Cortex XSOAR Content Release Notes for version 20.5.0 (52248)
Published on 12 May 2020
End Of Life Notice: The Palo Alto Networks Cortex integration will reach end of life on May 31st, because Cortex Data Lake is moving to the new version 2.0 API. Please make sure to use the Cortex Data Lake integration instead.
Integrations
6 New Integrations
- CrowdStrike Falcon Streaming v2
Use the CrowdStrike Falcon Stream v2 integration to stream detections and audit security events.
- Zabbix
Allows integration with the Zabbix API.
- Microsoft Graph Device Management (Microsoft Intune)
Microsoft Intune is a Microsoft cloud-based management solution that provides for mobile device and operating system management.
- Endace
This integration uses Endace APIs to search, archive, and download a PCAP file from either a single EndaceProbe or many via the InvestigationManager, and enables integration of full historical packet capture into security automation workflows. The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network.
- Maltiverse
Analyze suspicious hashes, URLs, domains and IP addresses.
- Malwarebytes
Scan and remediate threats on endpoints in the Malwarebytes cloud.
52 Improved Integrations
- OTRS
- Fixed an issue with the article argument in the otrs-update-ticket command.
- Added support for fetching a ticket by ticket number in the otrs-get-ticket command.
- Cisco Threat Grid
Fixed an issue where the threat-grid-upload-sample command did not work as expected while in insecure mode.
- Palo Alto Networks AutoFocus v2
Improved error messages for server connection issues.
- VirusTotal
Fixed an issue where URLs containing a comma were parsed incorrectly.
- Cisco ASA
Fixed an issue where a command completed successfully but an error was raised.
- EWS v2
- Added Email entry context for the ews-get-items command.
- Fixed an issue where getting emails with malformed attachments caused an error.
- OpenLDAP (Beta)
Fixed LDAP authentication when running the integration on an engine.
- McAfee DAM
Updated the detailed description.
- Okta v2
Fixed an issue where the okta-verify-push-factor command failed when an HTTP 201 code was returned.
- Cortex Data Lake
- Fixed exception parsing.
- Added a retry mechanism when requesting an access token from a refresh token.
- Fixed an issue where the dest_port and source_port arguments were not processed correctly in the cdl-query-traffic-logs and cdl-query-threat-logs commands.
- McAfee Threat Intelligence Exchange
Fixed an issue where running the tie-file-references command on TIE server version 3.0.0 raised an error.
- Pentera
- Changed the default API port from 8181 to 5555, and parsed hashes from password cracking operations.
- Raw NTLM, NTLMv1, and NTLMv2 hashes are now hidden. NTLMv1 and NTLMv2 hashes are parsed to expose the username and its domain or hostname.
- Carbon Black Defense
Fixed an issue where the context output for the cbd-get-alert-details command was incorrect.
- Expanse
Added the expanse-get-exposures command.
- Alexa Rank Indicator
Fixed an issue where the integration failed to retrieve the correct rank.
- HelloWorld
- Improved Test Playbook reliability.
- Added Standard Context data for domain output.
- Converted output timestamps to ISO 8601.
- Minor bug fixes.
- Added support for Common functions and CommandResults.
- PhishLabs IOC
Fixed an issue where fetch-incidents did not work as expected.
- Google Cloud Compute
Added the gcp-compute-project-info-add-metadata command, which enables adding or updating project-wide metadata.
- Export Indicators Service
- Fixed an issue where the eis-update command failed when the query argument was not supplied.
- Removed the Long Running Instance parameter from the instance configuration.
- ProtectWise
Added the token parameter to the integration instance configuration. This is your ProtectWise API token.
- ServiceNow v2
- Added 5 commands:
- servicenow-query-items
- servicenow-get-item-details
- servicenow-create-item-order
- servicenow-add-tag
- servicenow-document-route-to-queue
- Improved the documentation regarding the usage of the impact and urgency arguments for the following commands:
- servicenow-update-ticket
- servicenow-create-ticket
- Added the system_params argument to the servicenow-query-table and servicenow-query-tickets commands.
- Infoblox
Fixed an issue where arguments for the create_rpz_rule function were switched.
- iDefense
Fixed an issue in the url command.
- Slack v2
Removed the Long Running Instance parameter from the instance configuration.
- AWS - AccessAnalyzer (beta)
Fixed an incorrect YAML definition of the integration.
- Generic SQL
- Fixed an issue where empty query results raised an error.
- Added support for SSL connections.
- Carbon Black Enterprise Live Response
Fixed an issue where the description for deprecated commands did not refer to the commands that replace them.
- Attivo Botsink
Fixed an issue where the commands did not work properly.
- Palo Alto Networks PAN-OS
Fixed an issue where commands that returned an empty list raised an error instead of a warning.
- Salesforce
- Added 4 commands:
- salesforce-get-casecomment
- salesforce-post-casecomment
- salesforce-get-user
- salesforce-get-org
- CrowdStrike Falcon Streaming v2
Removed the Long Running Instance parameter from the instance configuration.
- Netskope
Fixed an issue where the fetch-incidents command did not work as expected.
- Microsoft Graph Groups
Added support for authenticating using a self-deployed Azure application.
- IntSights
Fixed an issue where the IsClosed flag was not fetched properly in the intsights-get-alert-by-id and intsights-get-alerts commands.
- IBM QRadar
Fixed an issue where the test module did not work as expected.
- Microsoft Graph User
Added the msgraph-direct-reports command, which retrieves a user's direct reports.
- Lockpath KeyLight v2
Added the kl-get-user-by-id command.
- Mail Sender (New)
Added the SSL/TLS parameter to configure an SSL/TLS connection (as opposed to STARTTLS).
- GitHub
Added handling for deleted forked repositories in the GitHub-get-pull-request command.
- Palo Alto Networks PAN-OS EDL Service
- Removed the Long Running Instance parameter from the instance configuration.
- Set the listener host to 0.0.0.0, to handle IPv6.
- Microsoft Graph Files
Added support for authenticating using a self-deployed Azure application.
- FireEye ETP
Fixed an issue where the fireeye-etp-search-messages command failed.
- Vectra v2
Fixed an issue where the fetch-incidents command failed due to an incorrect date format.
- Symantec Data Loss Prevention (Beta)
- Improved handling of the proxy and insecure parameters.
- Fixed an issue where the symantec-dlp-get-incident-details command returned an error in some cases.
- Improved the documentation to describe the format required for Active Directory accounts.
2 Deprecated integrations
- PostgreSQL
Use the Generic SQL integration instead.
- Elasticsearch
Use the Elasticsearch v2 integration instead.
Feeds
Available from Cortex XSOAR 5.5
2 New Feeds
- GCP Whitelist Feed
Use the Google Cloud Platform whitelist integration to get indicators from the feed.
- MITRE ATT&CK Feed
Use the MITRE ATT&CK® feed to fetch MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) content. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
9 Improved feeds
- TAXII Server
Removed the Long Running Instance parameter from the instance configuration.
- Fastly Feed
Set the default value for the bypass exclusion list parameter to "true".
- Prisma Access Egress IP Feed
Set the default value for the bypass exclusion list parameter to "true".
- Office 365 Feed
Set the default value for the bypass exclusion list parameter to "true".
- AWS Feed
Set the default value for the bypass exclusion list parameter to "true".
- Azure Feed
Set the default value for the bypass exclusion list parameter to "true".
- Microsoft Intune Feed
Set the default value for the bypass exclusion list parameter to "true".
- Cloudflare Feed
Set the default value for the bypass exclusion list parameter to "true".
- TAXII Feed
Added authentication using a certificate key and text file.
Scripts
6 New Scripts
- ConvertToSingleElementArray
Converts a single string to an array containing that string.
- EvaluateMLModllAtProduction
Evaluates an ML model in production.
- ChangeContext
Enables changing context in two ways. The first is to capitalize the first letter of each key in the following level of the context key entered. The second is to change context keys to new values.
- PenteraDynamicTable
Renders a Markdown table from the penteraoperationdetails field in Pentera Insight incidents.
- PenteraOperationToIncident
Groups Pentera Full Actions Reports by Operation Type to generate an output that you can use when creating incidents.
- SetGridField
Creates a Grid table from items or key-value pairs.
5 Improved Scripts
- DBotPredictPhishingWords
Added the option to map automation output to out-of-the-box incident fields.
- SanePdfReports
Fixed logo usage and added verbose output on failure.
- PhishLabsPopulateIndicators
- Fixed an issue where email indicators were not classified correctly.
- Fixed an issue where the script attempted to create indicators with the Attachment type instead of the File type.
- PcapHTTPExtractor
Fixed an issue where a PCAP file that contained only an HTTP response was mishandled.
- SandboxDetonateFile
Fixed an issue that occurred when some fields were missing from the response.
4 Deprecated Scripts
- QRadarGetOffenseCorrelations
Use the QRadar - Get offense correlations v2 playbook instead.
- QRadarGetCorrelationLogs
Use the QRadarCorrelationLog playbook instead.
- DocumentationAutomation
We recommend using the demisto-sdk to generate documentation. For full details see the dev hub docs.
- HTMLDocsAutomation
We recommend using the demisto-sdk to generate documentation. For full details see the dev hub docs.
Playbooks
21 New Playbooks
- PAN-OS EDL Setup v3
Configures an external dynamic list in PAN-OS. If the file exists on the web server, the playbook syncs the file to Cortex XSOAR. It then creates an EDL object and a matching rule.
- Malwarebytes - Isolate Endpoint
Isolates endpoints in Malwarebytes Cloud.
- Continuously Process Survey Responses (Beta)
Continuously processes new questionnaire responses as they are received. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates made to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve.
- TIM - Process Azure indicators
This playbook handles the tagging of Azure indicators. You can specify the tag to apply to these indicators in the playbook inputs, for example, approved_white. If no inputs are specified, the indicators will be tagged for manual review.
- TIM - Process Office365 indicators
This playbook handles the tagging of Office365 indicators. You can specify the tag to apply to these indicators in the playbook inputs, for example, approved_white. If no inputs are specified, the indicators will be tagged for manual review.
- TIM - Process AWS indicators
This playbook handles the tagging of AWS indicators. You can specify the tag to apply to these indicators in the playbook inputs, for example, approved_white. If no inputs are specified, the indicators will be tagged for manual review.
- TIM - Review Indicators Manually For Whitelisting
This playbook helps analysts manage the manual process of whitelisting indicators from cloud providers, apps, services, etc. The playbook indicator query is set to search for indicators that have the whitelist_review tag. The playbook's layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags such as 'approved_black', 'approved_white', etc. Once the analyst completes the review, the playbook can optionally send an email with a list of changes made by the analyst which haven't been approved. Once complete, the playbook removes the 'whitelist review' tag from the indicators.
- Endace Search Archive and Download
This playbook uses Endace APIs to search, archive, and download a PCAP file from either a single EndaceProbe or many via the InvestigationManager, and enables integration of full historical packet capture into security automation workflows.
- Pentera Filter And Create Incident
This is a sub-playbook used to select specific entries from the Pentera action report and create incidents for each of the selected entries.
- Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration
This playbook remediates the following Prisma Cloud GCP VPC Network Firewall alerts.
- QRadarCorrelationLog
This playbook retrieves the correlation logs of multiple QIDs.
- Hunt Extracted Hashes
This playbook extracts IOCs from the incident details and attached files using regular expressions, and then hunts for the hashes on endpoints in the organization using the available tools. The playbook supports multiple types of attachments. For the full list of supported attachments, refer to "Extract Indicators From File - Generic v2".
- Process Survey Response (Beta)
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. This playbook processes the survey responses. It records that the employee responded to the survey and what their health status is. If necessary, it opens IT or HR incidents, and updates the process survey tracker.
- Employee Status Survey (Beta)
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Manages a crisis event where employees have to work remotely due to a pandemic, issues with the workplace or similar situations. Sends a questionnaire to all direct reports under a given manager. The questionnaire asks the employees for their health status and whether they need any help. The data is saved as employee indicators in Cortex XSOAR, while IT and HR incidents are created to provide assistance to employees who requested it. The questionnaire expires after 24 hours by default, and during that time the responses are processed every 5 minutes. These settings can be edited via the task that sends the questionnaire and the loop settings of the Continuously Process Survey Responses playbook, respectively.
- Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration
This playbook remediates the following Prisma Cloud GCP VPC Network Project alerts.
Prisma Cloud policies remediated:
- GCP project is using the default network.
- Prisma Cloud Remediation - GCP VPC Network Misconfiguration
This playbook remediates Prisma Cloud GCP VPC Network alerts. It calls sub-playbooks that perform the actual remediation steps.
- QRadar - Get offense correlations v2
- Run on a QRadar offense to get more information:
- Get all correlations relevant to the offense.
- Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True").
- Inputs:
- GetCorrelationLogs (default: False)
- MaxLogsCount (default: 20)
- Endace Search Archive Download PCAP
This playbook uses Endace APIs to search, archive, and download a PCAP file from either a single EndaceProbe or many via the InvestigationManager.
- PAN-OS - Block IP and URL - External Dynamic List v2
This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists. It checks whether the EDL configuration is in place using the 'PAN-OS EDL Setup' sub-playbook (otherwise the list is configured), and adds the input IPs and URLs to the relevant lists.
- Pentera Run Scan and Create Incidents
This playbook runs a Pentera task given the Pentera task name. It generates the full action report that contains all the actions that Pentera made during the scan, and creates incidents according to the filters in the Pentera Filter and Create incidents playbook.
- Malwarebytes - Scan & Remediate Endpoint
Scan and remediate endpoints in Malwarebytes Cloud.
11 Improved Playbooks
- TIM - Process Indicators Against Business Partners Domains List
Improved a conditional task.
- TIM - Process Indicators Against Business Partners IP List
Improved a conditional task.
- TIM - Process Indicators Against Approved Hash List
Improved a conditional task.
- TIM - Process Indicators Against Organizations External IP List
Improved a conditional task.
- Pentera Run Scan
- Made formatting changes.
- Added the Pentera Full Action Report as the playbook output.
- TIM - Process Indicators Against Business Partners URL List
Improved a conditional task.
- PAN-OS Commit Configuration
- Improved the error message when commit or push fails.
- Added Push/Commit warnings as a playbook output.
- TIM - Indicator Auto Processing
Removed default list names and updated the playbook logic.
- TIM - Process Indicators - Fully Automated
Fixed a task name and score.
- Phishing Investigation - Generic v2
The playbook now uses the Block Indicators - Generic v2 playbook to block malicious indicators (off by default).
- Impossible Traveler
- Simplified the process that gets the details of the user's manager.
- Fixed a potential error when running Active Directory commands while the integration is disabled.
4 Deprecated Playbooks
- Block Indicators - Generic
Use the Block Indicators - Generic v2 playbook instead.
- Hunt for bad IOCs
Use the Search Endpoints By Hash playbook instead.
- Rapid IOC Hunting Playbook
Use the Hunt File Hash playbook instead.
- QRadar - Get offense correlations
Use the QRadar - Get offense correlations v2 playbook instead.
Dashboards
New Dashboard
- Employee Health Status
Incident Fields
17 New Incident Fields for the SANS incident type.
Layouts
7 New Layouts
- Pentera Insight - Summary
- Review Indicators Manually For Whitelisting - Summary
- SANS - Summary
- NIST - Summary
- MITRE ATT&CK - Indicator Details
- Employee Health Check - New/Edit
- Employee - Indicator Details
3 Improved Layouts
- Indicator Feed - New/Edit
Added an edit layout for the Indicator Feed incident type.
- GDPR Data Breach - Summary
Changed the "Date breach information" section from rows to cards.
- GCP Compute Engine Misconfiguration - Summary
New layout for 'GCP Compute Engine Misconfiguration'.
Assets
- Download: content_new.zip
- Browse the Source Code: Content Repo @ 20.5.0