Cortex XSOAR Content Release Notes for version 20.12.1 (229240)

Published on 22 December 2020

Breaking Changes

The following packs include breaking changes.

• ARIAPacketIntelligence Pack v2.0.0
• PhishTank Pack v2.0.2
• Polygon Pack v1.0.2
• Pulsedive Pack v1.0.1
• RiskIQ Digital Footprint Pack v1.0.4
• Synapse Pack v1.0.1
• Tripwire Pack v1.0.1
• TruSTAR Pack v2.1.1
• XM Cyber Pack v1.0.2
• XSOAR Mirroring Pack v2.0.0

New: Rapid Breach Response Pack v1.0.0

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

This playbook does the following:

• Collects indicators to aid in your threat hunting process.

  • Retrieves IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
  • Retrieves C2 domains and URLs associated with Sunburst.
  • Discovers IOCs of associated activity related to the infection.
  • Generates an indicator list to block indicators with SUNBURST tags.

• Hunts for the SUNBURST backdoor.

  • Queries firewall logs to detect network activity.
  • Searches endpoint logs for Sunburst hashes to detect presence on hosts.

• If compromised hosts are found the playbook:

  • Notifies the security team to review and trigger remediation response actions.
  • Fires off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

    Note: This is a beta pack, which lets you implement and test pre-released software. Since the pack is a beta version, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve the pack.

---

New: AWS-NetworkFirewall Pack v1.0.0

Integrations

AWS Network Firewall

AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With AWS Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system (IDS) engine.

---

New: Centrify Vault Pack v1.0.0 (Community Contributed)

Integrations

Centrify Vault

Leverage the Centrify Vault integration to create and manage secrets.

---

New: Cisco Umbrella Enforcement Pack v1.0.0

Integrations

Cisco Umbrella Enforcement

Add and remove domains in Cisco OpenDNS.

---

New: Cloud Convert Pack v1.0.0

Integrations

CloudConvert

Use the CloudConvert integration to convert your files to the desired format.

Playbooks

CloudConvert - Convert File

Use this playbook to convert a file to the required format using CloudConvert.

---

New: Cryptocurrency Pack v1.0.0

Indicator Fields

Cryptocurrency Address Type

Indicator Types

Cryptocurrency Address

Integrations

Cryptocurrency

Cryptocurrency will help classify Cryptocurrency indicators as suspicious when ingested.

Layouts

Cryptocurrency Address - Indicator Details

Scripts

CryptoCurrenciesFormat

Verifies that a crypto address is valid and only returns the address if it is valid.

---

New: Darktrace Pack v1.0.0 (Partner Supported)

Classifiers

Darktrace Incident Classifier

Classifies all incidents fetched by the Darktrace integration as Darktrace Model Breach type incidents for the purpose of using the integration playbooks.

Darktrace Model Breach Mapper

Maps model breach fields to mappings for use in integration playbooks.

Incident Fields

• Darktrace Comment Count - Number of comments in the Darktrace model breach.
• Darktrace Device Hostname - Hostname associated with the device in Darktrace.
• Darktrace Device ID - ID associated with the device in Darktrace.
• Darktrace Device IP - IP address associated with the device in Darktrace.
• Darktrace Device Label - Device label associated with the device in Darktrace.
• Darktrace Device MAC - MAC address associated with the device in Darktrace.
• Darktrace Device Vendor Vendor associated with the device in Darktrace.
• Darktrace Model Breach Description - Description of the model breach.
• Darktrace Model Breach ID - Darktrace Model Breach ID (PBID) of the model breach.
• Darktrace Model Breach Score - Darktrace model breach score.
• Darktrace Model ID - Model ID (PID) associated with the model breach in Darktrace.
• Darktrace Model Name - Name associated with the model breach in Darktrace.
• Darktrace Model Priority - Priority of the model breach in Darktrace.
• Darktrace Model Tags - Tags associated with the model breach in Darktrace.
• Darktrace Model UUID - Model UUID associated with the model breach in Darktrace.

Incident Types

Darktrace Model Breach

Integrations

Darktrace

Rapid detection of malicious behavior can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate and manage security events before they have time to escalate.

Playbooks

Handle Darktrace Model Breach

Handles each fetched Darktrace model breach by gathering additional detail about the activity and device, providing enrichment data from Darktrace and XSOAR, linking similar incidents, and providing the ability to acknowledge the model breach and close the incident.

---

New: ModulesManagement Pack v1.0.0

Scripts

GetInstances

Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).

---

New: Public DNS Feed Pack v1.0.0

Integrations

Public DNS Feed

Fetches IP addresses from the Public DNS feed.

---

New: Sophos Central Pack v1.0.0

Classifiers

Sophos Central - Classifier

Classifies Sophos Central incidents.

Sophos Central - Incoming Mapper

Maps incoming alerts from Sophos Central.

Incident Types

Sophos Central Incident

Integrations

Sophos Central

The unified console for managing Sophos products.

---

New: Tripwire Pack v1.0.0

Classifiers

Tripwire - Classifier

Classifies Tripwire incidents.

Tripwire - Incoming Mapper

Maps incoming Tripwire incident fields.

Incident Types

Tripwire File Change

Integrations

Tripwire

Tripwire is a file integrity management (FIM) system. FIM monitors files and folders on systems and is triggered when they have changed.

Layouts

Tripwire File Change - Summary

Playbooks

Tripwire Incident IP Enrichment

Enriches the IP of a node.

---

New: Windows Remote Management Pack v1.0.0

Integrations

Windows Remote Management (Beta)

Uses the Python pywinrm library and commands to execute either a process or Powershell scripts.

---

New: X509Certificate Pack v1.0.0

Incident Fields

• Certificate Names
• Certificate Signature
• Certificate Validation Checks
• Extension
• Issuer DN
• PEM
• Public Key
• SPKI SHA256
• Serial Number
• Subject Alternative Names
• Subject DN
• Validity Not After
• Validity Not Before

Indicator Types

Certificate

Layouts

• Certificate Indicator

Scripts

CertificateExtract

Extracts fields from a certificate file and returns the standard context.

CertificateReputation

Enriches and calculates the reputation of a certificate indicator.

---

ARIAPacketIntelligence Pack v2.0.0 (Partner Supported)

Integrations

ARIA Packet Intelligence

• Breaking Change:
  • Updated the integration to match the latest Packet Intelligence REST API.
  • Removed the following arguments.
    • label_sia_region
    • label_sia_group
    • label_sia_name
• Uses Remediation Configuration String (RCS) in the command to select SIA.

---

AlienVault Feed Pack v1.0.8

Integrations

AlienVault Reputation Feed

Maintenance and stability enhancements.

---

Anomali Enterprise Pack v1.0.1

Integrations

Anomali Match

• Rebranded Anomali Enterprise to Anomali Match.
• Added the DGA tag to the domain command.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

Playbooks

Anomali Enterprise Forensic Search

Updated playbook descriptions.

---

Anomali ThreatStream Pack v1.1.0

Integrations

Anomali ThreatStream v2

Fixed an issue where only MD5 hash data was returned for all hash types in the file and threatstream-get-indicators commands.

---

Asset Pack v1.0.1

Incident Fields

• Switch ID - Asset
• IP Address - Asset
• MAC Address - Asset
• Asset Table
• Location - Asset
• Switch Port ID - Asset
• ID - Asset
• Description - Asset

---

Azure Feed Pack v1.0.4

Integrations

Azure Feed

• Fixed an issue where some indicators were fetched twice.
• Added AzureDevOps to the list of supported services.

---

AzureSentinel Pack v1.0.6

Integrations

Azure Sentinel (Beta)

• Added the classification and the classification_reason arguments to the azure-sentinel-update-incident command.
• Updated the Docker image to: demisto/crypto:1.0.0.14297.

---

Bambenek Consulting Feed Pack v1.0.6

Integrations

Bambenek Consulting Feed

• Fixed an issue where an empty Authorization header would be sent if the credentials parameter had an empty string in it.
• Updated the C2 IP feed and C2 Domain feed links.
• Updated the Docker image to: demisto/python3:3.8.6.14516.

---

Barracuda Pack v1.0.1 (Community Contributed)

Integrations

Barracuda Reputation Block List (BRBL)

• Updated the ip command with new code conventions.
• Fixed the outputs of the ip command.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

---

Base Pack v1.5.3

Scripts

CommonServerPython

• Updated BaseClient._http_request to include an optional argument for an empty codes list.
• Added CRYPTOCURRENCY to DBotScoreType.
• Added the Cryptocurrency indicator context to Common.
• Added the tags field to the Domain indicator class.
• Added support for clickable URL fields using the url argument in the tableToMarkdown method.
• Fixed an issue with the aws_table_to_markdown function, which failed on an empty list.
• Improved the log formatter to remove sensitive URL query parameters.

CommonServerPowerShell

• Fixed the setIntegrationContext method in the $Demisto class.
• Added a new helper function, ConvertTo-Boolean, which converts a string to boolean.

---

Box Pack v2.0.0

Classifiers

New: Box Incident Incoming Mapper

Maps incoming Box incident fields.

Incident Fields

• Box Source Parent Name
• Box Source Parent ID
• Box Source Owner Name
• Box Source Owner ID
• Box Source Created By Name
• Box Source Created By ID

Incident Types

Integrations

Box (Deprecated)

Deprecated. Use the Box v2 integration instead.

New: Box v2

• Manage Box users.
• Updated the Docker image to: demisto/pyjwt3:1.0.0.8871.

Layouts

Box Incident

---

Brute Force Pack v1.2.2

Incident Fields

• Account Groups
• Successful Login
• Password Expiration Status
• Login Attempt Count
• User Disabled Status

---

CSV Feed Pack v1.0.6

Integrations

CSV Feed

Fixed an issue where an empty Authorization header would be sent when the credentials parameter had an empty string in it.

---

Check Point Firewall Pack v2.0.6

Integrations

Check Point Firewall v2

• Updated the checkpoint-login-and-get-session-id command to add an optional domain parameter allowing MDS logins.
• Updated the Docker image to: demisto/python3:3.8.6.14516.

---

CiscoFirepower Pack v1.0.1

Integrations

Cisco Firepower

• Fixed an issue where the ciscofp-deploy-to-devices command did not work in some versions of Cisco Firepower.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

---

Claroty Pack v1.0.7 (Partner Supported)

Incident Fields

• Claroty Alert Type
• Claroty Related Assets
• Claroty Category
• Claroty Alert Resolved
• Claroty Network ID
• Claroty Resource ID
• Claroty Site ID

---

Code42 Pack v2.0.8 (Partner Supported)

Incident Fields

• Code42 Alert Type
• Code42 Severity
• Code42 SecurityAlert Timestamp
• Code42 Username
• Exfiltrated Files
• Code42 SecurityAlert Description
• Code42 File Events
• Code42 SecurityAlert ID
• Code42 SecurityAlert Name
• Code42 SecurityAlert State

---

Common Playbooks Pack v1.8.6

Playbooks

Dedup - Generic v2

Deprecated. Use the Dedup Generic v3 playbook instead.

Dedup - Generic v3

The new version of the Dedup playbook that includes the PhishingDedupPreprocessingRule new machine learning script, which identifies duplicate Phishing incidents.

---

Common Scripts Pack v1.3.6

Scripts

New: ConvertDatetoUTC

Converts a date from a different timezone to UTC timezone.

ScheduleGenericPolling

Added support for non-English characters in the ids argument.

DateStringToISOFormat

• Added the add_utc_timezone argument to indicate whether to add a UTC timezone in case an offset-naive date was provided as an input.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

GetDomainDNSDetails

Added the missing DomainDNSDetails.CNAME script output. This output is the Domain CNAME records.

RepopulateFiles

Fixed an issue where the script failed when there were no files to repopulate.

DeleteContext

Fixed an issue where using the keysToKeep argument on a context key that contained an array with duplicate values would also perform deduplication on the array.

---

Common Types Pack v2.7.1

Incident Fields

• Application Id
• Application Name
• IncomingMirrorError
• OutgoingMirrorError
• Dst Ports
• Log Source Type
• Assignment Group
• Pre Nat Destination Port
• Log Source Name
• CVSS Confidentiality Requirement
• Detected Users
• High Level Categories
• Escalation
• Traffic Direction
• Ticket Opened Date
• Source IPV6
• Low Level Categories Events
• DNS Name
• Close Time
• Ticket Number
• Source IPs
• Technical User
• Compliance Notes
• Source Geolocation
• Pre Nat Source Port
• Destination MAC Address
• Destination Hostname
• Number Of Log Sources
• Detected Internal Hosts
• Pre Nat Source IP
• Protocols
• Category Count
• Raw Event
• Technical Owner
• Device Time
• Event Descriptions
• Detected External Hosts
• Source Hostname
• Technical Owner Contact
• Last Update Time
• Post Nat Source IP
• CVSS Availability Requirement
• Follow Up
• List Of Rules - Event
• Detected Internal IPs
• Closing User
• Destination IPs
• Detected External IPs
• Unique Ports
• Caller
• Source MAC Address
• Usernames
• sAMAccountName
• Post Nat Destination Port
• Post Nat Source Port
• Dest Hostname
• Mobile Device Model
• CVSS Collateral Damage Potential
• Closing Reason
• Event Names
• Start Time
• Events
• Src Hostname
• Destination Geolocation
• Src Ports
• userAccountControl
• Protocol - Event
• Post Nat Destination IP
• Destination IPV6
• CVSS Integrity Requirement
• Ticket Closed Date
• Dest OS
• Device Id
• Policy Description
• SHA512
• SHA1
• Policy ID

Indicator Fields

Primary Motivation

Malware types

Tags

Fixed Tags field having empty options.

Signature Description

• Registrant Country
• Internal
• STIX ID
• CVSS
• Admin Phone
• DNS
• Office365Required
• Admin Country
• STIX Description
• Display Name
• Geo Country
• Username
• SHA512
• Description
• Actor
• Category
• Office365Category
• STIX Primary Motivation.
• Source Original Severity
• STIX Resource Level
• Email Address
• STIX Roles
• Updated Date
• Operating System
• Associations
• STIX Is Malware Family
• Subdomains
• Signature Copyright
• STIX Goals
• First Seen By Source
• Path
• Malware Family
• Entry ID
• CVE Modified
• STIX Malware Types
• Expiration Date
• Registrant Name
• STIX Kill Chain Phases
• Last Seen By Source
• MAC Address
• Signed
• Domain Referring IPs
• Registrar Abuse Email
• Organizational Unit (OU)
• Device Model
• Reported By
• File Extension
• Account Type
• ASN
• BIOS Version
• Indicator Identification
• Service
• Admin Email
• Name Field
• Registrant Email
• DHCP Server
• Region
• Groups
• Hostname
• Threat Types
• Name Servers
• Domain Status
• Traffic Light Protocol
• CVE Description
• Memory
• Office365ExpressRoute
• Organization
• STIX Secondary Motivations
• Signature Authentihash
• imphash
• IP Address
• STIX Tool Version
• STIX Threat Actor Types
• File Type
• Registrant Phone
• STIX Aliases
• Name
• MD5
• Detection Engines
• OS Version
• Admin Name
• Campaign
• Operating System Version
• Processors
• SHA1
• Domain Referring Subnets
• Size
• Signature File Version
• Signature Internal Name
• Associated File Names
• Domain Name
• SSDeep
• Positive Detections
• Geo Location
• Creation Date
• Feed Related Indicators
• Registrar Name
• Domain IDN Name
• STIX Tool Types
• STIX Sophistication
• Registrar Abuse Phone
• Port
• SHA256
• Processor
• Published

Indicator Types

unifiedFileRep - Fixed an issue where the associated layout was not File Indicator.

---

ConcentricAI Pack v1.1.0 (Partner Supported)

Integrations

ConcentricAI

Added the concentricai-get-file-sharing-details command, which adds file sharing details in the playbook.

Playbooks

ConcentricAI Demo Playbook

The playbook now enables one to fetch all file details, file sharing permissions along with user details of the owner.

---

Cortex Data Lake Pack v1.3.0

Integrations

Cortex Data Lake

• Added support for a caching mechanism for repetitive errors when requesting access token from CDL server.
• Added the cdl-reset-authentication-timeout command to reset the failure counters of the caching mechanism.
• Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.14327.

---

Crisis Management Pack v1.2.2

Indicator Fields

Last Name

• Job Title
• Employee Response Status
• Employee Health Status
• First Name

---

CrowdStrike Falcon Pack v1.2.10

Incident Types

• CrowdStrike Falcon Incident
• CrowdStrike Falcon Detection

Integrations

CrowdStrike Falcon

Fixed an issue where an IOC, which does not exist, caused an error in the cs-device-ran-on and the cs-falcon-device-count-ioc commands.

---

Cymulate Pack v1.0.7 (Partner Supported)

Incident Fields

• Cymulate Immediate Threats Payload Name
• Cymulate Immediate Threats Attack ID
• Cymulate Immediate Threats Module
• Cymulate Immediate Threats Mitigations
• Cymulate Immediate Threats Vector
• Cymulate Immediate Threats Status
• Cymulate Immediate Threats ID
• Cymulate Immediate Threats File Type

---

EWS Pack v1.5.0

Integrations

New: O365 - Security And Compliance - Content Search (beta)

This integration allows you to manage and interact with the Microsoft security and compliance content search.

Playbooks

New: O365 - Security And Compliance - Search Action - Delete

This playbook performs the following steps:

1. Creates the new purge compliance search action.
2. Waits for the compliance search action to complete.
3. Retrieves the delete search action.

New: O365 - Security And Compliance - Search And Delete

This playbook performs the following steps:

1. Creates a compliance search.
2. Starts a compliance search.
3. Waits for the compliance search to complete.
4. Gets the results of the compliance search.
5. Gets the preview results, if specified.
6. Deletes the search results (Hard/Soft purge).

New: O365 - Security And Compliance - Search Action - Preview

This playbook performs the following steps:

1. Creates the new Preview compliance search action (based on the created compliance search).
2. Waits until the preview action completes.
3. Retrieves the preview results.

New: O365 - Security And Compliance - Search

This playbook performs the following steps:

1. Creates a compliance search.
2. Starts a compliance search.
3. Wait for the compliance search to complete.
4. Gets the results of the compliance search as an output.
5. Gets the preview results, if specified.

---

Employee Offboarding Pack v1.0.5

Incident Fields

Offboarding Date - Updated the entity to conform to the new schema standards.

---

Expanse Pack v1.1.4 (Partner Supported)

Incident Fields

• Expanse Exposure Type
• Expanse Severity
• ExpanseRawJSONEvent
• Expanse Business Unit
• Expanse Behavior Rule

---

Export Indicators Pack v1.0.1

Integrations

Export Indicators Service

• Fixed an issue where processing an indicator without a value raised an exception.
• Updated the Docker image to: demisto/teams:1.0.0.14318.

---

Fetch Indicators From File Pack v1.0.2

Scripts

FetchIndicatorsFromFile

Added support for Domain indicators context extraction.

---

GitHub Pack v1.1.3

Integrations

GitHub IAM

Maintenance and stability enhancements.

---

IBM QRadar Pack v1.2.4

Incident Fields

• List of Rules - Offense
• Destination Network - Offense
• Status - Offense
• Low Level Categories - Offense
• Credibility - Offense
• Number Of Flows
• Description - Offense
• Username Count - Offense
• Source Network - Offense
• ID - Offense
• Severity - Offense
• Source IP - Offense
• Type - Offense
• Number Of Events In Offense
• Magnitude - Offense
• Domain - Offense
• Destination IP - Offense
• Relevance - Offense
• Number Of Fetched Events
• Offense Inactive

Integrations

IBM QRadar v2

Improved the error message when testing an integration instance with the Fetch Mode integration parameter set to Fetch With All Events or Fetch Correlation Events Only and no Event fields were provided.

Layouts

Qradar Generic - Added the usernames field to the layout.

---

Indeni Pack v1.0.7 (Partner Supported)

Incident Fields

• Indeni Issue ID
• Indeni Device ID

---

Infinipoint Pack v1.0.3 (Partner Supported)

Integrations

Infinipoint

Maintenance and stability enhancements.

---

Lastline Pack v1.0.3

Integrations

Lastline v2

• Added support for account-based authentication.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

---

LogRhythmRest Pack v1.0.2

Integrations

LogRhythmRest

Improved implementation of error handling when an unexpected content type was returned.

---

Logz.io Pack v1.1.3 (Partner Supported)

Integrations

Logz.io

Fixed an integration argument bug when fetching event logs from Logz.io.

---

MITRE ATT&CK Pack v1.1.7

Indicator Fields

MITRE System Requirements

• MITRE Platforms
• MITRE Extended Aliases
• MITRE Description
• MITRE Contributors
• MITRE Aliases
• MITRE Labels
• MITRE ID
• MITRE Permissions Required
• MITRE Kill Chain Phases
• MITRE Detection
• MITRE Type
• MITRE Version
• MITRE Impact Type
• MITRE Data Sources
• MITRE External References
• MITRE Name
• MITRE Defense Bypassed

---

Majestic Million Feed Pack v1.0.1

Integrations

Majestic Million Feed

Maintenance and stability enhancements.

---

Microsoft Cloud App Security Pack v1.0.12

Incident Types

Microsoft CAS Alert

---

Microsoft Defender Advanced Threat Protection Pack v1.2.6

Integrations

Microsoft Defender Advanced Threat Protection

• Added the timeout argument to the microsoft-atp-advanced-hunting command.
• Updated the Docker image to: demisto/crypto:1.0.0.14297.

---

NIST Pack v1.0.5

Incident Fields

• Exactly what happened, and at what times?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• How could information sharing with other organizations have been improved?
• What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
• What corrective actions can prevent similar incidents in the future?
• How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
• What precursors or indicators should be watched for in the future to detect similar incidents?
• What would the staff and management do differently the next time a similar incident occurs?

---

NTT Cyber Threat Sensor Pack v1.0.2 (Partner Supported)

Incident Fields

• Graph Plot
• FAERE Description

---

PAN-OS Pack v1.6.9

Incident Fields

Target Firewall Version - Updated the entity to conform to the new schema standards.

---

PCAP Analysis Pack v2.3.7

Incident Fields

• PCAP file
• PCAP Flows
• PCAP Start Time
• PCAP Number Of Packets
• PCAP End Time
• PCAP Number Of Streams
• PCAP File Name
• PCAP File Size

---

PagerDuty Pack v1.0.2

Integrations

PagerDuty v2

• Fixed an issue where the PagerDuty-incidents command failed when non-ASCII characters were returned from the API response.
• Fixed an issue where triggering events failed due to changes done in the previous version.

---

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.7.0

Classifiers

Cortex XDR - Incoming Mapper

Added mapping to the LastMirroredInTime field.

Cortex XDR - IR

Added mapping to the following fields.

• XDR Alerts
• XDR File Artifacts
• XDR Network Artifacts
• XDR Modification Time
• LastMirroredInTime fields.

Incident Fields

• XDR Modification Time
• LastMirroredInTime
• XDR manual severity

Indicator Fields

XDR Modification Time - Updated the entity to conform to the new schema standards.

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Changed the name of the event_timestampt argument to event_timestamp in the xdr-insert-parsed-alert command.

• Added 9 commands.

  • xdr-delete-endpoints
  • xdr-get-policy
  • xdr-get-endpoint-device-control-violations
  • xdr-retrieve-files
  • xdr-retrieve-file-details
  • xdr-get-scripts
  • xdr-get-script-metadata
  • xdr-get-script-code
  • xdr-action-get-status

• Added the option to return only modified incidents from the xdr-get-incident-extra-data command to improve mirroring rate limit handling.

• Updated the Docker image to: demisto/python3:3.8.6.12176.

Playbooks

Cortex XDR - Check Action Status

Added a playbook that takes an action ID and checks its action status.

Cortex XDR - Retrieve File Playbook

Added a playbook that retrieves a file from selected endpoints and adds the file link to the War Room.

Cortex XDR incident handling v3

• Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
• Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
• Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v3 playbook.
• Added the internalRanges input to the XDR Alerts handling sub-playbook.

Cortex XDR incident handling v2

• Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
• Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
• Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v2 playbook.
• Added the internalRanges input to the XDR Alerts handling sub-playbook.

Cortex XDR Alerts Handling

Updated the host_ip input for the Cortex XDR - Malware Investigation sub-playbook to accept the host IP list.

Cortex XDR - Port Scan

Fixed an issue where an error was raised when the playbook expected lateral movement alerts as part of port scan events.

Scripts

XDRSyncScript

Updated to support the xdr-get-incident-extra-data command enhancement in order to avoid rate limit errors from XDR.

---

Pentera Pack v1.0.3 (Partner Supported)

Incident Fields

Pentera Operation Details - Updated the entity to conform to the new schema standards.

---

PhishTank Pack v2.0.2

Integrations

PhishTank v2

Breaking Change: Updated the url command to return multiple entries (entry per indicator) instead of a single entry.

---

Polygon Pack v1.0.2 (Partner Supported)

Integrations

Group-IB TDS Polygon

• Breaking Change: Updated the following reputation commands to return multiple entries (entry per indicator) instead of a single entry.

  • ip
  • domain
  • file
  • url
  • process
  • registry

• Updated the Docker image to: demisto/python3:3.8.6.14516.

---

Prisma Cloud Pack v1.5.0

Integrations

Prisma Cloud (RedLock)

• Added the redlock-get-RQL-response command.
• Added the ability to snooze alerts.

---

Prisma Cloud Compute Pack v1.0.6

Incident Fields

• Prisma Cloud Compute Project
• Prisma Cloud Compute Error
• Prisma Cloud Compute Forensic
• Prisma Cloud Compute Line
• Prisma Cloud Compute Function
• Prisma Cloud Compute Log File
• Prisma Cloud Compute Collections
• Prisma Cloud Compute Container
• Prisma Cloud Compute Category
• Prisma Cloud Compute Image
• Prisma Cloud Compute Raw Alert JSON
• Prisma Cloud Compute Markdown
• Prisma Cloud Compute Total
• Prisma Cloud Compute AppID
• Prisma Cloud Compute Host
• Prisma Cloud Compute Message
• Prisma Cloud Compute Command
• Prisma Cloud Compute Type
• Prisma Cloud Compute FQDN
• Prisma Cloud Compute Service Type
• Prisma Cloud Compute Kubernetes Resource
• Prisma Cloud Compute Activity Type
• Prisma Cloud Compute Rule
• Prisma Cloud Compute Runtime
• Prisma Cloud Compute Registry
• Prisma Cloud Compute Provider
• Prisma Cloud Compute User
• Prisma Cloud Compute Distribution
• Prisma Cloud Compute Interactive
• Prisma Cloud Compute Credential ID
• Prisma Cloud Compute Region
• Prisma Cloud Compute Protected
• Prisma Cloud Compute Service
• Prisma Cloud Compute Labels

Integrations

Palo Alto Networks - Prisma Cloud Compute

• Fixed an issue where some alerts were not processed properly when fetching incidents.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

---

Proofpoint Protection Server Pack v1.0.5

Integrations

Proofpoint Protection Server (Beta)

• Improved the implementation of the error handling in the proofpoint-download-email command.
• Improved the description of the message_id argument in the proofpoint-download-email command.

---

Pulsedive Pack v1.0.1 (Community Contributed)

Integrations

Pulsedive

• Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
  • ip
  • url
  • domain
• Added missing outputs to the url command.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

---

Rapid Breach Response Pack v1.0.2

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

• Added the SolarStorm and SUNBURST Hunting and Response playbook.
• Updated the playbook description.
• The playbook will be available from Cortex XSOAR v5.5.

---

Recorded Future Feed Pack v1.0.6

Indicator Fields

Recorded Future Evidence Details - Updated the entity to conform to the new schema standards.

---

RiskIQ Digital Footprint Pack v1.0.4 (Partner Supported)

Integrations

RiskIQ Digital Footprint

• Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
  • df-asset-connections
  • df-get-asset commands
  • df-asset-connections
• Updated the Docker image to the latest version.

---

SANS Pack v1.1.2

Incident Fields

• Suggestions and discussion of how to improve the team
• What were the areas where the CIRT teams were effective?
• How was the incident contained and eradicated?
• What was the work performed during recovery?
• What was the scope of the incident?
• When was the problem first detected and by whom?
• What are the areas that need improvement?
• SANS Stage

---

SafeBreach - Breach and Attack Simulation platform Pack v1.1.3 (Partner Supported)

Layouts

SafeBreach Insight - Updated the entity to conform to the new schema standards.

---

SentinelOne Pack v1.0.5

Integrations

SentinelOne v2

• Improved error message processing from the SentinelOne API.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

---

ServiceNow Pack v2.1.0

Integrations

New: ServiceNow CMDB

Added the ServiceNow CMDB integration.

---

Slack Pack v1.3.9

Integrations

Slack v2

• Added the filtered_tags parameter to filter the messages sent from Demisto by tags. Only supported in Cortex XSOAR V6.1 and above.
• Fixed an issue where an error was raised when a non-strict JSON passed to the blocks argument in the send-notification command.

---

Smokescreen IllusionBLACK Pack v1.0.6 (Partner Supported)

Incident Fields

• IllusionBLACK Threat Parse
• IllusionBLACK Events
• IllusionBLACK Decoy ID
• IllusionBLACK Attacker ID
• IllusionBLACK Attack Type

---

Spamcop Pack v1.0.1 (Community Contributed)

Integrations

Spamcop

• Updated the ip command with new code conventions.
• Fixed the outputs of the ip command.
• Updated the Docker image to: demisto/python3:3.8.6.13358.

---

SplunkPy Pack v1.2.6

Integrations

SplunkPy

Fixed an issue where providing a raw field that is wrapped in double quotes in a notable event would return with the key set as the value in the incident metadata if it did not exist.

---

Symantec Blue Coat Content and Malware Analysis (Beta) Pack v1.0.1

Integrations

Symantec Blue Coat Content and Malware Analysis (Beta)

Fixed an issue where files with special characters in their names were not handled properly in the symantec-cma-upload-file command.

---

Synapse Pack v1.0.1 (Community Contributed)

Integrations

Synapse

• Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
  • ip
  • url
  • domain
  • file
• Added missing outputs to the following commands.
  • ip
  • url
  • domain
  • file
• Updated the Docker image to: demisto/aiohttp:1.0.0.13810.

---

Tripwire Pack v1.0.1

Integrations

Tripwire

Breaking Change: Fixed an issue where the argument name in the tripwire-rules-list command was wrong.

---

TruSTAR Pack v2.1.1 (Partner Supported)

Integrations

TruSTAR v2

• Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
  • trustar-indicator-summaries
  • trustar-related-indicators
  • trustar-indicator-summaries
  • trustar-get-whitelisted-indicators
  • trustar-trending-indicators
  • trustar-get-indicators-for-report
  • trustar-search-indicators
  • trustar-get-phishing-indicators
• Updated the Docker image to: demisto/trustar:20.2.0.13605.

---

XM Cyber Pack v1.0.2 (Partner Supported)

Integrations

XM Cyber

Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.

• ip
• xmcyber-hostname

---

XSOAR Mirroring Pack v2.0.0

Breaking Change: Removed the following items from the pack.

• Incident field (from Pong)
• Incident types (from Ping and Pong)
• Classifier
• Mapper

Integrations

XSOAR Mirroring

Maintenance and stability enhancements.

Classifiers

XSOAR Incoming Mapper

Added a default mapper for the integration.

---

abuse.ch SSL Blacklist Feed Pack v1.0.5

Integrations

abuse.ch SSL Blacklist Feed

Maintenance and stability enhancements.

---

iDefense Pack v3.0.0

Integrations

iDefense v2

Updated the Docker image to: demisto/python3:3.8.6.13358.

New: iDefense Feed

Fetches indicators from iDefense feed according to the applied filters.

---

Assets

• Download Content Zip (Cortex XSOAR 5.5 and earlier): content_new.zip
• Download Marketplace Packs (Cortex XSOAR 6.0 and later): content_marketplace_packs.zip
• Browse the Source Code: Content Repo @ 20.12.1