Cortex XSOAR Content Release Notes for version 20.10.1 (159259)

Published on 27 October 2020

New: Cisco Umbrella Cloud Security Pack v1.0.0 (Community Contributed)

Integrations

Cisco Umbrella Cloud Security

Adds domains to the Umbrella block list.


New: Cisco WebEx Feed Pack v1.0.0 (Community Contributed)

Integrations

Cisco WebEx Feed

The WebEx IP Address and Domain website provided by Cisco documents IP addresses and domains used by WebEx. The WebEx Feed integration fetches indicators from the web page from which you can create a list (whitelist, blacklist, EDL, etc.) for your SIEM or firewall service to ingest and apply policy rules.


New: ExportToXLSX Pack v1.0.0

Scripts

ExportToXLSX

Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.


New: Graylog Pack v1.0.0 (Community Contributed)

Integrations

Graylog

Searches for logs and events.


New: Hatching Triage Pack v1.0.0 (Community Contributed)

Integrations

Hatching Triage

Submits large numbers of samples to the Hatching Triage sandbox and retrieves their analysis reports.


New: Majestic Million Feed Pack v1.0.0

Integrations

Majestic Million Feed

Free search and download of the top million websites.


New: Synapse Pack v1.0.0 (Community Contributed)

Integrations

Synapse

A Synapse intelligence analysis platform.


Active Directory Query Pack v1.0.6

Integrations

Active Directory Query v2
  • Fixed an issue where the DN parameter within a query in the search-computer command was incorrect.
  • Updated the Docker image to: demisto/ldap:1.0.0.12410.

Aella Star Light Pack v1.0.1

Integrations

Aella_StarLight

Documentation and metadata improvements.


Alexa Rank Indicator Pack v1.1.0

Integrations

Alexa Rank Indicator

Added the Alexa Benign Parameter for Good Domains.


AlienVault Feed Pack v1.0.6

Integrations

AlienVault Reputation Feed

Maintenance and stability enhancements.


Amazon DynamoDB Pack v1.0.2

Integrations

Amazon DynamoDB
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.12514.

Analyst1 Pack v1.0.4 (Partner Supported)

Integrations

illuminate (Deprecated)

Deprecated. Use the Analyst1 integration instead.

Playbooks

Illuminate Integration Demonstration

Deprecated. Use the Analyst1 Integration Demonstration playbook instead.

Analyst1 Integration Demonstration

Demonstrates the various Analyst1 enrichment commands.


ApiModules Pack v1.1.5

Scripts

CSVFeedApiModule
  • Maintenance and stability enhancements.
  • Added the limit and value_field parameters for fetch indicators.
  • Updated the Docker image to: jmespath:1.0.0.12410.

Atlassian Jira Pack v1.2.0

Classifiers

New: classifier-mapper-incoming-JiraV2

Jira V2 mirror-in classifier.

Integrations

Atlassian Jira v2
  • Fixed an issue in the jira-create-issue command where the arguments projectKey and issueTypeId were not specified as mandatory.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.12447.
  • Added mirror-in support (from Cortex XSOAR version 6.0.0). Mirror-in incidents (Issues/Tickets) come from the remote server (Jira).

AutoFocus Pack v1.1.6

Integrations

Palo Alto AutoFocus (Deprecated)

Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead.

Palo Alto Networks AutoFocus v2

Maintenance and stability enhancements.


Bambenek Consulting Feed Pack v1.0.4

Integrations

Bambenek Consulting Feed

Maintenance and stability enhancements.


Base Pack v1.3.20

Scripts

DBotPreProcessTextData

Updated the script to Python 3.

CommonServerPython
  • Added the following classes, which are used in IAM integrations:
    • IAMUserProfile
    • IAMVendorActionResult
    • IAMErrors
  • Modified the set_integration_context function to be agnostic to the version argument type.

GetMLModelEvaluation

Updated the script to Python 3.


Bastille Networks Pack v1.0.1 (Partner Supported)

Integrations

Bastille Networks
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

BitDam Pack v1.0.1 (Partner Supported)

Integrations

BitDam

Documentation and metadata improvements.


CSV Feed Pack v1.0.5

Integrations

CSV Feed

Maintenance and stability enhancements.


Carbon Black Enterprise Response Pack v1.1.1

Playbooks

Block Endpoint - Carbon Black Response

Added playbook outputs.


CaseManagement-Generic Pack v1.1.0

Dashboards

Incidents Overview

Added the Active Incidents by Source widget.

Layouts

Reports

New: Case Report

Investigation Summary Report from the Case Management pack.

Scripts

TimersOnOwnerChange

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

LinkIncidentsButton

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

GenerateSummaryReportButton

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

AssignToMeButton

Updated the automation to use the latest python3 Docker image (3.8.6.12176).

Widgets

New: My Mean Time to Remediation (Remediation SLA)

The mean time (average time) to remediation across all incidents where the remediation SLA timer completed and where the owner is the current user. The widget takes into account incidents from the last 30 days by default.

New: Mean Time to Remediation (Remediation SLA)

The mean time (average time) to remediation across all incidents where the remediation SLA timer completed. The widget takes into account incidents from the last 30 days by default.

New: Mean Time to Assignment (Time to Assignment)

The mean time (average time) to assignment across all incidents where the time to assignment SLA timer completed. The widget takes into account incidents from the last 30 days by default.

New: Participating Incidents

Displays a table of the active incidents where the current user is not the owner but is an investigation team member.

New: Participating Incidents Count

Displays a count of the active incidents where the current user is not the owner but is an investigation team member.

New: My Incidents by Type

Displays the incidents assigned to the current user, by type.


Check Point Firewall Pack v2.0.2

Integrations

Check Point Firewall (Deprecated)

Deprecated. Use the Check Point Firewall v2 integration instead.

Check Point Firewall v2
  • Updated the integration display name.
  • Documentation improvements.

Cisco Threat Grid Pack v1.1.1

Integrations

Cisco Threat Grid

Fixed an issue where analysis files with no domains caused an error.


Claroty Pack v1.0.6 (Partner Supported)

Integrations

Claroty

Documentation and metadata improvements.


Code42 Pack v2.0.6 (Partner Supported)

Integrations

Code42

Updated the Docker image to: 1.0.0.12174.


Common Playbooks Pack v1.8.5

Playbooks

Isolate Endpoint - Generic
  • Fixed issues regarding sub-playbook inputs.
  • Added playbook outputs indicating the isolation state.

Email Address Enrichment - Generic v2.1

Fixed an issue where emails were not checked for domain-squatting due to the WhereFieldEquals transformer not working as expected.


Common Scripts Pack v1.2.65

Scripts

FindSimilarIncidents

Fixed an issue where the script did not handle special characters.

SetIfEmpty

Maintenance and stability enhancements.

New: IsInternalDomainName

This script accepts multiple values for the domain_to_check and domains_to_compare arguments and iterates through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
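The check described above, as an added example that is not the IsInternalDomainName script's own code. It shows why the comparison has to be done label by label rather than as a plain string suffix: a suffix match would wrongly treat a look-alike such as evilpaloaltonetworks.com as part of paloaltonetworks.com, which matters when the result feeds a phishing or domain-squatting verdict. The input normalisation (comma-separated strings or lists, case, trailing dots) and the output field names DomainToTest, DomainToCompare and IsInternal are assumptions of this example, not the script's documented contract.

```python
"""Added example (not the IsInternalDomainName script itself): label-aware check of
whether each tested domain sits inside one of the given main domains."""
from typing import Dict, List, Optional, Sequence, Union


def _to_list(value: Union[str, Sequence[str]]) -> List[str]:
    # XSOAR arguments may arrive as a comma-separated string or as a list (assumption);
    # normalise both into clean, lowercase names without trailing dots or whitespace.
    items = value.split(",") if isinstance(value, str) else list(value)
    return [item.strip().lower().rstrip(".") for item in items if item and item.strip()]


def is_subdomain_of(candidate: str, main_domain: str) -> bool:
    """True if candidate equals main_domain or is a label-wise subdomain of it.

    Comparing whole labels (not string suffixes) is what keeps
    'evilpaloaltonetworks.com' from matching 'paloaltonetworks.com'.
    """
    cand_labels = candidate.split(".")
    main_labels = main_domain.split(".")
    if len(cand_labels) < len(main_labels):
        return False
    return cand_labels[-len(main_labels):] == main_labels


def check_internal_domains(
    domain_to_check: Union[str, Sequence[str]],
    domains_to_compare: Union[str, Sequence[str]],
) -> List[Dict[str, Optional[object]]]:
    """One result entry per tested domain, mirroring the script's per-domain verdict.

    DomainToCompare holds the first main domain that matched, or None when none did.
    The field names are hypothetical and chosen for this example.
    """
    mains = _to_list(domains_to_compare)
    results: List[Dict[str, Optional[object]]] = []
    for candidate in _to_list(domain_to_check):
        matched = next((m for m in mains if is_subdomain_of(candidate, m)), None)
        results.append({
            "DomainToTest": candidate,
            "DomainToCompare": matched,
            "IsInternal": matched is not None,
        })
    return results


if __name__ == "__main__":
    # Constructed sample input mirroring the release note's example, plus a look-alike.
    for row in check_internal_domains(
        "apps.paloaltonetworks.com,apps.paloaltonetworks.bla,evilpaloaltonetworks.com",
        ["paloaltonetworks.com", "demisto.com"],
    ):
        print(row)
```

Running the block prints three rows: the first is internal (matched against paloaltonetworks.com), the second is not because its top-level label differs, and the look-alike is not because its second-level label is a different string even though it ends with the same characters.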

New: UnEscapeIndicatorIPv6

Extracts IPv6 addresses that are enclosed by special characters.

SetGridField
  • Fixed an issue where the script set values in incorrect fields.
  • Updated the Docker image to: demisto/pandas:1.0.0.12410.

FailedInstances

Returns an empty list if no failed instances are found.

New: AfterRelativeDate

Added a new filter that checks that the given time occurred after the relative time.

UnEscapeIndicatorIPv6

Fixed an issue where the script did not work as intended.

ParseEmailFiles

Fixed an issue where parsing failed due to incorrect email payload filtering.


Common Types Pack v2.1.1

Indicator Fields

Domain Indicator Fields

Added the following indicator fields:

  • Domain IDN Name
  • Domain Referring Subnets
  • Domain Referring IPs

Indicator Types

IPv6

Upgraded the IPv6 regex to extract the address only when it is surrounded by special characters.


Common Widgets Pack v1.0.5

Scripts

GetLargestInputsAndOuputsInIncidents

Fixed an issue where the wrong automation was called.


Cortex Data Lake Pack v1.2.7

Integrations

Cortex Data Lake
  • Added the Fetch Table integration parameter, which enables you to select the table incidents will be fetched from.
  • Added the firewall.file_data fetch table.
  • Added the Fetch Fields integration parameter, which takes a comma-separated list of fields that will be fetched with every incident. For example, pcap,session_id. Enter "*" for all possible fields.
  • Fixed an issue where the auth token was refreshed before it expired.

CrowdStrike Falcon Streaming Pack v1.0.9

Integrations

CrowdStrike Falcon Streaming v2
  • Modified the integration to store the fetched event offset in the integration cache immediately on event fetch instead of storing it according to a schedule.
  • Updated the Docker image to: demisto/aiohttp:1.0.0.12423.

CyberTotal Pack v1.0.1 (Partner Supported)

Integrations

CyberTotal

Documentation and metadata improvements.


Cybereason Pack v1.0.4

Playbooks

Isolate Endpoint - Cybereason

Added playbook outputs.


Cymulate Pack v1.0.6 (Partner Supported)

Integrations

Cymulate

Documentation and metadata improvements.


Demisto REST API Pack v1.1.2

Integrations

Demisto REST API

Maintenance and stability enhancements.


EWS Pack v1.3.7

Integrations

EWS O365
  • Fixed an issue where the get-items and get-items-as-eml commands failed when the target-mailbox argument was different than the one in the integration parameters.
  • Fixed an issue in the send-mail command where the body argument was not ignored if the htmlBody argument was provided.
  • Updated the Docker image to: demisto/py3ews:1.0.0.12717.

EWS v2
  • Fixed an issue where the integration used the proxy even if the Use system proxy settings integration parameter checkbox was not selected.
  • Maintenance and stability enhancements.
  • Documentation and metadata improvements.

Elasticsearch Pack v1.1.3

Integrations

Elasticsearch v2
  • Fixed an issue where the integration used the proxy even if the Use system proxy settings integration parameter was unchecked.
  • Updated the Docker image to: demisto/elasticsearch:1.0.0.12410.
  • Fixed an issue where the test module did not check the server URL properly.

Expanse Pack v1.1.3 (Partner Supported)

Integrations

Expanse
  • Addressed an issue where the domains command failed in some circumstances.
  • Updated the Docker image from: 3.8.5.10845 to 3.8.6.12176.

ExtraHop Reveal(x) Pack v1.0.4 (Partner Supported)

Playbooks

ExtraHop - Ticket Tracking v2
  • This playbook is no longer deprecated and is now available.
  • Fixed an issue where the script was hidden.

Farsight DNSDB Pack v2.0.1 (Partner Supported)

Integrations

Farsight DNSDB

Added the content pack README.


FeodoTracker Feed Pack v1.0.2

Integrations

Feodo Tracker Hashes Feed (Deprecated)

Deprecated. Feodo Tracker no longer supports this feed.


FireEye Feed Pack v1.0.2

Integrations

FireEye Feed
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Genians Pack v1.0.1 (Partner Supported)

Integrations

Genians

Documentation and metadata improvements.


Gmail Pack v1.0.7

Integrations

Gmail
  • Fixed an issue where scheduled reports were not sent as attachments.
  • Updated the Docker image to: demisto/google-api:1.0.0.11841.

Google Cloud Functions Pack v1.0.1

Integrations

Google Cloud Functions
  • Fixed an issue where not entering the default region and default project ID integration parameters caused an error.
  • Updated the Docker image to: demisto/google-api-py3:1.0.0.12248.

HelloWorld Pack v1.1.11

Integrations

HelloWorld
  • Improved handling of datetime objects.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Scripts

HelloWorldScript
  • Updated to newer code conventions (CommandResults).
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

IBM QRadar Pack v1.1.4

Integrations

IBM QRadar

Updated the API documentation links for the fetch-incidents filter syntax.

IBM QRadar v2
  • Modified the integration to use the set_to_integration_context_with_retries function instead of the set_integration_context function.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

IBM X-Force Exchange Pack v1.0.4

Integrations

IBM X-Force Exchange v2

Maintenance and stability enhancements.


Indeni Pack v1.0.6 (Partner Supported)

Integrations

Indeni

Documentation and metadata improvements.


Integrations & Incidents Health Check Pack v1.1.4

Playbooks

Integrations and Playbooks Health Check - Running Scripts

Fixed an issue with empty lists.

Scripts

CopyLinkedAnalystNotes
  • Fixed an issue where incident grid rows were not sorted by the creation date.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

IncidentsCheck-Widget-NumberofErrors
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IncidentsCheck-Widget-PlaybookNames
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IncidentsCheck-Widget-CreationDate
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

InstancesCheck-FailedCategories
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IncidentsCheck-Widget-CommandsNames
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IncidentsCheck-Widget-IncidentsErrorsInfo
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IncidentsCheck-PlaybooksHealthNames
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IncidentsCheck-PlaybooksFailingCommands
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IntegrationsCheck-Widget-IntegrationsCategory
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

IntegrationsCheck-Widget-IntegrationsErrorsInfo
  • Maintenance and stability enhancements.
  • Updated the Docker image to the latest version.

Lacework Pack v1.0.1 (Community Contributed)

Integrations

Lacework
  • Updated the description of the integration to be more accurate.
  • Changed 'instance' to 'account' across Lacework projects to maintain consistency.
  • Updated the Docker image to: demisto/lacework:1.0.0.12410.

Luminate Pack v1.0.1 (Community Contributed)

Integrations

Luminate

Documentation and metadata improvements.


MITRE ATT&CK Pack v1.1.5

Dashboards

MITRE ATT&CK

Updated the default time range to last 7 days.

Scripts

MITREIndicatorsByOpenIncidents
  • Added support for the to and from time range arguments.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
  • Improved the implementation of the to and from time range arguments.

Microsoft Defender Advanced Threat Protection Pack v1.2.3

Integrations

Microsoft Defender Advanced Threat Protection
  • Improved error handling in the test module.
  • Updated the Docker image to: demisto/crypto:1.0.0.12410.

Microsoft Graph Device Management Pack v1.0.2

Integrations

Microsoft Graph Device Management (Microsoft Intune)
  • General documentation improvements.
  • Updated the Docker image to: demisto/crypto:1.0.0.12410.

Microsoft Graph User Pack v1.3.3

Integrations

Microsoft Graph User
  • Added the msgraph-user-get-manager command, which retrieves the properties of the specified user's manager.
  • Added the msgraph-user-assign-manager command, which assigns a manager to the specified user.

Microsoft Teams Pack v1.0.4

Integrations

Microsoft Teams
  • Fixed an issue where the to argument was missing in the send-notification command.
  • Updated the Docker image to: demisto/teams:1.0.0.12455.

Minerva Labs Anti-Evasion Platform Pack v1.0.1 (Partner Supported)

Integrations

MinervaLabsAntiEvasionPlatform

Documentation and metadata improvements.


PCAP Analysis Pack v2.3.6

Playbooks

PCAP Parsing And Indicator Enrichment

Updated the order of the incident fields.

PCAP Search

Updated the order of the incident fields.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.5

Classifiers

Cortex XDR - Incoming Mapper

Fixed an issue where labels were populated.

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response
  • Fixed an issue where incidents were not fetched in cases where some incident fields were not entered.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
  • Fixed an issue where the outgoing mirror failed to close an incident with the Other status.

Cortex XDR - IOC
  • Fixed an issue where severity was listed as med instead of medium.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Playbooks

Cortex XDR - Isolate Endpoint

Added playbook outputs.


PassiveTotal Pack v2.0.4 (Partner Supported)

Integrations

PassiveTotal

Documentation and metadata improvements.


PhishTank Pack v2.0.0

Integrations

New: PhishTank V2

Added the PhishTank V2 integration. Previous functionality was maintained.

PhishTank (Deprecated)

Deprecated. Use the PhishTank v2 integration instead.


Phishing Pack v1.10.5

Scripts

PhishingDedupPreprocessingRule
  • Updated the de-duplication logic to close a duplicate incident and link it to the oldest duplicate incident.
  • Added support for a custom type field.

PolySwarm Pack v1.0.2 (Partner Supported)

Integrations

PolySwarm

Documentation and metadata improvements.


Polygon Pack v1.0.1 (Partner Supported)

Integrations

Polygon

Documentation and metadata improvements.


Proofpoint Threat Response (Beta) Pack v1.0.2

Integrations

Proofpoint Threat Response (Beta)

Fixed an issue where the proofpoint-tr-update-incident-comment command was not implemented correctly.


Rapid7 Nexpose Pack v1.0.2

Integrations

Rapid7 Nexpose

Fixed an issue where the integration used the proxy even if the Use system proxy settings integration parameter was unchecked.


Recorded Future Feed Pack v1.0.5

Integrations

Recorded Future RiskList Feed
  • Fixed an issue where duplicate indicators were created in Cortex XSOAR.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

RiskIQ Digital Footprint Pack v1.0.3 (Partner Supported)

Integrations

RiskIQDigitalFootprint

Documentation and metadata improvements.


RiskSense Pack v1.0.3 (Partner Supported)

Integrations

RiskSense

Documentation and metadata improvements.


SCADAfence CNM Pack v1.0.2 (Partner Supported)

Integrations

SCADAFence_CNM

Documentation and metadata improvements.


Security Intelligence Services Feed Pack v1.0.2 (Partner Supported)

Integrations

SecurityIntelligenceServicesFeed

Documentation and metadata improvements.


SentinelOne Pack v1.0.2

Integrations

SentinelOne v2
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Sepio Pack v1.0.1 (Partner Supported)

Integrations

Sepio

Documentation and metadata improvements.


ServiceNow Pack v1.3.7

Integrations

ServiceNow v2
  • Improved file handling in the get-remote-data command.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Silverfort Pack v1.0.3 (Partner Supported)

Integrations

Silverfort

Documentation and metadata improvements.


Sixgill Darkfeed - Annual Subscription Pack v1.2.1 (Partner Supported)

Integrations

Sixgill_Darkfeed

Documentation and metadata improvements.


Slack Pack v1.3.7

Integrations

Slack v2
  • Fixed an issue where failing to invite users to a mirrored channel would cause the mirroring to fail.
  • Updated the Docker image to: demisto/slack:1.0.0.12410.

Smokescreen IllusionBLACK Pack v1.0.5 (Partner Supported)

Integrations

Smokescreen_IllusionBLACK

Documentation and metadata improvements.


Tanium Threat Response Pack v1.0.2

Integrations

Tanium Threat Response
  • Fixed an issue where the in progress filter for fetch incidents and the tanium-tr-list-alerts command did not work as expected.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Troubleshoot Pack v1.1.0

Scripts

CertificatesTroubleshoot

Added the following certificate details:

  • NotValidAfter
  • NotValidBefore
  • Version
  • IssuerAlternateNames
  • SubjectAlternateNames

Whois Pack v1.1.6

Integrations

Whois
  • Fixed an issue where an error was caused due to dates being mishandled.
  • Updated the Docker image to: demisto/ippysocks:1.0.0.11896.

Zscaler Pack v1.0.6

Integrations

Zscaler
  • Added the following new parameters:
    • Auto Activate Changes - When enabled, the integration activates the Zscaler command changes after each execution. If disabled, the user will have to call the zscaler-activate-changes command to activate Zscaler command changes.
    • Auto Logout - When enabled, the integration will log out after each command execution.
  • Added the following new commands:
    • zscaler-login - Manually create a Zscaler login session. This command will also try to log out of the previous session.
    • zscaler-logout - Log out of the current Zscaler session. To be used when the Auto Logout parameter is disabled.
    • zscaler-activate-changes - Activate the changes executed by other Zscaler commands. To be used when the Auto Activate Changes parameter is disabled.
  • Added array handling for the following commands:
    • ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-category-remove-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-whitelist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-undo-whitelist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-blacklist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • zscaler-undo-blacklist-ip - The comma-separated list of IP addresses will be handled in a single command execution.
    • url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-whitelist-url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-undo-whitelist-url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-blacklist-url - The comma-separated list of URLs will be handled in a single command execution.
    • zscaler-undo-blacklist-url - The comma-separated list of URLs will be handled in a single command execution.

abuse.ch SSL Blacklist Feed Pack v1.0.4

Integrations

abuse.ch SSL Blacklist Feed

Maintenance and stability enhancements.

