Skip to main content

Cortex XSOAR Content Release Notes for version 20.12.1 (229240)

Published on 22 December 2020#

Breaking Changes#

The following packs include breaking changes.

New: Rapid Breach Response Pack v1.0.0#

Playbooks#

SolarStorm and SUNBURST Hunting and Response Playbook#

This playbook does the following:

  • Collects indicators to aid in your threat hunting process.

    • Retrieves IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
    • Retrieves C2 domains and URLs associated with Sunburst.
    • Discovers IOCs of associated activity related to the infection.
    • Generates an indicator list to block indicators with SUNBURST tags.
  • Hunts for the SUNBURST backdoor.

    • Queries firewall logs to detect network activity.
    • Searches endpoint logs for Sunburst hashes to detect presence on hosts.
  • If compromised hosts are found the playbook:

    • Notifies the security team to review and trigger remediation response actions.
    • Fires off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

      Note: This is a beta pack, which lets you implement and test pre-released software. Since the pack is a beta version, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve the pack.


New: AWS-NetworkFirewall Pack v1.0.0#

Integrations#

AWS Network Firewall#

AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With AWS Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system (IDS) engine.


New: Centrify Vault Pack v1.0.0 (Community Contributed)#

Integrations#

Centrify Vault#

Leverage the Centrify Vault integration to create and manage secrets.


New: Cisco Umbrella Enforcement Pack v1.0.0#

Integrations#

Cisco Umbrella Enforcement#

Add and remove domains in Cisco OpenDNS.


New: Cloud Convert Pack v1.0.0#

Integrations#

CloudConvert#

Use the CloudConvert integration to convert your files to the desired format.

Playbooks#

CloudConvert - Convert File#

Use this playbook to convert a file to the required format using CloudConvert.


New: Cryptocurrency Pack v1.0.0#

Indicator Fields#

Cryptocurrency Address Type

Indicator Types#

Cryptocurrency Address

Integrations#

Cryptocurrency#

Cryptocurrency will help classify Cryptocurrency indicators as suspicious when ingested.

Layouts#

Cryptocurrency Address - Indicator Details

Scripts#

CryptoCurrenciesFormat#

Verifies that a crypto address is valid and only returns the address if it is valid.


New: Darktrace Pack v1.0.0 (Partner Supported)#

Classifiers#

Darktrace Incident Classifier#

Classifies all incidents fetched by the Darktrace integration as Darktrace Model Breach type incidents for the purpose of using the integration playbooks.

Darktrace Model Breach Mapper#

Maps model breach fields to mappings for use in integration playbooks.

Incident Fields#

  • Darktrace Comment Count - Number of comments in the Darktrace model breach.
  • Darktrace Device Hostname - Hostname associated with the device in Darktrace.
  • Darktrace Device ID - ID associated with the device in Darktrace.
  • Darktrace Device IP - IP address associated with the device in Darktrace.
  • Darktrace Device Label - Device label associated with the device in Darktrace.
  • Darktrace Device MAC - MAC address associated with the device in Darktrace.
  • Darktrace Device Vendor Vendor associated with the device in Darktrace.
  • Darktrace Model Breach Description - Description of the model breach.
  • Darktrace Model Breach ID - Darktrace Model Breach ID (PBID) of the model breach.
  • Darktrace Model Breach Score - Darktrace model breach score.
  • Darktrace Model ID - Model ID (PID) associated with the model breach in Darktrace.
  • Darktrace Model Name - Name associated with the model breach in Darktrace.
  • Darktrace Model Priority - Priority of the model breach in Darktrace.
  • Darktrace Model Tags - Tags associated with the model breach in Darktrace.
  • Darktrace Model UUID - Model UUID associated with the model breach in Darktrace.

Incident Types#

Darktrace Model Breach

Integrations#

Darktrace#

Rapid detection of malicious behavior can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate and manage security events before they have time to escalate.

Playbooks#

Handle Darktrace Model Breach#

Handles each fetched Darktrace model breach by gathering additional detail about the activity and device, providing enrichment data from Darktrace and XSOAR, linking similar incidents, and providing the ability to acknowledge the model breach and close the incident.


New: ModulesManagement Pack v1.0.0#

Scripts#

GetInstances#

Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).


New: Public DNS Feed Pack v1.0.0#

Integrations#

Public DNS Feed#

Fetches IP addresses from the Public DNS feed.


New: Sophos Central Pack v1.0.0#

Classifiers#

Sophos Central - Classifier#

Classifies Sophos Central incidents.

Sophos Central - Incoming Mapper#

Maps incoming alerts from Sophos Central.

Incident Types#

Sophos Central Incident

Integrations#

Sophos Central#

The unified console for managing Sophos products.


New: Tripwire Pack v1.0.0#

Classifiers#

Tripwire - Classifier#

Classifies Tripwire incidents.

Tripwire - Incoming Mapper#

Maps incoming Tripwire incident fields.

Incident Types#

Tripwire File Change

Integrations#

Tripwire#

Tripwire is a file integrity management (FIM) system. FIM monitors files and folders on systems and is triggered when they have changed.

Layouts#

Tripwire File Change - Summary

Playbooks#

Tripwire Incident IP Enrichment#

Enriches the IP of a node.


New: Windows Remote Management Pack v1.0.0#

Integrations#

Windows Remote Management (Beta)#

Uses the Python pywinrm library and commands to execute either a process or Powershell scripts.


New: X509Certificate Pack v1.0.0#

Incident Fields#

  • Certificate Names
  • Certificate Signature
  • Certificate Validation Checks
  • Extension
  • Issuer DN
  • PEM
  • Public Key
  • SPKI SHA256
  • Serial Number
  • Subject Alternative Names
  • Subject DN
  • Validity Not After
  • Validity Not Before

Indicator Types#

Certificate

Layouts#

  • Certificate Indicator

Scripts#

CertificateExtract#

Extracts fields from a certificate file and returns the standard context.

CertificateReputation#

Enriches and calculates the reputation of a certificate indicator.


ARIAPacketIntelligence Pack v2.0.0 (Partner Supported)#

Integrations#

ARIA Packet Intelligence#
  • Breaking Change:
    • Updated the integration to match the latest Packet Intelligence REST API.
    • Removed the following arguments.
      • label_sia_region
      • label_sia_group
      • label_sia_name
  • Uses Remediation Configuration String (RCS) in the command to select SIA.

AlienVault Feed Pack v1.0.8#

Integrations#

AlienVault Reputation Feed#

Maintenance and stability enhancements.


Anomali Enterprise Pack v1.0.1#

Integrations#

Anomali Match#
  • Rebranded Anomali Enterprise to Anomali Match.
  • Added the DGA tag to the domain command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Playbooks#

Anomali Enterprise Forensic Search#

Updated playbook descriptions.


Anomali ThreatStream Pack v1.1.0#

Integrations#

Anomali ThreatStream v2#

Fixed an issue where only MD5 hash data was returned for all hash types in the file and threatstream-get-indicators commands.


Asset Pack v1.0.1#

Incident Fields#

  • Switch ID - Asset
  • IP Address - Asset
  • MAC Address - Asset
  • Asset Table
  • Location - Asset
  • Switch Port ID - Asset
  • ID - Asset
  • Description - Asset

Azure Feed Pack v1.0.4#

Integrations#

Azure Feed#
  • Fixed an issue where some indicators were fetched twice.
  • Added AzureDevOps to the list of supported services.

AzureSentinel Pack v1.0.6#

Integrations#

Azure Sentinel (Beta)#
  • Added the classification and the classification_reason arguments to the azure-sentinel-update-incident command.
  • Updated the Docker image to: demisto/crypto:1.0.0.14297.

Bambenek Consulting Feed Pack v1.0.6#

Integrations#

Bambenek Consulting Feed#
  • Fixed an issue where an empty Authorization header would be sent if the credentials parameter had an empty string in it.
  • Updated the C2 IP feed and C2 Domain feed links.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Barracuda Pack v1.0.1 (Community Contributed)#

Integrations#

Barracuda Reputation Block List (BRBL)#
  • Updated the ip command with new code conventions.
  • Fixed the outputs of the ip command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Base Pack v1.5.3#

Scripts#

CommonServerPython#
  • Updated BaseClient._http_request to include an optional argument for an empty codes list.
  • Added CRYPTOCURRENCY to DBotScoreType.
  • Added the Cryptocurrency indicator context to Common.
  • Added the tags field to the Domain indicator class.
  • Added support for clickable URL fields using the url argument in the tableToMarkdown method.
  • Fixed an issue with the aws_table_to_markdown function, which failed on an empty list.
  • Improved the log formatter to remove sensitive URL query parameters.
CommonServerPowerShell#
  • Fixed the setIntegrationContext method in the $Demisto class.
  • Added a new helper function, ConvertTo-Boolean, which converts a string to boolean.

Box Pack v2.0.0#

Classifiers#

New: Box Incident Incoming Mapper#

Maps incoming Box incident fields.

Incident Fields#

  • Box Source Parent Name
  • Box Source Parent ID
  • Box Source Owner Name
  • Box Source Owner ID
  • Box Source Created By Name
  • Box Source Created By ID

Incident Types#

Integrations#

Box (Deprecated)#

Deprecated. Use the Box v2 integration instead.

New: Box v2#
  • Manage Box users.
  • Updated the Docker image to: demisto/pyjwt3:1.0.0.8871.

Layouts#

Box Incident


Brute Force Pack v1.2.2#

Incident Fields#

  • Account Groups
  • Successful Login
  • Password Expiration Status
  • Login Attempt Count
  • User Disabled Status

CSV Feed Pack v1.0.6#

Integrations#

CSV Feed#

Fixed an issue where an empty Authorization header would be sent when the credentials parameter had an empty string in it.


Check Point Firewall Pack v2.0.6#

Integrations#

Check Point Firewall v2#
  • Updated the checkpoint-login-and-get-session-id command to add an optional domain parameter allowing MDS logins.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

CiscoFirepower Pack v1.0.1#

Integrations#

Cisco Firepower#
  • Fixed an issue where the ciscofp-deploy-to-devices command did not work in some versions of Cisco Firepower.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Claroty Pack v1.0.7 (Partner Supported)#

Incident Fields#

  • Claroty Alert Type
  • Claroty Related Assets
  • Claroty Category
  • Claroty Alert Resolved
  • Claroty Network ID
  • Claroty Resource ID
  • Claroty Site ID

Code42 Pack v2.0.8 (Partner Supported)#

Incident Fields#

  • Code42 Alert Type
  • Code42 Severity
  • Code42 SecurityAlert Timestamp
  • Code42 Username
  • Exfiltrated Files
  • Code42 SecurityAlert Description
  • Code42 File Events
  • Code42 SecurityAlert ID
  • Code42 SecurityAlert Name
  • Code42 SecurityAlert State

Common Playbooks Pack v1.8.6#

Playbooks#

Dedup - Generic v2#

Deprecated. Use the Dedup Generic v3 playbook instead.

Dedup - Generic v3#

The new version of the Dedup playbook that includes the PhishingDedupPreprocessingRule new machine learning script, which identifies duplicate Phishing incidents.


Common Scripts Pack v1.3.6#

Scripts#

New: ConvertDatetoUTC#

Converts a date from a different timezone to UTC timezone.

ScheduleGenericPolling#

Added support for non-English characters in the ids argument.

DateStringToISOFormat#
  • Added the add_utc_timezone argument to indicate whether to add a UTC timezone in case an offset-naive date was provided as an input.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.
GetDomainDNSDetails#

Added the missing DomainDNSDetails.CNAME script output. This output is the Domain CNAME records.

RepopulateFiles#

Fixed an issue where the script failed when there were no files to repopulate.

DeleteContext#

Fixed an issue where using the keysToKeep argument on a context key that contained an array with duplicate values would also perform deduplication on the array.


Common Types Pack v2.7.1#

Incident Fields#

  • Application Id
  • Application Name
  • IncomingMirrorError
  • OutgoingMirrorError
  • Dst Ports
  • Log Source Type
  • Assignment Group
  • Pre Nat Destination Port
  • Log Source Name
  • CVSS Confidentiality Requirement
  • Detected Users
  • High Level Categories
  • Escalation
  • Traffic Direction
  • Ticket Opened Date
  • Source IPV6
  • Low Level Categories Events
  • DNS Name
  • Close Time
  • Ticket Number
  • Source IPs
  • Technical User
  • Compliance Notes
  • Source Geolocation
  • Pre Nat Source Port
  • Destination MAC Address
  • Destination Hostname
  • Number Of Log Sources
  • Detected Internal Hosts
  • Pre Nat Source IP
  • Protocols
  • Category Count
  • Raw Event
  • Technical Owner
  • Device Time
  • Event Descriptions
  • Detected External Hosts
  • Source Hostname
  • Technical Owner Contact
  • Last Update Time
  • Post Nat Source IP
  • CVSS Availability Requirement
  • Follow Up
  • List Of Rules - Event
  • Detected Internal IPs
  • Closing User
  • Destination IPs
  • Detected External IPs
  • Unique Ports
  • Caller
  • Source MAC Address
  • Usernames
  • sAMAccountName
  • Post Nat Destination Port
  • Post Nat Source Port
  • Dest Hostname
  • Mobile Device Model
  • CVSS Collateral Damage Potential
  • Closing Reason
  • Event Names
  • Start Time
  • Events
  • Src Hostname
  • Destination Geolocation
  • Src Ports
  • userAccountControl
  • Protocol - Event
  • Post Nat Destination IP
  • Destination IPV6
  • CVSS Integrity Requirement
  • Ticket Closed Date
  • Dest OS
  • Device Id
  • Policy Description
  • SHA512
  • SHA1
  • Policy ID

Indicator Fields#

Primary Motivation#

Malware types

Tags#

Fixed Tags field having empty options.

Signature Description#
  • Registrant Country
  • Internal
  • STIX ID
  • CVSS
  • Admin Phone
  • DNS
  • Office365Required
  • Admin Country
  • STIX Description
  • Display Name
  • Geo Country
  • Username
  • SHA512
  • Description
  • Actor
  • Category
  • Office365Category
  • STIX Primary Motivation.
  • Source Original Severity
  • STIX Resource Level
  • Email Address
  • STIX Roles
  • Updated Date
  • Operating System
  • Associations
  • STIX Is Malware Family
  • Subdomains
  • Signature Copyright
  • STIX Goals
  • First Seen By Source
  • Path
  • Malware Family
  • Entry ID
  • CVE Modified
  • STIX Malware Types
  • Expiration Date
  • Registrant Name
  • STIX Kill Chain Phases
  • Last Seen By Source
  • MAC Address
  • Signed
  • Domain Referring IPs
  • Registrar Abuse Email
  • Organizational Unit (OU)
  • Device Model
  • Reported By
  • File Extension
  • Account Type
  • ASN
  • BIOS Version
  • Indicator Identification
  • Service
  • Admin Email
  • Name Field
  • Registrant Email
  • DHCP Server
  • Region
  • Groups
  • Hostname
  • Threat Types
  • Name Servers
  • Domain Status
  • Traffic Light Protocol
  • CVE Description
  • Memory
  • Office365ExpressRoute
  • Organization
  • STIX Secondary Motivations
  • Signature Authentihash
  • imphash
  • IP Address
  • STIX Tool Version
  • STIX Threat Actor Types
  • File Type
  • Registrant Phone
  • STIX Aliases
  • Name
  • MD5
  • Detection Engines
  • OS Version
  • Admin Name
  • Campaign
  • Operating System Version
  • Processors
  • SHA1
  • Domain Referring Subnets
  • Size
  • Signature File Version
  • Signature Internal Name
  • Associated File Names
  • Domain Name
  • SSDeep
  • Positive Detections
  • Geo Location
  • Creation Date
  • Feed Related Indicators
  • Registrar Name
  • Domain IDN Name
  • STIX Tool Types
  • STIX Sophistication
  • Registrar Abuse Phone
  • Port
  • SHA256
  • Processor
  • Published

Indicator Types#

unifiedFileRep - Fixed an issue where the associated layout was not File Indicator.


ConcentricAI Pack v1.1.0 (Partner Supported)#

Integrations#

ConcentricAI#

Added the concentricai-get-file-sharing-details command, which adds file sharing details in the playbook.

Playbooks#

ConcentricAI Demo Playbook#

The playbook now enables one to fetch all file details, file sharing permissions along with user details of the owner.


Cortex Data Lake Pack v1.3.0#

Integrations#

Cortex Data Lake#
  • Added support for a caching mechanism for repetitive errors when requesting access token from CDL server.
  • Added the cdl-reset-authentication-timeout command to reset the failure counters of the caching mechanism.
  • Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.14327.

Crisis Management Pack v1.2.2#

Indicator Fields#

Last Name#
  • Job Title
  • Employee Response Status
  • Employee Health Status
  • First Name

CrowdStrike Falcon Pack v1.2.10#

Incident Types#

  • CrowdStrike Falcon Incident
  • CrowdStrike Falcon Detection

Integrations#

CrowdStrike Falcon#

Fixed an issue where an IOC, which does not exist, caused an error in the cs-device-ran-on and the cs-falcon-device-count-ioc commands.


Cymulate Pack v1.0.7 (Partner Supported)#

Incident Fields#

  • Cymulate Immediate Threats Payload Name
  • Cymulate Immediate Threats Attack ID
  • Cymulate Immediate Threats Module
  • Cymulate Immediate Threats Mitigations
  • Cymulate Immediate Threats Vector
  • Cymulate Immediate Threats Status
  • Cymulate Immediate Threats ID
  • Cymulate Immediate Threats File Type

EWS Pack v1.5.0#

Integrations#

New: O365 - Security And Compliance - Content Search (beta)#

This integration allows you to manage and interact with the Microsoft security and compliance content search.

Playbooks#

New: O365 - Security And Compliance - Search Action - Delete#

This playbook performs the following steps:

  1. Creates the new purge compliance search action.
  2. Waits for the compliance search action to complete.
  3. Retrieves the delete search action.
New: O365 - Security And Compliance - Search And Delete#

This playbook performs the following steps:

  1. Creates a compliance search.
  2. Starts a compliance search.
  3. Waits for the compliance search to complete.
  4. Gets the results of the compliance search.
  5. Gets the preview results, if specified.
  6. Deletes the search results (Hard/Soft purge).
New: O365 - Security And Compliance - Search Action - Preview#

This playbook performs the following steps:

  1. Creates the new Preview compliance search action (based on the created compliance search).
  2. Waits until the preview action completes.
  3. Retrieves the preview results.
New: O365 - Security And Compliance - Search#

This playbook performs the following steps:

  1. Creates a compliance search.
  2. Starts a compliance search.
  3. Wait for the compliance search to complete.
  4. Gets the results of the compliance search as an output.
  5. Gets the preview results, if specified.

Employee Offboarding Pack v1.0.5#

Incident Fields#

Offboarding Date - Updated the entity to conform to the new schema standards.


Expanse Pack v1.1.4 (Partner Supported)#

Incident Fields#

  • Expanse Exposure Type
  • Expanse Severity
  • ExpanseRawJSONEvent
  • Expanse Business Unit
  • Expanse Behavior Rule

Export Indicators Pack v1.0.1#

Integrations#

Export Indicators Service#
  • Fixed an issue where processing an indicator without a value raised an exception.
  • Updated the Docker image to: demisto/teams:1.0.0.14318.

Fetch Indicators From File Pack v1.0.2#

Scripts#

FetchIndicatorsFromFile#

Added support for Domain indicators context extraction.


GitHub Pack v1.1.3#

Integrations#

GitHub IAM#

Maintenance and stability enhancements.


IBM QRadar Pack v1.2.4#

Incident Fields#

  • List of Rules - Offense
  • Destination Network - Offense
  • Status - Offense
  • Low Level Categories - Offense
  • Credibility - Offense
  • Number Of Flows
  • Description - Offense
  • Username Count - Offense
  • Source Network - Offense
  • ID - Offense
  • Severity - Offense
  • Source IP - Offense
  • Type - Offense
  • Number Of Events In Offense
  • Magnitude - Offense
  • Domain - Offense
  • Destination IP - Offense
  • Relevance - Offense
  • Number Of Fetched Events
  • Offense Inactive

Integrations#

IBM QRadar v2#

Improved the error message when testing an integration instance with the Fetch Mode integration parameter set to Fetch With All Events or Fetch Correlation Events Only and no Event fields were provided.

Layouts#

Qradar Generic - Added the usernames field to the layout.


Indeni Pack v1.0.7 (Partner Supported)#

Incident Fields#

  • Indeni Issue ID
  • Indeni Device ID

Infinipoint Pack v1.0.3 (Partner Supported)#

Integrations#

Infinipoint#

Maintenance and stability enhancements.


Lastline Pack v1.0.3#

Integrations#

Lastline v2#
  • Added support for account-based authentication.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

LogRhythmRest Pack v1.0.2#

Integrations#

LogRhythmRest#

Improved implementation of error handling when an unexpected content type was returned.


Logz.io Pack v1.1.3 (Partner Supported)#

Integrations#

Logz.io#

Fixed an integration argument bug when fetching event logs from Logz.io.


MITRE ATT&CK Pack v1.1.7#

Indicator Fields#

MITRE System Requirements#
  • MITRE Platforms
  • MITRE Extended Aliases
  • MITRE Description
  • MITRE Contributors
  • MITRE Aliases
  • MITRE Labels
  • MITRE ID
  • MITRE Permissions Required
  • MITRE Kill Chain Phases
  • MITRE Detection
  • MITRE Type
  • MITRE Version
  • MITRE Impact Type
  • MITRE Data Sources
  • MITRE External References
  • MITRE Name
  • MITRE Defense Bypassed

Majestic Million Feed Pack v1.0.1#

Integrations#

Majestic Million Feed#

Maintenance and stability enhancements.


Microsoft Cloud App Security Pack v1.0.12#

Incident Types#

Microsoft CAS Alert


Microsoft Defender Advanced Threat Protection Pack v1.2.6#

Integrations#

Microsoft Defender Advanced Threat Protection#
  • Added the timeout argument to the microsoft-atp-advanced-hunting command.
  • Updated the Docker image to: demisto/crypto:1.0.0.14297.

NIST Pack v1.0.5#

Incident Fields#

  • Exactly what happened, and at what times?
  • What information was needed sooner?
  • Were any steps or actions taken that might have inhibited the recovery?
  • How could information sharing with other organizations have been improved?
  • What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
  • What corrective actions can prevent similar incidents in the future?
  • How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
  • What precursors or indicators should be watched for in the future to detect similar incidents?
  • What would the staff and management do differently the next time a similar incident occurs?

NTT Cyber Threat Sensor Pack v1.0.2 (Partner Supported)#

Incident Fields#

  • Graph Plot
  • FAERE Description

PAN-OS Pack v1.6.9#

Incident Fields#

Target Firewall Version - Updated the entity to conform to the new schema standards.


PCAP Analysis Pack v2.3.7#

Incident Fields#

  • PCAP file
  • PCAP Flows
  • PCAP Start Time
  • PCAP Number Of Packets
  • PCAP End Time
  • PCAP Number Of Streams
  • PCAP File Name
  • PCAP File Size

PagerDuty Pack v1.0.2#

Integrations#

PagerDuty v2#
  • Fixed an issue where the PagerDuty-incidents command failed when non-ASCII characters were returned from the API response.
  • Fixed an issue where triggering events failed due to changes done in the previous version.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.7.0#

Classifiers#

Cortex XDR - Incoming Mapper#

Added mapping to the LastMirroredInTime field.

Cortex XDR - IR#

Added mapping to the following fields.

  • XDR Alerts
  • XDR File Artifacts
  • XDR Network Artifacts
  • XDR Modification Time
  • LastMirroredInTime fields.

Incident Fields#

  • XDR Modification Time
  • LastMirroredInTime
  • XDR manual severity

Indicator Fields#

XDR Modification Time - Updated the entity to conform to the new schema standards.

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#

Changed the name of the event_timestampt argument to event_timestamp in the xdr-insert-parsed-alert command.

  • Added 9 commands.

    • xdr-delete-endpoints
    • xdr-get-policy
    • xdr-get-endpoint-device-control-violations
    • xdr-retrieve-files
    • xdr-retrieve-file-details
    • xdr-get-scripts
    • xdr-get-script-metadata
    • xdr-get-script-code
    • xdr-action-get-status
  • Added the option to return only modified incidents from the xdr-get-incident-extra-data command to improve mirroring rate limit handling.

  • Updated the Docker image to: demisto/python3:3.8.6.12176.

Playbooks#

Cortex XDR - Check Action Status#

Added a playbook that takes an action ID and checks its action status.

Cortex XDR - Retrieve File Playbook#

Added a playbook that retrieves a file from selected endpoints and adds the file link to the War Room.

Cortex XDR incident handling v3#
  • Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
  • Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
  • Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v3 playbook.
  • Added the internalRanges input to the XDR Alerts handling sub-playbook.
Cortex XDR incident handling v2#
  • Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
  • Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
  • Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v2 playbook.
  • Added the internalRanges input to the XDR Alerts handling sub-playbook.
Cortex XDR Alerts Handling#

Updated the host_ip input for the Cortex XDR - Malware Investigation sub-playbook to accept the host IP list.

Cortex XDR - Port Scan#

Fixed an issue where an error was raised when the playbook expected lateral movement alerts as part of port scan events.

Scripts#

XDRSyncScript#

Updated to support the xdr-get-incident-extra-data command enhancement in order to avoid rate limit errors from XDR.


Pentera Pack v1.0.3 (Partner Supported)#

Incident Fields#

Pentera Operation Details - Updated the entity to conform to the new schema standards.


PhishTank Pack v2.0.2#

Integrations#

PhishTank v2#

Breaking Change: Updated the url command to return multiple entries (entry per indicator) instead of a single entry.


Polygon Pack v1.0.2 (Partner Supported)#

Integrations#

Group-IB TDS Polygon#
  • Breaking Change: Updated the following reputation commands to return multiple entries (entry per indicator) instead of a single entry.

    • ip
    • domain
    • file
    • url
    • process
    • registry
  • Updated the Docker image to: demisto/python3:3.8.6.14516.


Prisma Cloud Pack v1.5.0#

Integrations#

Prisma Cloud (RedLock)#
  • Added the redlock-get-RQL-response command.
  • Added the ability to snooze alerts.

Prisma Cloud Compute Pack v1.0.6#

Incident Fields#

  • Prisma Cloud Compute Project
  • Prisma Cloud Compute Error
  • Prisma Cloud Compute Forensic
  • Prisma Cloud Compute Line
  • Prisma Cloud Compute Function
  • Prisma Cloud Compute Log File
  • Prisma Cloud Compute Collections
  • Prisma Cloud Compute Container
  • Prisma Cloud Compute Category
  • Prisma Cloud Compute Image
  • Prisma Cloud Compute Raw Alert JSON
  • Prisma Cloud Compute Markdown
  • Prisma Cloud Compute Total
  • Prisma Cloud Compute AppID
  • Prisma Cloud Compute Host
  • Prisma Cloud Compute Message
  • Prisma Cloud Compute Command
  • Prisma Cloud Compute Type
  • Prisma Cloud Compute FQDN
  • Prisma Cloud Compute Service Type
  • Prisma Cloud Compute Kubernetes Resource
  • Prisma Cloud Compute Activity Type
  • Prisma Cloud Compute Rule
  • Prisma Cloud Compute Runtime
  • Prisma Cloud Compute Registry
  • Prisma Cloud Compute Provider
  • Prisma Cloud Compute User
  • Prisma Cloud Compute Distribution
  • Prisma Cloud Compute Interactive
  • Prisma Cloud Compute Credential ID
  • Prisma Cloud Compute Region
  • Prisma Cloud Compute Protected
  • Prisma Cloud Compute Service
  • Prisma Cloud Compute Labels

Integrations#

Palo Alto Networks - Prisma Cloud Compute#
  • Fixed an issue where some alerts were not processed properly when fetching incidents.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Proofpoint Protection Server Pack v1.0.5#

Integrations#

Proofpoint Protection Server (Beta)#
  • Improved the implementation of the error handling in the proofpoint-download-email command.
  • Improved the description of the message_id argument in the proofpoint-download-email command.

Pulsedive Pack v1.0.1 (Community Contributed)#

Integrations#

Pulsedive#
  • Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
    • ip
    • url
    • domain
  • Added missing outputs to the url command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

Rapid Breach Response Pack v1.0.2#

Playbooks#

SolarStorm and SUNBURST Hunting and Response Playbook#
  • Added the SolarStorm and SUNBURST Hunting and Response playbook.
  • Updated the playbook description.
  • The playbook will be available from Cortex XSOAR v5.5.

Recorded Future Feed Pack v1.0.6#

Indicator Fields#

Recorded Future Evidence Details - Updated the entity to conform to the new schema standards.


RiskIQ Digital Footprint Pack v1.0.4 (Partner Supported)#

Integrations#

RiskIQ Digital Footprint#
  • Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
    • df-asset-connections
    • df-get-asset commands
    • df-asset-connections
  • Updated the Docker image to the latest version.

SANS Pack v1.1.2#

Incident Fields#

  • Suggestions and discussion of how to improve the team
  • What were the areas where the CIRT teams were effective?
  • How was the incident contained and eradicated?
  • What was the work performed during recovery?
  • What was the scope of the incident?
  • When was the problem first detected and by whom?
  • What are the areas that need improvement?
  • SANS Stage

SafeBreach - Breach and Attack Simulation platform Pack v1.1.3 (Partner Supported)#

Layouts#

SafeBreach Insight - Updated the entity to conform to the new schema standards.


SentinelOne Pack v1.0.5#

Integrations#

SentinelOne v2#
  • Improved error message processing from the SentinelOne API.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

ServiceNow Pack v2.1.0#

Integrations#

New: ServiceNow CMDB#

Added the ServiceNow CMDB integration.


Slack Pack v1.3.9#

Integrations#

Slack v2#
  • Added the filtered_tags parameter to filter the messages sent from Demisto by tags. Only supported in Cortex XSOAR V6.1 and above.
  • Fixed an issue where an error was raised when a non-strict JSON passed to the blocks argument in the send-notification command.

Smokescreen IllusionBLACK Pack v1.0.6 (Partner Supported)#

Incident Fields#

  • IllusionBLACK Threat Parse
  • IllusionBLACK Events
  • IllusionBLACK Decoy ID
  • IllusionBLACK Attacker ID
  • IllusionBLACK Attack Type

Spamcop Pack v1.0.1 (Community Contributed)#

Integrations#

Spamcop#
  • Updated the ip command with new code conventions.
  • Fixed the outputs of the ip command.
  • Updated the Docker image to: demisto/python3:3.8.6.13358.

SplunkPy Pack v1.2.6#

Integrations#

SplunkPy#

Fixed an issue where providing a raw field that is wrapped in double quotes in a notable event would return with the key set as the value in the incident metadata if it did not exist.


Symantec Blue Coat Content and Malware Analysis (Beta) Pack v1.0.1#

Integrations#

Symantec Blue Coat Content and Malware Analysis (Beta)#

Fixed an issue where files with special characters in their names were not handled properly in the symantec-cma-upload-file command.


Synapse Pack v1.0.1 (Community Contributed)#

Integrations#

Synapse#
  • Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
    • ip
    • url
    • domain
    • file
  • Added missing outputs to the following commands.
    • ip
    • url
    • domain
    • file
  • Updated the Docker image to: demisto/aiohttp:1.0.0.13810.

Tripwire Pack v1.0.1#

Integrations#

Tripwire#

Breaking Change: Fixed an issue where the argument name in the tripwire-rules-list command was wrong.


TruSTAR Pack v2.1.1 (Partner Supported)#

Integrations#

TruSTAR v2#
  • Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
    • trustar-indicator-summaries
    • trustar-related-indicators
    • trustar-indicator-summaries
    • trustar-get-whitelisted-indicators
    • trustar-trending-indicators
    • trustar-get-indicators-for-report
    • trustar-search-indicators
    • trustar-get-phishing-indicators
  • Updated the Docker image to: demisto/trustar:20.2.0.13605.

XM Cyber Pack v1.0.2 (Partner Supported)#

Integrations#

XM Cyber#

Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.

  • ip
  • xmcyber-hostname

XSOAR Mirroring Pack v2.0.0#

Breaking Change: Removed the following items from the pack.

  • Incident field (from Pong)
  • Incident types (from Ping and Pong)
  • Classifier
  • Mapper

Integrations#

XSOAR Mirroring#

Maintenance and stability enhancements.

Classifiers#

XSOAR Incoming Mapper#

Added a default mapper for the integration.


abuse.ch SSL Blacklist Feed Pack v1.0.5#

Integrations#

abuse.ch SSL Blacklist Feed#

Maintenance and stability enhancements.


iDefense Pack v3.0.0#

Integrations#

iDefense v2#

Updated the Docker image to: demisto/python3:3.8.6.13358.

New: iDefense Feed#

Fetches indicators from iDefense feed according to the applied filters.


Assets#