Cortex XSOAR Content Release Notes for version 20.10.0 (142601)#

Published on 13 October 2020#

New: Cisco Email Security (Beta) Pack v1.0.0#

Integrations#

Cisco Email Security (Beta)#

Cisco Email Security is an email security gateway. It detects and blocks a wide variety of email-borne threats, such as malware, spam, and phishing.


New: Coralogix Pack v1.0.0 (Partner Supported)#

Integrations#

Coralogix#

Fetches incidents, searches for supporting data and tags interesting datapoints in or from your Coralogix account.


New: Feed OpenCTI Pack v1.0.0#

Integrations#

OpenCTI Feed#

Ingests indicator feeds from OpenCTI.


New: Integrations & Incidents Health Check Pack v1.0.0 (Server 6.0+)#

Enables system users to review all of the failed integrations, incidents, and playbooks. As part of this pack, you will get out-of-the-box, full layouts, dashboards, an incident type, and incident fields. All of these are easily customizable to suit the needs of your organization. You can configure a job on an hourly/daily/weekly basis to perform the health check. The job will run the checkup playbook that tests all enabled integrations and searches for open incidents with errors to get their status and retrieve the error information. Additionally, this job will update the dashboards for visibility.

Dashboards#

  • Incidents Health
  • Integrations Health

Incident Fields#

  • Created Date Failed Incidents
  • Integrations Categories
  • Integrations Failed Categories
  • Number of Entries ID Errors
  • Number of Failed Incidents
  • Playbook Names With Failed Tasks
  • Playbook Tasks Errors
  • Playbooks Failed Commands
  • Playbooks With Failed Tasks
  • Total Failed Instances
  • Total Good Instances
  • Total Instances
  • Unassigned Incidents
  • failed incidents created date
  • similarIncident

Incident Types#

Integrations and Incidents Health Check

Playbooks#

Integrations and Playbooks Health Check - Running Scripts#

This playbook is triggered by the JOB - Integrations and Playbooks Health playbook and is responsible for running the failed integrations and failed incidents scripts. The playbook may also run separately from the main playbook to run health tests on enabled integrations and open incidents.

JOB - Integrations and Playbooks Health Check#

This playbook checks the health of all enabled integrations and open incidents. You should run this playbook as a scheduled job.

JOB - Integrations and Playbooks Health Check - Lists handling#

This playbook is triggered by a JOB - Integrations and Playbooks Health playbook and is responsible for creating or updating related Cortex XSOAR lists.

Reports#

Integrations and Incidents Health Check#

Reports all failed enabled integrations and failed open incidents.

Scripts#

CopyLinkedAnalystNotes#

Copies the analyst notes from the integrations and incidents grid.

GetFailedTasks#

Gets failed tasks details for incidents based on a query.

IncidentsCheck-NumberofIncidentsNoOwner#

Displays the number of unassigned incidents in the Health Check dynamic section.

IncidentsCheck-NumberofIncidentsWithErrors#

Displays the number of failed incidents in the Health Check dynamic section.

IncidentsCheck-NumberofTotalEntriesErrors#

Displays the total number of errors in failed incidents in the Health Check dynamic section.

IncidentsCheck-PlaybooksFailingCommands#

Displays the top ten commands of the failed incidents in a pie chart in the Health Check dynamic section.

IncidentsCheck-PlaybooksHealthNames#

Displays the top ten playbook names of the failed incidents in a bar chart in the Health Check dynamic section.

IncidentsCheck-Widget-CommandsNames#

Data output script for populating the dashboard pie graph widget with the top failing incident commands.

IncidentsCheck-Widget-CreationDate#

Data output script for populating the dashboard line graph widget with the creation date of failing incidents.

IncidentsCheck-Widget-IncidentsErrorsInfo#

Data output script for populating the dashboard table graph widget with information about failing incidents.

IncidentsCheck-Widget-NumberFailingIncidents#

Data output script for populating the dashboard number graph widget with the number of failing incidents.

IncidentsCheck-Widget-NumberofErrors#

Data output script for populating the dashboard number graph widget with the number of entry ID errors.

IncidentsCheck-Widget-PlaybookNames#

Data output script for populating the dashboard bar graph widget with the top failing playbook names.

IncidentsCheck-Widget-UnassignedFailingIncidents#

Data output script for populating the dashboard number graph widget with the number of unassigned failing incidents.

InstancesCheck-FailedCategories#

Displays the top ten categories of the failed integrations in a pie chart in the Health Check dynamic section.

InstancesCheck-NumberofEnabledInstances#

Displays the total number of checked integrations in the Health Check dynamic section.

InstancesCheck-NumberofFailedInstances#

Displays the total number of failed integrations in the Health Check dynamic section.

IntegrationsCheck-Widget-IntegrationsCategory#

Data output script for populating the dashboard pie graph widget with the failing integrations.

IntegrationsCheck-Widget-IntegrationsErrorsInfo#

Data output script for populating the dashboard table graph widget with information about failing integrations.

IntegrationsCheck-Widget-NumberChecked#

Data output script for populating the dashboard number graph widget with the number of checked integrations.

IntegrationsCheck-Widget-NumberFailingInstances#

Data output script for populating the dashboard number graph widget with the number of failing integrations.

Widgets#

Number of Checked Integrations#

A widget displaying the number of checked integrations.

Failed Incidents Information#

A widget displaying the failed incidents information in a table.

Failed Instances Category#

A pie widget displaying the failed instances category.

Failed Instances Information#

A table widget displaying the failed instances information.

Number Of Failed Instances#

A number widget displaying the number of failed integrations.

Top Failed Commands#

A pie chart displaying the top failed commands.

Top Failed Playbook Names#

A bar chart displaying the top failed playbook names.

Creation Date of Failed Incidents#

A line widget displaying the creation date of the failed incidents.

Number of Errors#

A number widget displaying the total number of errors (entry IDs).

Number of Failed Incidents#

A number widget displaying the number of failed incidents.

Number of Failed Unassigned Incidents#

A number widget displaying the total number of unassigned failed incidents.


New: Lacework Pack v1.0.0 (Community Contributed)#

Integrations#

Lacework#

Lacework provides customers with visibility and control over their cloud operations at cloud scale by monitoring all activities across all cloud components.


New: Microsoft Endpoint Configuration Manager Pack v1.0.0#

Integrations#

Microsoft Endpoint Configuration Manager#

Microsoft Endpoint Configuration Manager (formerly known as SCCM) provides the overall Configuration Management (CM) infrastructure and environment to the product development team.


New: RegexReplace Pack v1.0.0 (Community Contributed)#

Scripts#

RegexReplace#

Searches for and replaces occurrences of a pattern (regular expression) inside a string. If the regular expression does not match, the original value is returned.


New: RiskIQ Digital Footprint Pack v1.0.0 (Partner Supported)#

Incident Fields#

  • RiskIQ Asset AWS Security Group Name
  • RiskIQ Asset Contact
  • RiskIQ Asset GCP Firewall Name
  • RiskIQ Asset Name
  • RiskIQ Asset Okta Zone ID
  • RiskIQ Asset Owner
  • RiskIQ Asset Type
  • RiskIQ Skip Manual Tasks
  • RiskIQ Support Contact

Incident Types#

  • RiskIQ Asset Management

IndicatorFields#

RiskIQAsset Added To Inventory#

Date and time when the asset was added to the RiskIQ Digital Footprint inventory.

RiskIQAsset Brands#

Names of the brands applied to the asset.

RiskIQAsset Confidence#

Discovery confidence level of the asset.

RiskIQAsset CVEs#

CVEs detected from the details of the asset.

RiskIQAsset Enterprise Asset#

Whether the asset has been designated as an enterprise asset by RiskIQ Digital Footprint.

RiskIQAsset First Seen#

Date and time when the asset was first observed on RiskIQ Digital Footprint.

RiskIQAsset Inventory Status#

Inventory status of the asset.

RiskIQAsset Last Seen#

Date and time when the asset was most recently observed on RiskIQ Digital Footprint.

RiskIQAsset Last Updated#

Date and time when the most recent update was performed on the asset by a user action on RiskIQ Digital Footprint.

RiskIQAsset Organizations#

Names of the organizations applied to the asset.

RiskIQAsset Priority#

Priority of the asset.

RiskIQAsset Tags#

Names of the tags applied to the asset.

RiskIQAsset Type#

The type of the asset.

RiskIQAsset UUID#

The unique identifier of the asset on RiskIQ Digital Footprint.

IndicatorTypes#

Packs/RiskIQDigitalFootprint/IndicatorTypes/reputation-RiskIQAsset.json

Integrations#

RiskIQ Digital Footprint#

The RiskIQ Digital Footprint integration enables your security team to manage assets outside your firewall. Using the integration, you can view asset details, add or update assets, and analyze your digital footprint from the adversary's perspective.

Layouts#

  • RiskIQ Asset Management - Summary
  • RiskIQ Asset Management - New/Edit
  • RiskIQ Asset Management - Mobile
  • RiskIQ Asset Management - Quick View

Playbooks#

Enrich Incident With Asset Details - RiskIQ Digital Footprint#

Enriches the incident with asset details, and enriches the asset with the incident URL on the RiskIQ Digital Footprint platform. This playbook also sends an email containing the owner's information to the primary or secondary contact of the asset and provides the user with an opportunity to update or remove the asset. Supported integration: RiskIQ Digital Footprint.

Update Or Remove Assets - RiskIQ Digital Footprint#

Using various user inputs, this playbook checks if the user wants to update or remove an asset, and performs the respective actions. Supported integration: RiskIQ Digital Footprint.


New: Spamcop Pack v1.0.0 (Community Contributed)#

Integrations#

Spamcop#

SpamCop is an email spam reporting service. The integration enables checking the reputation of an IP address.


New: Troubleshoot Pack v1.0.0#

Scripts#

CertificatesTroubleshoot#

Exports all certificate-related information from the Python Docker container and decodes it according to the relevant RFC standards. It also retrieves the certificate served by the specified endpoint.


New: WootCloud Pack v1.0.0 (Partner Supported)#

Integrations#

WootCloud#

Appends HyperContext™ insights to your SIEM data and feeds them into your orchestration workflows.


New: XSOAR Mirroring Pack v1.0.0#

Classifiers#

  • XSOAR Mirror
  • XSOAR Mirror In
  • XSOAR Mirror Out

Incident Fields#

From Pong

Incident Types#

  • Ping
  • Pong

Integrations#

XSOAR Mirroring#

Facilitates mirroring of XSOAR incidents between different XSOAR tenants.


AWS - EC2 Pack v1.1.3#

Integrations#

AWS - EC2#

Added clarification to the fromPort and toPort arguments for the aws-ec2-authorize-security-group-ingress-rule and aws-ec2-revoke-security-group-ingress-rule commands.


Active Directory Query Pack v1.0.5#

Integrations#

Active Directory Query v2#
  • Fixed several typos.
  • Updated the Docker image to: demisto/ldap:1.0.0.11282.

Aella Star Light Pack v1.0.1#

Integrations#

Aella_StarLight#

Documentation and metadata improvements.


Anomali ThreatStream Pack v1.0.4#

Integrations#

Anomali ThreatStream v2#
  • Maintenance and stability enhancements.
  • Fixed an issue in the threatstream-import-indicator-with-approval command where indicators were not imported to the Anomali ThreatStream platform.

AutoFocus Pack v1.1.4#

Integrations#

AutoFocus Feed#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: 3.8.5.11789.

Base Pack v1.3.15#

Scripts#

CommonServerPython#
  • Maintenance and stability enhancements.
  • Fixed an issue where an unneeded import error was raised.

WordTokenizerNLP#

Fixed a performance issue.

DBotTrainTextClassifierV2#

Added a validation to check that the phishingLabels argument is consistent with the input incidents.

GetIncidentsByQuery#
  • Queries incidents in batches (paging). You can set the batch range by passing the pageSize argument. The default is 500.
  • Updated the script to Python 3.

Carbon Black Enterprise Response Pack v1.1.0#

Playbook#

Get File Sample From Path - Carbon Black Enterprise Response#
  • Deprecated the CBLiveGetFile automation command. Use the CBLiveGetFile_V2 automation command instead.
  • Updated playbook outputs with the CBLiveGetFile_V2 command.

Scripts#

CBLiveFetchFiles#
  • Deprecated the CBLiveGetFile automation command. Use the CBLiveGetFile_V2 automation command instead.
  • Changed the automation structure to Package format.

New: CBLiveGetFile_V2#

This automation translates an endpoint's hostname/IP address to the Carbon Black sensor ID. It then opens a session to the endpoint to download the specified file paths and closes the session.


CaseManagement-Generic Pack v1.0.1#

Layouts#

Updated the ID of the layouts.

  • layout-close-Case_layout-Case.json
  • layout-detailsV2-Case_layout-Case.json
  • layout-edit-Case_layout-Case.json
  • layout-mobile-Case_layout-Case.json
  • layout-quickView-Case_layout-Case.json
  • Case layout

Incident Types#

Case#

Updated the bound layout.


Check Point Firewall Pack v2.0.0#

Integrations#

New: Check Point Firewall v2#

Reads information and sends commands to the Check Point Firewall server.

Playbooks#

Checkpoint - Block IP - Custom Block Rule#

Blocks IP addresses using custom block rules in the Checkpoint firewall.

Checkpoint - Block URL#

Blocks URLs using the Checkpoint firewall through custom URL categories.

Checkpoint - Publish&Install configuration#

Publishes the Checkpoint firewall configuration and installs a policy over all the gateways that are available.

Scripts#

CheckpointFWCreateBackup#

Connects to a Checkpoint firewall appliance using SSH and triggers a task to create a configuration backup of the device. The user account that accesses the device must be set up to use the SSH shell and not the built-in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to set up the user account to use the SSH shell.

CheckpointFWBackupStatus#

Connects to a Checkpoint firewall appliance using SSH and retrieves the status of the backup tasks. The user account that accesses the device must be set up to use the SSH shell and not the built-in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to set up the user account to use the SSH shell.

CheckPointDownloadBackup#

Downloads the CheckPoint policy backup to the Cortex XSOAR War Room.


Chronicle Pack v1.1.2 (Partner Supported)#

Pack has been certified.


Code42 Pack v2.0.5 (Partner Supported)#

Pack has been certified.


Cofense Triage Pack v1.1.6 (Partner Supported)#

Integrations#

Cofense Triage v2#
  • Added the cofense-search-inbox-reports command.
  • Added the mailbox_location parameter to control the source of the periodic incident poll.
  • Expanded the cofense-search-reports command to support specifying a reporter by its email address. The cofense-search-inbox-reports command already supports this.
  • Updated the Docker image to: 1.0.0.12337.

Common Playbooks Pack v1.8.2#

Playbooks#

New: Field Polling - Generic#

This playbook polls a field to check if a specific value exists.


Common Scripts Pack v1.2.54#

Scripts#

FindSimilarIncidents#

Fixed an issue where the script failed to find incidents by numeric field values.

New: CheckFieldValue#

This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the GenericPolling playbook to poll whether the field is populated or that the field contains a specific value.

SetByIncidentId#

Updated the script to execute using the DBot role.

jmespath#
  • Fixed an issue where the JMESpath transformer did not handle list data as expected.
  • Updated the Docker image to: demisto/jmespath:1.0.0.10854.

New: URLEncode#

Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.

SearchIncidentsV2#
  • Improved the description of the size argument.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Common Widgets Pack v1.0.4#

Scripts#

GetLargestInvestigations#
  • Fixed an issue where the script would fail if no investigations were found.
  • Updated the Docker image to: 3.8.5.11789.
  • Fixed an issue where the results were not sorted properly.
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.
  • Changed the default result format to Markdown.
  • Added handling for Playground investigation.
  • Added the table_result argument, which returns a result in either Markdown or in a format suitable for a table widget. By default, the result is in Markdown.

GetLargestInputsAndOuputsInIncidents#
  • Fixed an issue where the script would fail if no inputs or outputs were found.
  • Updated the Docker image to: 3.8.5.11789.
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.
  • Changed the table header TaskID to a hyperlink to the task.
  • Changed the default result format to Markdown.

Widgets#

Largest Investigations#

Fixed an issue where the widget did not pull information from the correct script.

Largest Inputs And Outputs In Incidents#
  • Documentation and metadata improvements.
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.
  • Changed the table header TaskID to a hyperlink to the task.

Largest Incidents by Storage Size#
  • Removed the MB suffix from the values of the Size column.
  • Changed the table header name Size to Size(MB).
  • Changed the table header IncidentID to a hyperlink to the incident.

Cortex Data Lake Pack v1.2.5#

Integrations#

Cortex Data Lake#

Maintenance and stability enhancements.


CrowdStrike Falcon Pack v1.2.5#

Classifiers#

Added 2 new classifiers:

  • CrowdStrike Falcon Classifier - CrowdStrike Falcon Incident Classifier
  • CrowdStrike Falcon Mapper - CrowdStrike Falcon Mapper for incidents and detections.

Incident Fields#

Added 3 new incident fields:

  • Behaviour Tactic
  • Behaviour Scenario
  • Behaviour Objective

Integrations#

CrowdStrike Falcon#
  • Added the cs-device-ran-on command, which gets a list of device IDs on which an indicator ran.
  • Updated the Docker image to: 3.8.5.11789.
  • Added 2 new commands:
    • cs-falcon-list-incident-summaries
    • cs-falcon-list-detection-summaries
  • Added the ability to fetch incidents, detections, or both.
  • Fixed an issue where the Choose what to fetch integration parameter was used to fetch only detections.
  • Added the following IOC API commands:
    • cs-falcon-search-iocs
    • cs-falcon-get-ioc
    • cs-falcon-upload-ioc
    • cs-falcon-update-ioc
    • cs-falcon-delete-ioc
    • cs-falcon-device-count-ioc
    • cs-falcon-processes-ran-on
    • cs-falcon-process-details
  • Deprecated the cs-device-ran-on command. Use the cs-falcon-device-ran-on command instead.
  • Updated the Docker image to the latest version.

CrowdStrike Falcon Intel Pack v2.0.1#

Integrations#

CrowdStrike Falcon Intel v2#
  • Improved the credentials display name.
  • Updated the Docker image to: 3.8.6.12176.

Cymulate Pack v1.0.6 (Partner Supported)#

Integrations#

Cymulate#

Documentation and metadata improvements.


DUO Admin Pack v2.0.3#

Integrations#

DUO Admin#

Maintenance and stability enhancements.


Expanse Pack v1.1.2 (Partner Supported)#

Pack has been certified.


FalconHost Pack v1.1.3#

Integrations#

FalconHost (Deprecated)#

Deprecated the FalconHost integration. Use the CrowdStrike Falcon integration instead.


FireEye HX Pack v1.0.5#

Integrations#

FireEye HX#
  • Maintenance and stability enhancements.
  • Fixed an issue where the fireeye-hx-host-containment command failed when using an API version higher than v3.

Genians Pack v1.0.1 (Partner Supported)#

Integrations#

Genians#

Documentation and metadata improvements.


IBM QRadar Pack v1.1.2#

Integrations#

IBM QRadar v2#
  • Added the get-mapping-fields command and schema.
  • Updated the Docker image to the latest version.
  • Added the qradar-get-custom-properties command.
  • Simplified the way asset properties are displayed in fetched incidents. This may adversely affect existing asset mapping.
  • Fixed an issue where the time occurred field for fetched incidents would store a timestamp value instead of an ISO formatted time string.

IBM X-Force Exchange Pack v1.0.3#

Integrations#

IBM X-Force Exchange (Deprecated)#
  • Moved the deprecated XFE integration to this pack.
  • Removed the IBM X-Force Exchange pack.
  • Updated the fromVersion value.

Illusive Networks Pack v1.0.5 (Partner Supported)#

Pack has been certified.


Indeni Pack v1.0.6 (Partner Supported)#

Integrations#

Indeni#

Documentation and metadata improvements.


Luminate Pack v1.0.1#

Integrations#

Luminate#

Documentation and metadata improvements.


Malwarebytes Pack v1.1.0 (Partner Supported)#

Integrations#

Malwarebytes#
  • Fixed an issue so that events show up in the classification mapping.
  • Updated the Docker image to: 1.0.0.11697.

McAfee ESM Pack v1.1.1#

Integrations#

McAfee ESM v2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.5.11789.

McAfee ESM v10 and v11 Pack v1.0.5#

Integrations#

McAfee ESM v10 and v11 (Deprecated)#

Maintenance and stability enhancements.


Microsoft Defender Advanced Threat Protection Pack v1.2.2#

Integrations#

Microsoft Defender Advanced Threat Protection#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/crypto:1.0.0.11650.

Microsoft Graph Mail Pack v1.0.8#

Integrations#

Microsoft Graph Mail#

Modified the integration to fetch email messages by received date.


Microsoft Graph Mail Single User Pack v1.0.7#

Integrations#

Microsoft Graph Mail Single User#
  • Modified the integration to fetch email messages by received date.
  • Updated the integration Docker image to: demisto/crypto:1.0.0.11650.

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.1#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#

Maintenance and stability enhancements.


MicrosoftCloudAppSecurity Pack v1.0.5#

Integrations#

Microsoft Cloud App Security#
  • Fixed an issue in fetch incidents, where the order of the incidents was incorrect.
  • Updated the Docker image to: 3.8.5.11789.
  • Fixed an issue where the Incident severity and Incident resolution status integration parameters were used to filter out fetch incidents.

Minerva Labs Anti-Evasion Platform Pack v1.0.1 (Partner Supported)#

Integrations#

MinervaLabsAntiEvasionPlatform#

Documentation and metadata improvements.


OpenPhish Pack v2.0.0#

Integrations#

New: OpenPhish v2#

Added the OpenPhish V2 integration to provide enrichment for URLs.

OpenPhish (Deprecated)#

This integration is deprecated. Use the OpenPhish v2 integration instead.


PAN-OS Pack v1.6.3#

Integrations#

Palo Alto Networks PAN-OS#
  • Fixed an issue where the panorama command failed when using the export type.
  • Updated the Docker image to: demisto/python3:3.8.5.11789.
  • Added the deviceName and sessionID arguments to the panorama-get-pcap command.
  • Added the edl_type, location, and vsys arguments to the panorama-refresh-edl command, which allows refreshing of an EDL object that resides on Panorama.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.1#

Classifiers#

Cortex XDR - Incoming Mapper#

Added support for severity mapping from Cortex XDR incidents to Cortex XSOAR incidents.

Cortex XDR - Outgoing Mapper#

Added an outgoing mapper from XSOAR incidents to XDR incidents.

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Added support for incident mirroring between Cortex XDR and Cortex XSOAR. Available from version 6.0.0.
  • Added the Sync Incident Owners integration parameter that synchronizes the owners between XSOAR and XDR incidents. Note that this feature will only work when the users are registered both in XDR and XSOAR.
  • Added the Fetch incident alerts and artifacts integration parameter to get extra incident data when fetching XDR incidents.
  • Fixed an issue where incidents were not fetched in cases where some incident fields were not entered.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Layouts#

Cortex XDR Incident

Playbooks#

Cortex XDR Incident Sync#
  • Updated the playbook description.
  • Do not use this playbook as a default playbook when using the newly added mirroring feature in Cortex XSOAR version 6.0.0. For more information, see the XDR Incident Mirroring section in the integration documentation.

Cortex XDR incident handling v3#

Improved implementation of the Cortex XDR incident handling v2 playbook to work with incident mirroring between Cortex XDR and Cortex XSOAR.

Scripts#

XDRSyncScript#

Deprecated from version 6.0.0. Use the mirroring feature instead.


PassiveTotal Pack v2.0.3 (Partner Supported)#

Integrations#

PassiveTotal#

Documentation and metadata improvements.


PolySwarm Pack v1.0.2 (Partner Supported)#

Integrations#

PolySwarm#
  • Maintenance and stability enhancements.
  • Documentation and metadata improvements.

RSA Archer Pack v1.1.1#

Integrations#

RSA Archer (Deprecated)#

Deprecated. Use the RSA Archer v2 integration instead.


RecordedFuture v2 Pack v1.0.1 (Partner Supported)#

Pack has been certified.


RiskIQ Digital Footprint Pack v1.0.3 (Partner Supported)#

Integrations#

get_asset_ip_address_hr.md#

Maintenance and stability enhancements.

RiskIQ Digital Footprint#

Maintenance and stability enhancements.

RiskIQDigitalFootprint#

Documentation and metadata improvements.


RiskSense Pack v1.0.3 (Partner Supported)#

Integrations#

RiskSense#

Documentation and metadata improvements.


SMIME Messaging Pack v1.0.1#

Integrations#

SMIME Messaging#

Added support for .p7m format files.


SNDBOX Pack v1.0.1#

Integrations#

SNDBOX#

Fixed an issue where printed errors would not include the verbose reason.


SafeBreach - Breach and Attack Simulation platform Pack v1.1.1 (Partner Supported)#

Integrations#

SafeBreach v2#

Updated the total simulation count to exclude internal failure results in the safebreach-get-test-status command.


Security Intelligence Services Feed Pack v1.0.2 (Partner Supported)#

Integrations#

SecurityIntelligenceServicesFeed#

Documentation and metadata improvements.


Sepio Pack v1.0.1 (Partner Supported)#

Integrations#

Sepio#

Documentation and metadata improvements.


ServiceNow Pack v1.3.6#

Integrations#

ServiceNow v2#
  • Fixed an issue where an empty username or password in the instance configuration resulted in an unclear error.
  • Updated the Docker image.

Playbooks#

  • ServiceNow Ticket State Polling
    Added a new playbook for polling the state of a ServiceNow Ticket.
  • Mirror ServiceNow Ticket
    Added a new playbook to mirror a ticket from ServiceNow.
  • Create ServiceNow Ticket
    Added a wrapper playbook for creating a new ticket with state polling or mirror as sync.

Incident Types#

Added a new incident type with the new layout.

  • ServiceNow Create Ticket and Mirror

Incident Fields#

Added new incident fields. ServiceNow incident fields are now associated with all incident types to support mirroring.

  • ServiceNow Closed By
  • ServiceNow Resolution Code
  • ServiceNow Caller ID
  • ServiceNow Urgency
  • ServiceNow Category
  • ServiceNow Caller
  • ServiceNow Assignment Group
  • ServiceNow Assigned To
  • ServiceNow State
  • ServiceNow Severity
  • ServiceNow Resolved Time
  • ServiceNow Resolution Notes
  • ServiceNow Priority
  • ServiceNow Opened Date
  • ServiceNow Notify
  • ServiceNow Impact
  • ServiceNow Escalation
  • ServiceNow Due Date
  • ServiceNow Description
  • ServiceNow Closed Date
  • ServiceNow Ticket Number

Layouts#

  • ServiceNow Create Ticket and Mirror
    Added a new layout for the Mirror playbook.
  • ServiceNow Ticket
    Updated the ServiceNow Ticket layout to support the ticket state widget.

Classifiers#

Added new mappers for incoming and outgoing mirroring to support the Mirror playbook.

  • ServiceNow Create Ticket - Outgoing Mapper
  • ServiceNow Create Ticket - Incoming Mapper

Scripts#

Added a script to populate the ServiceNow Ticket State.

  • ServiceNowIncidentStatus

Silverfort Pack v1.0.3 (Partner Supported)#

Integrations#

Silverfort#

Documentation and metadata improvements.


Sixgill Darkfeed - Core Edition Pack v1.2.0 (Partner Supported)#

Integrations#

Sixgill DarkFeed Threat Intelligence#

New Sixgill logo.

Playbooks#

Darkfeed Threat hunting-research#

The playbook now uses the new SixgillSearchIndicators script.

Scripts#

New: SixgillSearchIndicators#

Searches for indicators.

SearchIndicators#

Deprecated. Use the SixgillSearchIndicators script instead.


Slack Pack v1.3.6#

Integrations#

Slack v2#

Updated the Docker image to: demisto/slack:1.0.0.11588 due to a hotfix in python-slackclient.


SlashNext Phishing Incident Response Pack v1.1.0 (Partner Supported)#

Integrations#

SlashNext Phishing Incident Response#

Added the Extend context option for the slashnext-api-quota command.


SplunkPy Pack v1.2.4#

Integrations#

SplunkPy#
  • Added optional functionality to the fields parameter in the splunk-submit-event-hec command.
  • Added usage of handle_proxy() for all requests.
  • Updated the Docker image to: demisto/splunksdk:1.0.0.11989.
  • Added support for the Select Schema feature of XSOAR 6.0 by providing the get-mapping-fields command.

SumoLogic Pack v1.0.2#

Integrations#

SumoLogic#

Fixed an issue where the fetch-incident command did not retrieve all the events.


TAXII Feed Pack v1.0.5#

Integrations#

TAXII Feed#

Maintenance and stability enhancements.


ThreatQ Pack v1.0.7 (Partner Supported)#

Integrations#

ThreatQ v2#
  • Fixed an issue where the domain argument validation in the domain command did not work as expected.
  • Updated the Docker image to: demisto/python3:3.8.5.11789.

Tufin Pack v1.2.0 (Partner Supported)#

Pack has been certified.


Twilio Pack v1.0.1#

Integrations#

Twilio#

Fixed several typos.


VirusTotal - Private API Pack v1.0.4#

Integrations#

VirusTotal - Private API#

Maintenance and stability enhancements.


WootCloud Pack v1.0.1 (Partner Supported)#

Integrations#

WootCloud#

Documentation and metadata improvements.


Zscaler Pack v1.0.5#

Integrations#

Zscaler#

Maintenance and stability enhancements.


illuminate Pack v1.0.3 (Partner Supported)#

Integrations#

illuminate#

Documentation and metadata improvements.


urlscan.io Pack v1.0.4#

Integrations#

urlscan.io#

Maintenance and stability enhancements.

