• Fixed the display names for various integration parameters.
• Updated the Docker image to: demisto/python3:3.9.1.15759.

---

Windows Defender Advanced Threat Protection (Deprecated) Pack v1.0.3

Integrations

Windows Defender Advanced Threat Protection (Deprecated)

Documentation and metadata improvements.

---

WootCloud Pack v1.0.3 (Partner Supported)

Integrations

WootCloud

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

Workday Pack v1.0.8

Integrations

Workday

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

Workday IAM

Added the import for IAMApiModule to support all IAM Classes.

---

XSOAR Mirroring Pack v2.0.1

Integrations

XSOAR Mirroring

• Fixed an issue where the columns argument did not work as expected in the xsoar-search-incidents command.
• Updated the Docker image to: demisto/python3:3.9.1.14969.

---

Zscaler Pack v1.1.1

Integrations

Zscaler

Fixed an issue where some arguments were incorrectly marked as default arguments.

---

iDefense Pack v3.0.1

Integrations

iDefense Feed

Internal code improvements.

---

mnemonic MDR Pack v1.0.1 (Partner Supported)

Integrations

mnemonic MDR - Argus Managed Defence

• Fixed an issue where some arguments were incorrectly marked as default arguments.
• Fixed an issue where the First fetch time parameter was not handled correctly.
• Updated the Docker image to: demisto/argus-toolbelt:1.0.0.15350.

---

okta Pack v2.1.5

Integrations

Okta IAM

Added the import for IAMApiModule to support all IAM Classes.

---

Assets

• Download Content Zip (Cortex XSOAR 5.5 and earlier): content_new.zip
• Download Marketplace Packs (Cortex XSOAR 6.0 and later): content_marketplace_packs.zip
• Browse the Source Code: Content Repo @ 21.2.0