Cortex XSOAR Content Release Notes for version 20.11.1 (196572)#

Published on 22 November 2020#

Breaking Changes#

Several packs include breaking changes.

New: Asset Pack v1.0.0#

Base pack with incident fields for any packs requiring asset fields.

Incident Fields#

  • Asset Table - A table view of all assets related to the offense.
  • Description - Asset - The description of the asset.
  • ID - Asset - The ID of the asset.
  • IP Address - Asset - The IP address provided for the asset.
  • Location - Asset - The location of the asset.
  • MAC Address - Asset - The MAC address provided for the asset.
  • Switch ID - Asset - The ID of the switch the asset is connected to.
  • Switch Port ID - Asset - The ID of the switch port the asset is connected to.

New: Cisco ESA IronPort Email API Pack v1.0.0 (Community Contributed)#

Integrations#

Cisco IronPort EMail API#

Searches IronPort email traffic for spam and quarantines relevant emails.


New: CyberX - Central Manager Pack v1.0.0 (Community Contributed)#

Integrations#

CyberX - Central Manager#

Updates alerts in CyberX Central Manager. CyberX's Central Manager enables users and groups to be centrally managed from a single console, with varying permission levels.


New: FortiManager Pack v1.0.0#

Integrations#

FortiManager#

FortiManager is a single console central management system that manages Fortinet devices.

Playbooks#

FortiManager - Install Policy Package on Device#

Installs a FortiManager firewall policy package on a given device.


New: G Suite Admin Pack v1.0.0#

Integrations#

G Suite Admin#

The G Suite (Google Workspace) Admin integration performs administrative tasks on your Google Workspace domain, such as creating users, updating settings, and acting on IT infrastructure.


New: Generic Webhook Pack v1.0.0#

Integrations#

Generic Webhook#

The Generic Webhook integration creates incidents from event triggers. A trigger is any request posted to the integration's endpoint.


New: Google Calendar Pack v1.0.0#

Integrations#

Google Calendar#

Google Calendar is a time-management and scheduling calendar service developed by Google. This integration helps you to perform various tasks on the access control list (ACL).


New: Palo Alto Networks Enterprise DLP Pack v1.0.0#

Integrations#

Palo Alto Networks Enterprise DLP#

Use the Palo Alto Networks Enterprise DLP integration to discover and protect company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.


New: Palo Alto Networks Threat Vault Pack v1.0.0#

Integrations#

Palo Alto Networks Threat Vault#

Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent.

Playbooks#

PANW Threat Vault - Signature Search#

Initiates a Signature Search in the Palo Alto Networks Threat Vault.


New: Rundeck Pack v1.0.0#

Integrations#

Rundeck#

Rundeck is a runbook automation platform for incident management, business continuity, and self-service operations. The integration lets you install software on a list of machines or run a task periodically, for example to push a software update that blocks a new attack.

Playbooks#

Rundeck-job-execute-Generic#

This playbook executes a job and exits when it successfully finishes.


New: Viper Pack v1.0.0 (Community Contributed)#

Integrations#

Viper#

Viper is a binary analysis and management framework. It provides a solution to easily organize your collection of malware and exploit samples as well as the collection of scripts you created or found over time to facilitate your daily research.


AWS - CloudTrail Pack v1.0.4#

Integrations#

AWS - CloudTrail#
  • Fixed an issue where an error was raised if an event was missing some fields in the aws-cloudtrail-lookup-events command.
  • Updated the Docker image to: demisto/boto3:2.0.0.13676.

AlienVault Feed Pack v1.0.7#

Integrations#

AlienVault OTX TAXII Feed#
  • Added the First fetch timestamp parameter to enable incremental fetches.
  • Added the firstseenbysource field to the fetched indicators.
  • Updated the Docker image to: demisto/taxii:1.0.0.12553.

AlienVault USM Anywhere Pack v1.0.2#

Integrations#

AlienVault USM Anywhere#
  • Fixed an issue where the alienvault-search-events command did not return events.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

AlphaSOC Network Behavior Analytics Pack v1.0.1 (Partner Supported)#

Integrations#

AlphaSOC Network Behavior Analytics#

Changed the default value of the Ignore events below severity parameter from 3 to 4.


Anomali ThreatStream Pack v1.0.7#

Integrations#

Anomali ThreatStream v2#

Fixed an issue where the threatstream-get-indicators command did not return more than 1,000 indicators.


ApiModules Pack v2.0.0#

Scripts#

CrowdStrikeApiModule#

You can now use custom URLs using the Server URL integration parameter.

New: GSuiteApiModule#

Common G Suite code that will be appended to each Google/GSuite integration when it is deployed. The GSuiteApiModule contains the authentication methods for the Google integrations along with some helper functions.


Atlassian Jira Pack v1.2.2#

Integrations#

Atlassian Jira v2#
  • Fixed an issue in the jira-create-issue command where the reporter argument referred to the reporter’s name and not the reporter's account ID.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.13073.

AutoFocus Pack v1.1.10#

Integrations#

Palo Alto Networks AutoFocus v2#

Fixed an issue where the autofocus-sample-analysis command failed when data was 'Not Available'.


Azure Feed Pack v1.0.3#

Integrations#

Azure Feed#
  • Added the Azure service in the Indicators field.
  • Updated the Docker image to the latest version.

Base Pack v1.3.40#

Scripts#

CommonServerPython#
  • Removed the log print of the object stored in the integration cache.
  • Added support for the IgnoreAutoExtract argument in the CommandResults object.
  • Added a default value for the url_suffix argument in the BaseClient _http_request method.
  • Maintenance and stability enhancements.

GetIncidentsByQuery#

Added support for wildcards in the incident types argument.

DBotMLFetchData#

Updated support for custom phishing types in the incident fetch query.

DBotTrainTextClassifierV2#

Updated the calculation of the minimum precision to be the minimum score of the precision per-class scores.

DBotPreProcessTextData#

Removed log messages for texts that exceed the maximum allowed text length.

GetMLModelEvaluation#

Merged two result entries to a single entry.

DBotBuildPhishingClassifier#

Now fetches only incidents whose labels are relevant for model training.


Bastille Networks Pack v1.0.2 (Partner Supported)#

Integrations#

Bastille Networks#
  • Updated the Docker image to: demisto/python3:3.8.6.12176.
  • Documentation and metadata improvements.

Bmc Helix Remedyforce Pack v1.0.2#

Integrations#

BMC Helix Remedyforce#
  • Added support for the impact_id argument in the following commands.
    • bmc-remedy-incident-create
    • bmc-remedy-incident-update
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

CVE Search Pack v1.0.3#

Integrations#

CVE Search v2#

Updated the following commands to return a separate entry for each indicator.

  • cve
  • cve-latest

Scripts#

cveReputation#

Fixed an issue where the script returned DBotScore 3 when no CVE was found.


Carbon Black Enterprise Live Response Pack v1.1.0#

Integrations#

VMware Carbon Black EDR (Live Response API)#
  • The cb-file-get command is no longer deprecated and is available for use.
  • Added the download argument to the cb-get-file-from-endpoint command. When "true" (the default), the file is downloaded from the Carbon Black server. Set it to "false" for large files.

Playbooks#

New: Carbon Black Live Response - Download File#

Downloads a file from a sensor.

New: Carbon Black Live Response - Wait Until Command Complete#

Polls the command status until the command completes or the playbook exits with an error.

New: Carbon Black Live Response - Create active session#

Creates an active session. If an active session already exists, the existing session is used.


Chronicle Pack v1.1.3 (Partner Supported)#

Incident Fields#

Added the following incident fields:

  • Chronicle Last Seen
  • Chronicle IOC Ingest Time
  • Chronicle First Seen
  • Chronicle Domain Name
  • Chronicle DBot Score
  • Chronicle Auto Block Entities

Incident Types#

Chronicle IOC Domain Matches

Indicator Fields#

Added the following indicator fields:

  • ChronicleAssetHostname - Hostname associated with the ChronicleAsset
  • ChronicleAssetIP - IP Address associated with the ChronicleAsset
  • ChronicleAssetMAC - MAC Address associated with the ChronicleAsset
  • ChronicleAssetProductID - Product ID associated with ChronicleAsset

Indicator Types#

ChronicleAsset

Integrations#

Chronicle#

Removed a redundant 'else'.

Layouts#

Added the following new layouts:

  • layout-quickView-Chronicle_IOC_Domain_Matches.json
  • layout-mobile-Chronicle_IOC_Domain_Matches.json
  • layout-edit-Chronicle_IOC_Domain_Matches.json

Playbooks#

Threat Hunting - Chronicle#
  • Use this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise.
  • This playbook also creates indicators for the entities fetched while investigating and enriches them.
Investigate On Bad Domain Matches - Chronicle#
  • Use this playbook to investigate and remediate bad IOC domain matches with recent activity found in the enterprise.
  • With this playbook, you can notify the SOC lead and network team about bad IOC domain matches with recent activity found in the enterprise.

Scripts#

ExtractDomainFromIOCDomainMatchRes#

Extracts a domain and its details from the Chronicle IOC Domain match response.

ConvertDomainToURLs#

Converts domain(s) into URL(s).

ChronicleDomainIntelligenceSourcesWidgetScript#

A widget script for layouts that shows the details of the sources in the Chronicle Domain Intelligence Sources section of the incident.

ChronicleDBotScoreWidgetScript#

A widget script for layouts that shows the DBot score and the reputation of the domain.

ChronicleAssetIdentifierScript#

Collects all asset identifiers in the context: hostname, IP address, and MAC address.

ListDeviceEventsScript#

Lists all of the events discovered within your enterprise on a particular device.

ChronicleAsset#

New asset type.


Cisco AMP Pack v1.1.0#

Integrations#

Cisco AMP#
  • Fixed an issue where commands would fail due to a syntax error that occurred while creating their query parameters.
  • Added the following commands.
    • amp_delete_computers_isolation - Request to unlock a computer.
    • amp_put_computers_isolation - Request to lock a computer.
    • amp_get_computers_isolation - Returns the isolation status of a computer.

Cisco Umbrella Investigate Pack v1.0.2#

Integrations#

Cisco Umbrella Investigate#

Fixed an issue where the regex for email address validation in the umbrella-get-domains-for-email-registrar command did not work as intended.


Cisco WebEx Feed Pack v1.1.1#

Integrations#

Cisco WebEx Feed#
  • Removed the duplicate parameter Fetches Indicators from the feed configuration.
  • Updated the Docker image to: btfl-soup:1.0.1.12410.
  • Maintenance and stability enhancements.

Playbooks#

New: Check WebEx Feed#
  • Checks that the WebEx webpage is reachable and does not create an error.
  • Updated the Docker image to: demisto/btfl-soup:1.0.1.12768.

Code42 Pack v2.0.7 (Partner Supported)#

Documentation and metadata improvements.


Common Scripts Pack v1.2.82#

Scripts#

New: OnionURLReputation#

This script adds a reputation to Onion URL indicators. The script is triggered automatically when an Onion URL indicator is auto-extracted. For instance, if you enter a valid Onion URL in the Cortex XSOAR CLI, the indicator is extracted automatically and this script runs on the extracted indicator.

ExtractIndicatorsFromWordFile#

Fixed an issue where the script could not process all of the files.

ExtractDomainAndFQDNFromUrlAndEmail#

Fixed an issue where the script recognized emails as domains.

New: VerifyIPv6Indicator#
  • Formatting script for IPv6 to verify that the address is a valid IPv6 address.
  • Removed the UnEscapeIPv6Indicator formatting script.

SearchIncidentsV2#
  • Fixed an issue where multiple context results were outputted for the same incident ID.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

DockerHardeningCheck#
  • Updated the description with an updated link to the Docker Hardening Guide.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

ParseEmailFiles#

Added support for ISO-8859 text in the smime.p7m file type.

DeleteContext#

Fixed an issue where all of the context data in the current sub-playbook were not deleted when all = yes and subplaybook = yes/auto.


Common Types Pack v2.2.4#

Incident Fields#

  • Post Nat Destination IP
  • Src Ports
  • Start Time
  • Source IPs
  • Raw Event
  • Destination IPs
  • High Level Categories
  • Post Nat Source Port
  • Closing User
  • Pre Nat Destination Port
  • Close Time
  • Post Nat Destination Port
  • DNS Name
  • Dst Ports
  • Technical Owner
  • Traffic Direction
  • Post Nat Source IP
  • Pre Nat Source IP
  • Device Time
  • Usernames
  • Source IPV6
  • Source MAC Address
  • Destination Geolocation
  • Source Geolocation
  • Destination IPV6
  • Pre Nat Source Port
  • Technical User
  • Technical Owner Contact
  • Event Names
  • Destination MAC Address
  • Closing Reason
  • Low Level Categories Events
  • CVSS Collateral Damage Potential
  • Number Of Log Sources
  • Last Update Time
  • CVSS Integrity Requirement
  • CVSS Availability Requirement
  • Events
  • Log Source Type
  • Protocol - Event
  • Compliance Notes
  • Category Count
  • List Of Rules - Event
  • Log Source Name
  • CVSS Confidentiality Requirement
  • Follow Up
  • Event Descriptions

Indicator Types#

IPv6 - Changed the regex so that only IPv6 addresses written in the common colon-hexadecimal notation are extracted.
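The two IPv6 items in this release (the narrowed indicator-type regex here, and the VerifyIPv6Indicator formatting script in the Common Scripts pack) are two halves of one pattern: a deliberately simple regex finds candidates, and a validation step decides which candidates become indicators. The script below is an added example that models that pattern with the Python standard library; it is not the pack's regex or script, and the function names, candidate pattern and sample log line are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Iterator, List, Optional

# Candidate pattern (an assumption for this example, not the pack's regex):
# a run of hex digits, colons and dots that is not glued to other letters or
# digits. It deliberately over-matches (MAC addresses, timestamps, port
# suffixes) so that validation, not the regex, decides what is an IPv6 address.
_CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z:.])[0-9A-Fa-f:.]{2,45}(?![0-9A-Za-z:.])"
)


def verify_ipv6(value: str) -> Optional[str]:
    """Return the compressed, lower-case form of a valid IPv6 address, else None.

    This is what a formatting script should do before an indicator is created:
    reject anything ipaddress refuses (wrong group count, bad hex, repeated
    '::') and normalise case, leading zeros and '::' so that one host yields
    one indicator value.
    """
    candidate = value.strip()
    # Drop an RFC 4007 zone index ("%eth0"): it names a local interface, not
    # the host, and would otherwise produce a distinct indicator.
    candidate = candidate.split("%", 1)[0]
    try:
        return str(ipaddress.IPv6Address(candidate))
    except ValueError:  # AddressValueError is a subclass of ValueError
        return None


def _candidates(raw: str) -> Iterator[str]:
    """Yield the raw match, then variants with trailing punctuation removed."""
    yield raw
    stripped = raw.rstrip(".")          # sentence-final "2001:db8::1."
    yield stripped
    if stripped.endswith(":") and not stripped.endswith("::"):
        yield stripped[:-1]             # clause-final "2001:db8::1:"


def extract_ipv6(text: str) -> List[str]:
    """Extract validated, de-duplicated IPv6 addresses from free text, in order."""
    found: List[str] = []
    for match in _CANDIDATE.finditer(text):
        raw = match.group(0)
        if raw.count(":") < 2:
            continue  # "443", "10.0.0.1:443" or "12:34" cannot be IPv6
        for candidate in _candidates(raw):
            addr = verify_ipv6(candidate)
            if addr is not None:
                if addr not in found:
                    found.append(addr)
                break
    return found


# Constructed sample log line for the example; not real traffic.
SAMPLE_LOG = (
    "Nov 22 10:30:00 fw1 accept src=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "dst=[2001:DB8::2]:443 mac=00:11:22:33:44:55 via fe80::1%eth0; "
    "peer was 2001:db8::1. Also ::ffff:192.0.2.1 and std::string"
)

if __name__ == "__main__":
    for addr in extract_ipv6(SAMPLE_LOG):
        print(addr)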


ConcentricAI Pack v1.0.1 (Partner Supported)#

Documentation and metadata improvements.


Coralogix Pack v1.0.2 (Partner Supported)#

Documentation and metadata improvements.


Cortex Data Lake Pack v1.2.8#

Integrations#

Cortex Data Lake#
  • Fixed an issue where fetch-incidents created duplicate incidents.
  • Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.13088.

CrowdStrike Falcon Pack v1.2.8#

Integrations#

CrowdStrike Falcon#
  • Fixed an issue where the test module failed on authentication.
  • Added support for running the cs-falcon-run-script command with a configurable timeout (in seconds), including a session refresh every 5 minutes.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

CrowdStrike Falcon Intel Pack v2.0.8#

Integrations#

CrowdStrike Falcon Intel v2#

You can now use custom URLs using the Server URL integration parameter.


CrowdStrike Falcon Sandbox Pack v1.0.2#

Integrations#

CrowdStrike Falcon Sandbox#
  • Fixed an issue where the crowdstrike-result command did not work in case the file argument was not provided.
  • Updated the report data download endpoint as the previous one was deprecated.

CrowdStrike Falcon Streaming Pack v1.0.12#

Integrations#

CrowdStrike Falcon Streaming v2#
  • Fixed an issue in which the request to refresh the stream session was not sent properly.
  • General documentation improvements.

CrowdStrike Malquery Pack v1.0.1#

Integrations#

CrowdStrike Malquery#

Breaking Change: The file command was changed to return multiple entries (entry per indicator) instead of a single entry.


Crowdstrike Falcon Intel Feed Pack v1.0.3#

Integrations#

Crowdstrike Falcon Intel Feed#

Fixed a visual issue in the instance configuration.


Cuckoo Sandbox Pack v1.0.1#

Integrations#

Cuckoo Sandbox#

Updated the get-task-report command to include file information in context.


CyberTotal Pack v1.0.3 (Partner Supported)#

Documentation and metadata improvements.


Cybereason Pack v1.0.5#

Integrations#

Cybereason#

Improved handling of authorization errors.


DomainTools Iris Pack v1.0.4 (Partner Supported)#

Integrations#

DomainTools Iris#
  • Added the API URL configuration parameter.
  • Updated the Docker image to: demisto/python3:3.8.6.12176.

EWS Pack v1.4.2#

Integrations#

EWS v2#
  • Added the show_only_recipients argument to the ews-o365-get-compliance-search command, which will return recipients to context.
  • Added an error message when trying to pull incidents with an incorrect exchange version.

EWS Mail Sender Pack v1.1.0#

Integrations#

EWS Mail Sender#
  • Added the reply-mail command which sends an email reply to a given message using EWS.
  • Updated the Docker image to: demisto/py2-exchangelib:1.0.0.13559.

Email Communication Pack v1.3.1#

Classifiers#

New: Gmail - Classifier - Email Communication#

Classifies Gmail email messages.

New: Gmail - Incoming Mapper - Email Communication#

Maps incoming Gmail email message fields.

New: EWS - Incoming Mapper - Email Communication#

Maps incoming EWS email message fields.

New: EWS - Classifier - Email Communication#

Classifies EWS email messages.

New: EWS v2#

Maps incoming EWS email message fields.

Layouts#

Email Communication - Changed the original email details section to support email inline images.

Scripts#

New: DisplayEmailHtml#

Displays the original email in HTML format.

DisplayEmailHtml#

Maintenance and stability enhancements.

PreprocessEmail#
  • You can now view inline images and attachments for email communication incidents.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

SendEmailReply#
  • Updated the script to reply to a given email message instead of sending a new message.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

ExtFilter Pack v1.1.0#

Playbooks#

Modified: Test - ExtFilter Main#

Added examples for ExtFilter script additions.

Scripts#

Modified: ExtFilter#

Added the following operators.

  • switch-case
  • collects values
  • collects keys
  • flattens with values
  • flattens with keys

F5 Firewall Pack v1.2.0#

Integrations#

New: F5 Application Security Manager (WAF)#

Use the F5 ASM integration to read information and to manage the F5 firewall.


Farsight DNSDB Pack v2.1.1 (Partner Supported)#

Documentation and metadata improvements.


Gmail Pack v1.1.2#

Integrations#

Gmail#
  • Fixed an issue where the test-module did not run properly with fetch incidents.
  • Added the reply-mail command which sends an email reply to a given message using Gmail.
  • Fixed the following issues in the send-mail command:
    • The additionalHeader argument was added to the request only if attachments were received.
    • Attachments were not attached correctly when both the htmlBody and body arguments were received.
  • Updated the Docker image to: demisto/google-api:1.0.0.13775.

Humio Pack v1.0.2 (Partner Supported)#

Documentation and metadata improvements.


IBM QRadar Pack v1.2.1#

Classifiers#

New: QRadar - Generic Incoming Mapper#

Default mapping for QRadar offenses, events, and assets.

Incident Fields#

  • Offense Inactive
  • Severity - Offense
  • Domain - Offense
  • Destination Network - Offense
  • Description - Offense
  • Type - Offense
  • Credibility - Offense
  • Number Of Fetched Events
  • Number Of Flows
  • List of Rules - Offense
  • Source IP - Offense
  • Source Network - Offense
  • Relevance - Offense
  • Number Of Events In Offense
  • ID - Offense
  • Magnitude - Offense
  • Username Count - Offense
  • Low Level Categories - Offense
  • Status - Offense
  • Destination IP - Offense
  • Link To Offense

Incident Types#

Qradar Generic - New incident type.

Layouts#

New: Qradar Generic - Displays all of the main offenses, events, and assets data.

Playbooks#

In the following playbooks, the task that checks whether the QRadar integration is enabled before running it was changed to match the equivalent task in QRadar v2.

  • QRadar - Get offense correlations v2
  • QRadar Indicator Hunting V2
  • TIM - QRadar Add Bad Hash Indicators
  • TIM - QRadar Add Domain Indicators
  • TIM - QRadar Add IP Indicators
  • TIM - QRadar Add Url Indicators
  • TIM - Access Investigation - QRadar

Scripts#

New: QRadarPrintAssets#

Prints the assets fetched from the offense in table format.

New: QRadarFetchedEventsSum#

Displays the number of fetched events versus the total number of events in the offense.

New: QRadarPrintEvents#

Prints the events fetched from the offense in table format.

New: QRadarMagnitude#

Colors the fields in the table according to the magnitude of the QRadar offense. The scale is:

  • 1-3 green
  • 4-7 yellow
  • 8-10 red

IBM X-Force Exchange Pack v1.0.5#

Integrations#

IBM X-Force Exchange v2#
  • Fixed an issue where non-existing hashes returned an error in the file command.
  • Fixed an issue where submitting multiple hashes in the file command did not return the correct output.

Integrations & Incidents Health Check Pack v1.1.7#

Scripts#

GetFailedTasks#
  • Added support for Cortex XSOAR multi-tenant environment.
  • Added Demisto-REST-API dependencies.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

IronDefense Pack v1.1.3 (Partner Supported)#

Integrations#

IronDefense#

Updated the Docker image to: demisto/python3:3.8.6.13358.


Logz.io Pack v1.1.1 (Partner Supported)#

Documentation and metadata improvements.


McAfee Advanced Threat Defense Pack v1.0.4#

Integrations#

McAfee Advanced Threat Defense#
  • Fixed an issue where setting the submitType argument to '2' or '3' caused a failure in the atd-file-upload command.
  • Fixed an issue where arguments were not handled correctly in the atd-file-upload command.
  • Documentation and metadata improvements.

Playbooks#

New: Detonate Remote File from URL - McAfee ATD#

Added a playbook that detonates a file from a URL using the McAfee Advanced Threat Defense sandbox integration.


Microsoft Cloud App Security Pack v1.0.11#

Integrations#

Microsoft Cloud App Security#
  • Fixed an issue where an error was raised in fetch-incident in case there were no incidents to fetch.
  • Updated the endpoints for the following commands.
    • microsoft-cas-alert-dismiss-bulk
    • microsoft-cas-alert-resolve-bulk
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Microsoft Graph Mail Single User Pack v1.0.10#

Integrations#

Microsoft Graph Mail Single User#

General documentation improvements.


Microsoft Graph Security Pack v2.0.5#

Integrations#

Microsoft Graph Security#
  • Fixed an issue where alerts were not pulled in the fetch incidents flow.
  • Updated the Docker image to: demisto/crypto:1.0.0.12979.

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.3#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#
  • Fixed the spelling of audit.general in the Content types to fetch integration parameter.
  • Updated the Docker image to: demisto/pyjwt3:1.0.0.13142.

Microsoft Teams Pack v1.0.5#

Integrations#

Microsoft Teams#
  • Fixed an issue in which existing users were not found.
  • Updated the Docker image to: demisto/teams:1.0.0.13080.

MongoDB Pack v1.2.0#

Integrations#

MongoDB#
  • Added an option to return only certain fields in the mongodb-query command.
  • Updated the Docker image to: demisto/pymongo:1.0.0.12410.

NTT Cyber Threat Sensor Pack v1.0.1 (Partner Supported)#

Documentation and metadata improvements.


Nozomi Networks Pack v1.0.1#

Documentation and metadata improvements.


PAN-OS Pack v1.6.6#

Integrations#

Palo Alto Networks PAN-OS#
  • Breaking Change: The following commands now return multiple entries (an entry per indicator) instead of a single entry.
    • url
    • panorama-get-url-category
    • panorama-get-url-category-from-cloud
    • panorama-get-url-category-from-host
  • Added the profile-setting argument to the following commands.
    • panorama-create-rule
    • panorama-edit-rule
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

PANW Comprehensive Investigation Pack v1.3.4#

Playbooks#

Palo Alto Networks - Hunting And Threat Detection#

Fixed a bug in the 'is enabled' tasks.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.4.11#

Playbooks#

Cortex XDR - Port Scan#

Fixed the ipRanges input.

Cortex XDR - Port Scan - Adjusted#
  • Fixed the ipRanges input.
  • Deprecated the InternalIPRange input for this playbook. Use the InternalIPRanges input instead.

Palo Alto Networks IoT Pack v1.0.1#

Documentation and metadata improvements.


Palo Alto Networks Threat Vault Pack v1.0.1#

Documentation and metadata improvements.


PassiveTotal Pack v2.0.5 (Partner Supported)#

Integrations#

PassiveTotal v2#

Breaking Change: The following commands now return multiple entries (entry per indicator) instead of a single entry.

  • pt-get-pdns-details
  • pt-whois-search
  • pt-get-components

PhishTank Pack v2.0.1#

Integrations#

PhishTank v2#
  • Fixed an issue where the url command did not cache the data.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Phishing Pack v1.10.8#

Incident Fields#

  • Associated the following incident fields to the Email Communication incident type.
    • Email To
    • Email Body Format
    • Email Received
    • Email Client Name
    • Attachment Name
    • Email HTML
    • Email Subject
    • Email Message ID
    • Attachment ID
    • Email Reply To
    • Email BCC
    • Email Body HTML
    • Email Body
    • Email Headers
    • Email From
    • Email CC
  • Added the following new incident fields
    • Email Latest Message
    • Email HTML Image
    • Email Labels

Prisma Cloud Pack v1.4.0#

Classifiers#

  • Updated the following classifiers for the new GCP Kubernetes playbooks.
    • Prisma Cloud - Classifier
    • Prisma Cloud App - Classifier
  • Updated the following for the new GCP Kubernetes playbooks.
    • RedLock
    • prismaCloud_app
  • Updated the following mappers for the new GCP Kubernetes playbooks.
    • Prisma Cloud App - Incoming Mapper
    • Prisma Cloud - Incoming Mapper

Incident Fields#

  • Updated the following incident fields.
    • Resource API Name
    • Subscription Type
    • Prisma Cloud Reason
  • Assigned the following incident fields to the GCP Kubernetes Engine Misconfiguration incident type.
    • RRN
    • Prisma Cloud Time
    • Subscription Description
    • Prisma Cloud Rules
    • Prisma Cloud Status
    • Prisma Cloud ID
    • Subscription Name
    • Subscription Updated On
    • Resource Cloud Type
    • Subscription Assigned By
    • System Default
    • Subscription Updated By
    • Subscription Created By
    • Subscription Created On
    • Subscription ID

Incident Types#

GCP Kubernetes Engine Misconfiguration - New incident type.

Integrations#

Prisma Cloud (RedLock)#

Added the redlock-search-config command.

Layouts#

The following are new layouts for the GCP Kubernetes Engine Misconfiguration incident type.

  • GCP Kubernetes Engine Misconfiguration Incident
  • GCP Kubernetes Engine Misconfiguration

Playbooks#

New: Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration#

This playbook remediates Prisma Cloud GCP Kubernetes Engine alerts. It calls sub-playbooks that perform the actual remediation steps.

Prisma Cloud policies remediated:

  • GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled.
  • GCP Kubernetes Engine Clusters have HTTP load balancing disabled.
  • GCP Kubernetes Engine Clusters have Legacy Authorization enabled.
  • GCP Kubernetes Engine Clusters have Master authorized networks disabled.
  • GCP Kubernetes Engine Clusters have Network policy disabled.
  • GCP Kubernetes Engine Clusters have Stackdriver Logging disabled.
  • GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled.
  • GCP Kubernetes Engine Clusters have binary authorization disabled.
  • GCP Kubernetes Engine Clusters web UI/dashboard is set to Enabled.
  • GCP Kubernetes Engine Clusters intra-node visibility is disabled.

New: Prisma Cloud Remediation - GCP Kubernetes Engine Cluster Misconfiguration#

This playbook remediates the following Prisma Cloud GCP Kubernetes Engine Cluster alerts.

Prisma Cloud policies remediated:

  • GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled.
  • GCP Kubernetes Engine Clusters have HTTP load balancing disabled.
  • GCP Kubernetes Engine Clusters have Legacy Authorization enabled.
  • GCP Kubernetes Engine Clusters have Master authorized networks disabled.
  • GCP Kubernetes Engine Clusters have Network policy disabled.
  • GCP Kubernetes Engine Clusters have Stackdriver Logging disabled.
  • GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled.
  • GCP Kubernetes Engine Clusters have binary authorization disabled.
  • GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled.
  • GCP Kubernetes Engine Clusters intra-node visibility is disabled.

QueryAI Pack v1.0.3 (Partner Supported)#

Documentation and metadata improvements.


RTIR Pack v1.0.5#

Integrations#

RTIR#

Fixed an issue where the integration commands failed when non-ASCII characters were passed.


SafeBreach - Breach and Attack Simulation platform Pack v1.1.2 (Partner Supported)#

Documentation and metadata improvements.


SentinelOne Pack v1.0.4#

Integrations#

SentinelOne v2#

Updated the description for the sentinelone-get-hash command.


ServiceNow Pack v1.3.11#

Integrations#

ServiceNow v2#

Fixed an issue where multiple query arguments were not allowed in the following commands.

  • servicenow-query-tickets
  • servicenow-query-table

Shift Management - Assign to Next Shift Pack v1.0.1#

Playbooks#

Assign Active Incidents to Next Shift#

Fixed the reference to the AssignToNextShift automation.


Symantec Data Loss Prevention (Beta) Pack v1.1.1#

Integrations#

Symantec Data Loss Prevention (Beta)#

Fixed an issue where fetch-incidents created duplicate incidents.


Symantec Managed Security Services Pack v1.0.1#

Integrations#

Symantec Managed Security Services#

Fixed an issue where the certificates were not handled appropriately.


VirusTotal - Private API Pack v1.0.6#

Integrations#

VirusTotal - Private API#

Fixed an issue where empty behavior reports were not parsed correctly.


Whois Pack v1.1.7#

Integrations#

Whois#

Added the Domain.Admin context standards to the following commands.

  • domain
  • whois

Workday Pack v1.0.5#

Classifiers#

IAM Sync User - Workday#

Maintenance and stability enhancements.


XSOAR Mirroring Pack v1.0.1#

Documentation and metadata improvements.


okta Pack v2.0.2#

Integrations#

Okta IAM#

Maintenance and stability enhancements.

