Cortex XSOAR Content Release Notes for version 20.12.1 (229240)
Published on 22 December 2020
Breaking Changes
The following packs include breaking changes.
- ARIAPacketIntelligence Pack v2.0.0
- PhishTank Pack v2.0.2
- Polygon Pack v1.0.2
- Pulsedive Pack v1.0.1
- RiskIQ Digital Footprint Pack v1.0.4
- Synapse Pack v1.0.1
- Tripwire Pack v1.0.1
- TruSTAR Pack v2.1.1
- XM Cyber Pack v1.0.2
- XSOAR Mirroring Pack v2.0.0
New: Rapid Breach Response Pack v1.0.0
Playbooks
SolarStorm and SUNBURST Hunting and Response Playbook
This playbook does the following:
Collects indicators to aid in your threat hunting process.
- Retrieves IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
- Retrieves C2 domains and URLs associated with Sunburst.
- Discovers IOCs of associated activity related to the infection.
- Generates an indicator list to block indicators with SUNBURST tags.
Hunts for the SUNBURST backdoor.
- Queries firewall logs to detect network activity.
- Searches endpoint logs for Sunburst hashes to detect presence on hosts.
If compromised hosts are found the playbook:
- Notifies the security team to review and trigger remediation response actions.
- Fires off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
Note: This is a beta pack, which lets you implement and test pre-released software. Since the pack is a beta version, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve the pack.
New: AWS-NetworkFirewall Pack v1.0.0
Integrations
AWS Network Firewall
AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With AWS Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system (IDS) engine.
New: Centrify Vault Pack v1.0.0 (Community Contributed)
Integrations
Centrify Vault
Leverage the Centrify Vault integration to create and manage secrets.
New: Cisco Umbrella Enforcement Pack v1.0.0
Integrations
Cisco Umbrella Enforcement
Add and remove domains in Cisco OpenDNS.
New: Cloud Convert Pack v1.0.0
Integrations
CloudConvert
Use the CloudConvert integration to convert your files to the desired format.
Playbooks
CloudConvert - Convert File
Use this playbook to convert a file to the required format using CloudConvert.
New: Cryptocurrency Pack v1.0.0
Indicator Fields
Cryptocurrency Address Type
Indicator Types
Cryptocurrency Address
Integrations
Cryptocurrency
Cryptocurrency will help classify Cryptocurrency indicators as suspicious when ingested.
Layouts
Cryptocurrency Address - Indicator Details
Scripts
CryptoCurrenciesFormat
Verifies that a crypto address is valid and only returns the address if it is valid.
New: Darktrace Pack v1.0.0 (Partner Supported)
Classifiers
Darktrace Incident Classifier
Classifies all incidents fetched by the Darktrace integration as Darktrace Model Breach type incidents for the purpose of using the integration playbooks.
Darktrace Model Breach Mapper
Maps model breach fields to mappings for use in integration playbooks.
Incident Fields
- Darktrace Comment Count - Number of comments in the Darktrace model breach.
- Darktrace Device Hostname - Hostname associated with the device in Darktrace.
- Darktrace Device ID - ID associated with the device in Darktrace.
- Darktrace Device IP - IP address associated with the device in Darktrace.
- Darktrace Device Label - Device label associated with the device in Darktrace.
- Darktrace Device MAC - MAC address associated with the device in Darktrace.
- Darktrace Device Vendor Vendor associated with the device in Darktrace.
- Darktrace Model Breach Description - Description of the model breach.
- Darktrace Model Breach ID - Darktrace Model Breach ID (PBID) of the model breach.
- Darktrace Model Breach Score - Darktrace model breach score.
- Darktrace Model ID - Model ID (PID) associated with the model breach in Darktrace.
- Darktrace Model Name - Name associated with the model breach in Darktrace.
- Darktrace Model Priority - Priority of the model breach in Darktrace.
- Darktrace Model Tags - Tags associated with the model breach in Darktrace.
- Darktrace Model UUID - Model UUID associated with the model breach in Darktrace.
Incident Types
Darktrace Model Breach
Integrations
Darktrace
Rapid detection of malicious behavior can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate and manage security events before they have time to escalate.
Playbooks
Handle Darktrace Model Breach
Handles each fetched Darktrace model breach by gathering additional detail about the activity and device, providing enrichment data from Darktrace and XSOAR, linking similar incidents, and providing the ability to acknowledge the model breach and close the incident.
New: ModulesManagement Pack v1.0.0
Scripts
GetInstances
Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).
New: Public DNS Feed Pack v1.0.0
Integrations
Public DNS Feed
Fetches IP addresses from the Public DNS feed.
New: Sophos Central Pack v1.0.0
Classifiers
Sophos Central - Classifier
Classifies Sophos Central incidents.
Sophos Central - Incoming Mapper
Maps incoming alerts from Sophos Central.
Incident Types
Sophos Central Incident
Integrations
Sophos Central
The unified console for managing Sophos products.
New: Tripwire Pack v1.0.0
Classifiers
Tripwire - Classifier
Classifies Tripwire incidents.
Tripwire - Incoming Mapper
Maps incoming Tripwire incident fields.
Incident Types
Tripwire File Change
Integrations
Tripwire
Tripwire is a file integrity management (FIM) system. FIM monitors files and folders on systems and is triggered when they have changed.
Layouts
Tripwire File Change - Summary
Playbooks
Tripwire Incident IP Enrichment
Enriches the IP of a node.
New: Windows Remote Management Pack v1.0.0
Integrations
Windows Remote Management (Beta)
Uses the Python pywinrm library and commands to execute either a process or Powershell scripts.
New: X509Certificate Pack v1.0.0
Incident Fields
- Certificate Names
- Certificate Signature
- Certificate Validation Checks
- Extension
- Issuer DN
- PEM
- Public Key
- SPKI SHA256
- Serial Number
- Subject Alternative Names
- Subject DN
- Validity Not After
- Validity Not Before
Indicator Types
Certificate
Layouts
- Certificate Indicator
Scripts
CertificateExtract
Extracts fields from a certificate file and returns the standard context.
CertificateReputation
Enriches and calculates the reputation of a certificate indicator.
ARIAPacketIntelligence Pack v2.0.0 (Partner Supported)
Integrations
ARIA Packet Intelligence
- Breaking Change:
- Updated the integration to match the latest Packet Intelligence REST API.
- Removed the following arguments.
- label_sia_region
- label_sia_group
- label_sia_name
- Uses Remediation Configuration String (RCS) in the command to select SIA.
AlienVault Feed Pack v1.0.8
Integrations
AlienVault Reputation Feed
Maintenance and stability enhancements.
Anomali Enterprise Pack v1.0.1
Integrations
Anomali Match
- Rebranded Anomali Enterprise to Anomali Match.
- Added the DGA tag to the domain command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Playbooks
Anomali Enterprise Forensic Search
Updated playbook descriptions.
Anomali ThreatStream Pack v1.1.0
Integrations
Anomali ThreatStream v2
Fixed an issue where only MD5 hash data was returned for all hash types in the file and threatstream-get-indicators commands.
Asset Pack v1.0.1
Incident Fields
- Switch ID - Asset
- IP Address - Asset
- MAC Address - Asset
- Asset Table
- Location - Asset
- Switch Port ID - Asset
- ID - Asset
- Description - Asset
Azure Feed Pack v1.0.4
Integrations
Azure Feed
- Fixed an issue where some indicators were fetched twice.
- Added AzureDevOps to the list of supported services.
AzureSentinel Pack v1.0.6
Integrations
Azure Sentinel (Beta)
- Added the classification and the classification_reason arguments to the azure-sentinel-update-incident command.
- Updated the Docker image to: demisto/crypto:1.0.0.14297.
Bambenek Consulting Feed Pack v1.0.6
Integrations
Bambenek Consulting Feed
- Fixed an issue where an empty Authorization header would be sent if the credentials parameter had an empty string in it.
- Updated the C2 IP feed and C2 Domain feed links.
- Updated the Docker image to: demisto/python3:3.8.6.14516.
Barracuda Pack v1.0.1 (Community Contributed)
Integrations
Barracuda Reputation Block List (BRBL)
- Updated the ip command with new code conventions.
- Fixed the outputs of the ip command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Base Pack v1.5.3
Scripts
CommonServerPython
- Updated BaseClient._http_request to include an optional argument for an empty codes list.
- Added CRYPTOCURRENCY to DBotScoreType.
- Added the Cryptocurrency indicator context to Common.
- Added the tags field to the Domain indicator class.
- Added support for clickable URL fields using the url argument in the tableToMarkdown method.
- Fixed an issue with the aws_table_to_markdown function, which failed on an empty list.
- Improved the log formatter to remove sensitive URL query parameters.
CommonServerPowerShell
- Fixed the setIntegrationContext method in the $Demisto class.
- Added a new helper function, ConvertTo-Boolean, which converts a string to boolean.
Box Pack v2.0.0
Classifiers
New: Box Incident Incoming Mapper
Maps incoming Box incident fields.
Incident Fields
- Box Source Parent Name
- Box Source Parent ID
- Box Source Owner Name
- Box Source Owner ID
- Box Source Created By Name
- Box Source Created By ID
Incident Types
Integrations
Box (Deprecated)
Deprecated. Use the Box v2 integration instead.
New: Box v2
- Manage Box users.
- Updated the Docker image to: demisto/pyjwt3:1.0.0.8871.
Layouts
Box Incident
Brute Force Pack v1.2.2
Incident Fields
- Account Groups
- Successful Login
- Password Expiration Status
- Login Attempt Count
- User Disabled Status
CSV Feed Pack v1.0.6
Integrations
CSV Feed
Fixed an issue where an empty Authorization header would be sent when the credentials parameter had an empty string in it.
Check Point Firewall Pack v2.0.6
Integrations
Check Point Firewall v2
- Updated the checkpoint-login-and-get-session-id command to add an optional domain parameter allowing MDS logins.
- Updated the Docker image to: demisto/python3:3.8.6.14516.
CiscoFirepower Pack v1.0.1
Integrations
Cisco Firepower
- Fixed an issue where the ciscofp-deploy-to-devices command did not work in some versions of Cisco Firepower.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Claroty Pack v1.0.7 (Partner Supported)
Incident Fields
- Claroty Alert Type
- Claroty Related Assets
- Claroty Category
- Claroty Alert Resolved
- Claroty Network ID
- Claroty Resource ID
- Claroty Site ID
Code42 Pack v2.0.8 (Partner Supported)
Incident Fields
- Code42 Alert Type
- Code42 Severity
- Code42 SecurityAlert Timestamp
- Code42 Username
- Exfiltrated Files
- Code42 SecurityAlert Description
- Code42 File Events
- Code42 SecurityAlert ID
- Code42 SecurityAlert Name
- Code42 SecurityAlert State
Common Playbooks Pack v1.8.6
Playbooks
Dedup - Generic v2
Deprecated. Use the Dedup Generic v3 playbook instead.
Dedup - Generic v3
The new version of the Dedup playbook that includes the PhishingDedupPreprocessingRule new machine learning script, which identifies duplicate Phishing incidents.
Common Scripts Pack v1.3.6
Scripts
New: ConvertDatetoUTC
Converts a date from a different timezone to UTC timezone.
ScheduleGenericPolling
Added support for non-English characters in the ids argument.
DateStringToISOFormat
- Added the add_utc_timezone argument to indicate whether to add a UTC timezone in case an offset-naive date was provided as an input.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
GetDomainDNSDetails
Added the missing DomainDNSDetails.CNAME script output. This output is the Domain CNAME records.
RepopulateFiles
Fixed an issue where the script failed when there were no files to repopulate.
DeleteContext
Fixed an issue where using the keysToKeep argument on a context key that contained an array with duplicate values would also perform deduplication on the array.
Common Types Pack v2.7.1
Incident Fields
- Application Id
- Application Name
- IncomingMirrorError
- OutgoingMirrorError
- Dst Ports
- Log Source Type
- Assignment Group
- Pre Nat Destination Port
- Log Source Name
- CVSS Confidentiality Requirement
- Detected Users
- High Level Categories
- Escalation
- Traffic Direction
- Ticket Opened Date
- Source IPV6
- Low Level Categories Events
- DNS Name
- Close Time
- Ticket Number
- Source IPs
- Technical User
- Compliance Notes
- Source Geolocation
- Pre Nat Source Port
- Destination MAC Address
- Destination Hostname
- Number Of Log Sources
- Detected Internal Hosts
- Pre Nat Source IP
- Protocols
- Category Count
- Raw Event
- Technical Owner
- Device Time
- Event Descriptions
- Detected External Hosts
- Source Hostname
- Technical Owner Contact
- Last Update Time
- Post Nat Source IP
- CVSS Availability Requirement
- Follow Up
- List Of Rules - Event
- Detected Internal IPs
- Closing User
- Destination IPs
- Detected External IPs
- Unique Ports
- Caller
- Source MAC Address
- Usernames
- sAMAccountName
- Post Nat Destination Port
- Post Nat Source Port
- Dest Hostname
- Mobile Device Model
- CVSS Collateral Damage Potential
- Closing Reason
- Event Names
- Start Time
- Events
- Src Hostname
- Destination Geolocation
- Src Ports
- userAccountControl
- Protocol - Event
- Post Nat Destination IP
- Destination IPV6
- CVSS Integrity Requirement
- Ticket Closed Date
- Dest OS
- Device Id
- Policy Description
- SHA512
- SHA1
- Policy ID
Indicator Fields
Primary Motivation
Malware types
Tags
Fixed Tags field having empty options.
Signature Description
- Registrant Country
- Internal
- STIX ID
- CVSS
- Admin Phone
- DNS
- Office365Required
- Admin Country
- STIX Description
- Display Name
- Geo Country
- Username
- SHA512
- Description
- Actor
- Category
- Office365Category
- STIX Primary Motivation.
- Source Original Severity
- STIX Resource Level
- Email Address
- STIX Roles
- Updated Date
- Operating System
- Associations
- STIX Is Malware Family
- Subdomains
- Signature Copyright
- STIX Goals
- First Seen By Source
- Path
- Malware Family
- Entry ID
- CVE Modified
- STIX Malware Types
- Expiration Date
- Registrant Name
- STIX Kill Chain Phases
- Last Seen By Source
- MAC Address
- Signed
- Domain Referring IPs
- Registrar Abuse Email
- Organizational Unit (OU)
- Device Model
- Reported By
- File Extension
- Account Type
- ASN
- BIOS Version
- Indicator Identification
- Service
- Admin Email
- Name Field
- Registrant Email
- DHCP Server
- Region
- Groups
- Hostname
- Threat Types
- Name Servers
- Domain Status
- Traffic Light Protocol
- CVE Description
- Memory
- Office365ExpressRoute
- Organization
- STIX Secondary Motivations
- Signature Authentihash
- imphash
- IP Address
- STIX Tool Version
- STIX Threat Actor Types
- File Type
- Registrant Phone
- STIX Aliases
- Name
- MD5
- Detection Engines
- OS Version
- Admin Name
- Campaign
- Operating System Version
- Processors
- SHA1
- Domain Referring Subnets
- Size
- Signature File Version
- Signature Internal Name
- Associated File Names
- Domain Name
- SSDeep
- Positive Detections
- Geo Location
- Creation Date
- Feed Related Indicators
- Registrar Name
- Domain IDN Name
- STIX Tool Types
- STIX Sophistication
- Registrar Abuse Phone
- Port
- SHA256
- Processor
- Published
Indicator Types
unifiedFileRep - Fixed an issue where the associated layout was not File Indicator.
ConcentricAI Pack v1.1.0 (Partner Supported)
Integrations
ConcentricAI
Added the concentricai-get-file-sharing-details command, which adds file sharing details in the playbook.
Playbooks
ConcentricAI Demo Playbook
The playbook now enables one to fetch all file details, file sharing permissions along with user details of the owner.
Cortex Data Lake Pack v1.3.0
Integrations
Cortex Data Lake
- Added support for a caching mechanism for repetitive errors when requesting access token from CDL server.
- Added the cdl-reset-authentication-timeout command to reset the failure counters of the caching mechanism.
- Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.14327.
Crisis Management Pack v1.2.2
Indicator Fields
Last Name
- Job Title
- Employee Response Status
- Employee Health Status
- First Name
CrowdStrike Falcon Pack v1.2.10
Incident Types
- CrowdStrike Falcon Incident
- CrowdStrike Falcon Detection
Integrations
CrowdStrike Falcon
Fixed an issue where an IOC, which does not exist, caused an error in the cs-device-ran-on and the cs-falcon-device-count-ioc commands.
Cymulate Pack v1.0.7 (Partner Supported)
Incident Fields
- Cymulate Immediate Threats Payload Name
- Cymulate Immediate Threats Attack ID
- Cymulate Immediate Threats Module
- Cymulate Immediate Threats Mitigations
- Cymulate Immediate Threats Vector
- Cymulate Immediate Threats Status
- Cymulate Immediate Threats ID
- Cymulate Immediate Threats File Type
EWS Pack v1.5.0
Integrations
New: O365 - Security And Compliance - Content Search (beta)
This integration allows you to manage and interact with the Microsoft security and compliance content search.
Playbooks
New: O365 - Security And Compliance - Search Action - Delete
This playbook performs the following steps:
- Creates the new purge compliance search action.
- Waits for the compliance search action to complete.
- Retrieves the delete search action.
New: O365 - Security And Compliance - Search And Delete
This playbook performs the following steps:
- Creates a compliance search.
- Starts a compliance search.
- Waits for the compliance search to complete.
- Gets the results of the compliance search.
- Gets the preview results, if specified.
- Deletes the search results (Hard/Soft purge).
New: O365 - Security And Compliance - Search Action - Preview
This playbook performs the following steps:
- Creates the new Preview compliance search action (based on the created compliance search).
- Waits until the preview action completes.
- Retrieves the preview results.
New: O365 - Security And Compliance - Search
This playbook performs the following steps:
- Creates a compliance search.
- Starts a compliance search.
- Wait for the compliance search to complete.
- Gets the results of the compliance search as an output.
- Gets the preview results, if specified.
Employee Offboarding Pack v1.0.5
Incident Fields
Offboarding Date - Updated the entity to conform to the new schema standards.
Expanse Pack v1.1.4 (Partner Supported)
Incident Fields
- Expanse Exposure Type
- Expanse Severity
- ExpanseRawJSONEvent
- Expanse Business Unit
- Expanse Behavior Rule
Export Indicators Pack v1.0.1
Integrations
Export Indicators Service
- Fixed an issue where processing an indicator without a value raised an exception.
- Updated the Docker image to: demisto/teams:1.0.0.14318.
Fetch Indicators From File Pack v1.0.2
Scripts
FetchIndicatorsFromFile
Added support for Domain indicators context extraction.
GitHub Pack v1.1.3
Integrations
GitHub IAM
Maintenance and stability enhancements.
IBM QRadar Pack v1.2.4
Incident Fields
- List of Rules - Offense
- Destination Network - Offense
- Status - Offense
- Low Level Categories - Offense
- Credibility - Offense
- Number Of Flows
- Description - Offense
- Username Count - Offense
- Source Network - Offense
- ID - Offense
- Severity - Offense
- Source IP - Offense
- Type - Offense
- Number Of Events In Offense
- Magnitude - Offense
- Domain - Offense
- Destination IP - Offense
- Relevance - Offense
- Number Of Fetched Events
- Offense Inactive
Integrations
IBM QRadar v2
Improved the error message when testing an integration instance with the Fetch Mode integration parameter set to Fetch With All Events or Fetch Correlation Events Only and no Event fields were provided.
Layouts
Qradar Generic - Added the usernames field to the layout.
Indeni Pack v1.0.7 (Partner Supported)
Incident Fields
- Indeni Issue ID
- Indeni Device ID
Infinipoint Pack v1.0.3 (Partner Supported)
Integrations
Infinipoint
Maintenance and stability enhancements.
Lastline Pack v1.0.3
Integrations
Lastline v2
- Added support for account-based authentication.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
LogRhythmRest Pack v1.0.2
Integrations
LogRhythmRest
Improved implementation of error handling when an unexpected content type was returned.
Logz.io Pack v1.1.3 (Partner Supported)
Integrations
Logz.io
Fixed an integration argument bug when fetching event logs from Logz.io.
MITRE ATT&CK Pack v1.1.7
Indicator Fields
MITRE System Requirements
- MITRE Platforms
- MITRE Extended Aliases
- MITRE Description
- MITRE Contributors
- MITRE Aliases
- MITRE Labels
- MITRE ID
- MITRE Permissions Required
- MITRE Kill Chain Phases
- MITRE Detection
- MITRE Type
- MITRE Version
- MITRE Impact Type
- MITRE Data Sources
- MITRE External References
- MITRE Name
- MITRE Defense Bypassed
Majestic Million Feed Pack v1.0.1
Integrations
Majestic Million Feed
Maintenance and stability enhancements.
Microsoft Cloud App Security Pack v1.0.12
Incident Types
Microsoft CAS Alert
Microsoft Defender Advanced Threat Protection Pack v1.2.6
Integrations
Microsoft Defender Advanced Threat Protection
- Added the timeout argument to the microsoft-atp-advanced-hunting command.
- Updated the Docker image to: demisto/crypto:1.0.0.14297.
NIST Pack v1.0.5
Incident Fields
- Exactly what happened, and at what times?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- How could information sharing with other organizations have been improved?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
- What corrective actions can prevent similar incidents in the future?
- How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What would the staff and management do differently the next time a similar incident occurs?
NTT Cyber Threat Sensor Pack v1.0.2 (Partner Supported)
Incident Fields
- Graph Plot
- FAERE Description
PAN-OS Pack v1.6.9
Incident Fields
Target Firewall Version - Updated the entity to conform to the new schema standards.
PCAP Analysis Pack v2.3.7
Incident Fields
- PCAP file
- PCAP Flows
- PCAP Start Time
- PCAP Number Of Packets
- PCAP End Time
- PCAP Number Of Streams
- PCAP File Name
- PCAP File Size
PagerDuty Pack v1.0.2
Integrations
PagerDuty v2
- Fixed an issue where the PagerDuty-incidents command failed when non-ASCII characters were returned from the API response.
- Fixed an issue where triggering events failed due to changes done in the previous version.
Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.7.0
Classifiers
Cortex XDR - Incoming Mapper
Added mapping to the LastMirroredInTime field.
Cortex XDR - IR
Added mapping to the following fields.
- XDR Alerts
- XDR File Artifacts
- XDR Network Artifacts
- XDR Modification Time
- LastMirroredInTime fields.
Incident Fields
- XDR Modification Time
- LastMirroredInTime
- XDR manual severity
Indicator Fields
XDR Modification Time - Updated the entity to conform to the new schema standards.
Integrations
Palo Alto Networks Cortex XDR - Investigation and Response
Changed the name of the event_timestampt argument to event_timestamp in the xdr-insert-parsed-alert command.
Added 9 commands.
- xdr-delete-endpoints
- xdr-get-policy
- xdr-get-endpoint-device-control-violations
- xdr-retrieve-files
- xdr-retrieve-file-details
- xdr-get-scripts
- xdr-get-script-metadata
- xdr-get-script-code
- xdr-action-get-status
Added the option to return only modified incidents from the xdr-get-incident-extra-data command to improve mirroring rate limit handling.
Updated the Docker image to: demisto/python3:3.8.6.12176.
Playbooks
Cortex XDR - Check Action Status
Added a playbook that takes an action ID and checks its action status.
Cortex XDR - Retrieve File Playbook
Added a playbook that retrieves a file from selected endpoints and adds the file link to the War Room.
Cortex XDR incident handling v3
- Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
- Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
- Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v3 playbook.
- Added the internalRanges input to the XDR Alerts handling sub-playbook.
Cortex XDR incident handling v2
- Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
- Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
- Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v2 playbook.
- Added the internalRanges input to the XDR Alerts handling sub-playbook.
Cortex XDR Alerts Handling
Updated the host_ip input for the Cortex XDR - Malware Investigation sub-playbook to accept the host IP list.
Cortex XDR - Port Scan
Fixed an issue where an error was raised when the playbook expected lateral movement alerts as part of port scan events.
Scripts
XDRSyncScript
Updated to support the xdr-get-incident-extra-data command enhancement in order to avoid rate limit errors from XDR.
Pentera Pack v1.0.3 (Partner Supported)
Incident Fields
Pentera Operation Details - Updated the entity to conform to the new schema standards.
PhishTank Pack v2.0.2
Integrations
PhishTank v2
Breaking Change: Updated the url command to return multiple entries (entry per indicator) instead of a single entry.
Polygon Pack v1.0.2 (Partner Supported)
Integrations
Group-IB TDS Polygon
Breaking Change: Updated the following reputation commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- domain
- file
- url
- process
- registry
Updated the Docker image to: demisto/python3:3.8.6.14516.
Prisma Cloud Pack v1.5.0
Integrations
Prisma Cloud (RedLock)
- Added the redlock-get-RQL-response command.
- Added the ability to snooze alerts.
Prisma Cloud Compute Pack v1.0.6
Incident Fields
- Prisma Cloud Compute Project
- Prisma Cloud Compute Error
- Prisma Cloud Compute Forensic
- Prisma Cloud Compute Line
- Prisma Cloud Compute Function
- Prisma Cloud Compute Log File
- Prisma Cloud Compute Collections
- Prisma Cloud Compute Container
- Prisma Cloud Compute Category
- Prisma Cloud Compute Image
- Prisma Cloud Compute Raw Alert JSON
- Prisma Cloud Compute Markdown
- Prisma Cloud Compute Total
- Prisma Cloud Compute AppID
- Prisma Cloud Compute Host
- Prisma Cloud Compute Message
- Prisma Cloud Compute Command
- Prisma Cloud Compute Type
- Prisma Cloud Compute FQDN
- Prisma Cloud Compute Service Type
- Prisma Cloud Compute Kubernetes Resource
- Prisma Cloud Compute Activity Type
- Prisma Cloud Compute Rule
- Prisma Cloud Compute Runtime
- Prisma Cloud Compute Registry
- Prisma Cloud Compute Provider
- Prisma Cloud Compute User
- Prisma Cloud Compute Distribution
- Prisma Cloud Compute Interactive
- Prisma Cloud Compute Credential ID
- Prisma Cloud Compute Region
- Prisma Cloud Compute Protected
- Prisma Cloud Compute Service
- Prisma Cloud Compute Labels
Integrations
Palo Alto Networks - Prisma Cloud Compute
- Fixed an issue where some alerts were not processed properly when fetching incidents.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Proofpoint Protection Server Pack v1.0.5
Integrations
Proofpoint Protection Server (Beta)
- Improved the implementation of the error handling in the proofpoint-download-email command.
- Improved the description of the message_id argument in the proofpoint-download-email command.
Pulsedive Pack v1.0.1 (Community Contributed)
Integrations
Pulsedive
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- url
- domain
- Added missing outputs to the url command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Rapid Breach Response Pack v1.0.2
Playbooks
SolarStorm and SUNBURST Hunting and Response Playbook
- Added the SolarStorm and SUNBURST Hunting and Response playbook.
- Updated the playbook description.
- The playbook will be available from Cortex XSOAR v5.5.
Recorded Future Feed Pack v1.0.6
Indicator Fields
Recorded Future Evidence Details - Updated the entity to conform to the new schema standards.
RiskIQ Digital Footprint Pack v1.0.4 (Partner Supported)
Integrations
RiskIQ Digital Footprint
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- df-asset-connections
- df-get-asset commands
- df-asset-connections
- Updated the Docker image to the latest version.
SANS Pack v1.1.2
Incident Fields
- Suggestions and discussion of how to improve the team
- What were the areas where the CIRT teams were effective?
- How was the incident contained and eradicated?
- What was the work performed during recovery?
- What was the scope of the incident?
- When was the problem first detected and by whom?
- What are the areas that need improvement?
- SANS Stage
SafeBreach - Breach and Attack Simulation platform Pack v1.1.3 (Partner Supported)
Layouts
SafeBreach Insight - Updated the entity to conform to the new schema standards.
SentinelOne Pack v1.0.5
Integrations
SentinelOne v2
- Improved error message processing from the SentinelOne API.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
ServiceNow Pack v2.1.0
Integrations
New: ServiceNow CMDB
Added the ServiceNow CMDB integration.
Slack Pack v1.3.9
Integrations
Slack v2
- Added the filtered_tags parameter to filter the messages sent from Demisto by tags. Only supported in Cortex XSOAR V6.1 and above.
- Fixed an issue where an error was raised when a non-strict JSON passed to the blocks argument in the send-notification command.
Smokescreen IllusionBLACK Pack v1.0.6 (Partner Supported)
Incident Fields
- IllusionBLACK Threat Parse
- IllusionBLACK Events
- IllusionBLACK Decoy ID
- IllusionBLACK Attacker ID
- IllusionBLACK Attack Type
Spamcop Pack v1.0.1 (Community Contributed)
Integrations
Spamcop
- Updated the ip command with new code conventions.
- Fixed the outputs of the ip command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
SplunkPy Pack v1.2.6
Integrations
SplunkPy
Fixed an issue where providing a raw field that is wrapped in double quotes in a notable event would return with the key set as the value in the incident metadata if it did not exist.
Symantec Blue Coat Content and Malware Analysis (Beta) Pack v1.0.1
Integrations
Symantec Blue Coat Content and Malware Analysis (Beta)
Fixed an issue where files with special characters in their names were not handled properly in the symantec-cma-upload-file command.
Synapse Pack v1.0.1 (Community Contributed)
Integrations
Synapse
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- url
- domain
- file
- Added missing outputs to the following commands.
- ip
- url
- domain
- file
- Updated the Docker image to: demisto/aiohttp:1.0.0.13810.
Tripwire Pack v1.0.1
Integrations
Tripwire
Breaking Change: Fixed an issue where the argument name in the tripwire-rules-list command was wrong.
TruSTAR Pack v2.1.1 (Partner Supported)
Integrations
TruSTAR v2
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- trustar-indicator-summaries
- trustar-related-indicators
- trustar-indicator-summaries
- trustar-get-whitelisted-indicators
- trustar-trending-indicators
- trustar-get-indicators-for-report
- trustar-search-indicators
- trustar-get-phishing-indicators
- Updated the Docker image to: demisto/trustar:20.2.0.13605.
XM Cyber Pack v1.0.2 (Partner Supported)
Integrations
XM Cyber
Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- xmcyber-hostname
XSOAR Mirroring Pack v2.0.0
Breaking Change: Removed the following items from the pack.
- Incident field (from Pong)
- Incident types (from Ping and Pong)
- Classifier
- Mapper
Integrations
XSOAR Mirroring
Maintenance and stability enhancements.
Classifiers
XSOAR Incoming Mapper
Added a default mapper for the integration.
abuse.ch SSL Blacklist Feed Pack v1.0.5
Integrations
abuse.ch SSL Blacklist Feed
Maintenance and stability enhancements.
iDefense Pack v3.0.0
Integrations
iDefense v2
Updated the Docker image to: demisto/python3:3.8.6.13358.
New: iDefense Feed
Fetches indicators from iDefense feed according to the applied filters.
Assets
- Download Content Zip (Cortex XSOAR 5.5 and earlier): content_new.zip
- Download Marketplace Packs (Cortex XSOAR 6.0 and later): content_marketplace_packs.zip
- Browse the Source Code: Content Repo @ 20.12.1