Cortex XSOAR Content Release Notes for version 20.5.0 (52248)

Published on 12 May 2020

End Of Life Notice: Palo Alto Networks Cortex Integration will reach end of life on May 31st. This is due to changes in the Cortex Data Lake move to a new version 2.0 API. Please make sure to use the Cortex Data Lake Integration instead.

Integrations

6 New Integrations

• CrowdStrike Falcon Streaming v2
  Use the CrowdStrike Falcon Stream v2 integration to stream detections and audit security events.
• Zabbix
  Allow integration with Zabbix api.
• Microsoft Graph Device Management (Microsoft Intune)
  Microsoft Intune is a Microsoft cloud-based management solution that provides for mobile device and operating system management.
• Endace
  This integration uses Endace APIs to search, archive, and download a PCAP file from either a single EndaceProbe or many via the InvestigationManager, and enables integration of full historical packet capture into security automation workflows. The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network.
• Maltiverse
  Analyze suspicious hashes, URLs, domains and IP addresses.
• Malwarebytes
  Scan and remediate threats on endpoints in the Malwarebytes cloud.

52 Improved Integrations

• OTRS
  • Fixed an issue with the article argument in the otrs-update-ticket command.
  • Added support for fetching a ticket by ticket number in the otrs-get-ticket command.
• Cisco Threat Grid
  Fixed an issue where the threat-grid-upload-sample command did not work as expected while in insecure mode.
• Palo Alto Networks AutoFocus v2
  Improved error messages for server connection issues.
• VirusTotal
  Fixed an issue where URLs with a comma were parsed incorrectly.
• Cisco ASA
  Fixed an issue where a command completes but an error is raised.
• EWS v2
  • Added Email entry context for the ews-get-items command.
  • Fixed an issue where getting emails with malformed attachments caused an error.
• OpenLDAP (Beta)
  Fixed LDAP authentication when running the integration on an engine.
• McAfee DAM
  Updated the detailed description.
• Okta v2
  Fixed an issue where the okta-verify-push-factor command failed when an HTTP 201 code was returned.
• Cortex Data Lake
  • Fixed exception parsing.
  • Added a retry mechanism when requesting an access token from a refresh token.
  • Fixed an issue with the dest_port and source_port arguments were not processed correctly in the cdl-query-traffic-logs and cdl-query-threat-logs commands.
• McAfee Threat Intelligence Exchange
  Fixed an issue where running the tie-file-references command on TIE server version 3.0.0 raised an error.
• Pentera
  • Changed the API default port from 8181 to 5555 and parsed hashes from password cracking operations.
  • Now raw NTLM, NTLMv1, and NTLMv2 will be hidden. NTLMv1 and NTLMv2 will be parsed to expose the username and its domain or hostname.
• Carbon Black Defense
  Fixed an issue where the context output for the cbd-get-alert-details command was incorrect.
• Expanse
  Added the expanse-get-exposures command.
• Alexa Rank Indicator
  Fixed an issue where the integration failed to retrieve the correct rank.
• HelloWorld
  • Improved Test Playbook reliability.
  • Added Standard Context data for domain output.
  • Converted output timestamps to ISO8601.
  • Minor bug fixes.
  • Added support for Common functions and CommandResults.
• PhishLabs IOC
  Fixed an issue where fetch-incidents did not work as expected.
• Google Cloud Compute
  Added the gcp-compute-project-info-add-metadata command, which enables adding or updating project-wide metadata.
• Export Indicators Service
  • Fixed an issue where eis-update command failed when the query argument is not supplied.
  • Removed the Long Running Instance parameter from the instance configuration.
• ProtectWise
  Added the token parameter to the integration instance configuration. This is your ProtectWise API token.
• ServiceNow v2
  • Added 5 commands:.
    • servicenow-query-items
    • servicenow-get-item-details
    • servicenow-create-item-order
    • servicenow-add-tag
    • servicenow-document-route-to-queue
  • Improved documentation regarding the usage of the impact and the urgency arguments for the following commands.
    • servicenow-update-ticket
    • servicenow-create-ticket
  • Added the system_params argument to the servicenow-query-table, servicenow-query-tickets commands.
• Infoblox
  Fixed an issue where arguments for the create_rpz_rule function were switched.
• iDefense
  Fixed an issue in the url command.
• Slack v2
  Removed the Long Running Instance parameter from the instance configuration.
• AWS - AccessAnalyzer (beta)
  Fixed an incorrect YAML definition of the integration.
• Generic SQL
  • Fixed an issue where empty query results raised an error.
  • Added support for SSL connection.
• Carbon Black Enterprise Live Response
  Fixed an issue where the description for deprecated commands did not refer to commands that replace them.
• Attivo Botsink
  Fixed an issue where the commands did not work properly.
• Palo Alto Networks PAN-OS
  Fixed an issue where commands resulting with an empty list would raise an error instead of a warning.
• Salesforce
  • Added 4 commands.
    • salesforce-get-casecomment.
    • salesforce-post-casecomment.
    • salesforce-get-user.
    • salesforce-get-org.
• CrowdStrike Falcon Streaming v2
  Removed the Long Running Instance parameter from the instance configuration.
• Netskope
  Fixed an issue where the fetch-incidents command did not work as expected.
• Microsoft Graph Groups
  Added support to authenticate using a self-deployed Azure application.
• IntSights
  Fixed an issue where the IsClosed flag was not fetched properly in the intsights-get-alert-by-id and intsights-get-alerts commands.
• IBM QRadar
  Fixed an issue where the test module did not work as expected.
• Microsoft Graph User
  Added the msgraph-direct-reports command, which retrieves a user's direct reports.
• Lockpath KeyLight v2
  Added the kl-get-user-by-id command.
• Mail Sender (New)
  Added support for the SSL/TLS parameter to configure an SSL/TLS connection, which is not STARTTLS.
• GitHub
  Added handling for deleted forked repositories in the GitHub-get-pull-request command.
• Palo Alto Networks PAN-OS EDL Service
  • Removed the Long Running Instance parameter from the instance configuration.
  • Set the listener host to 0.0.0.0, to handle IPv6.
• Microsoft Graph Files
  Added support to authenticate using a self-deployed Azure application.
• FireEye ETP
  Fixed an issue where the fireeye-etp-search-messages command failed.
• Vectra v2
  Fixed an issue where the fetch-incidents command failed due to incorrect date format.
• Symantec Data Loss Prevention (Beta)
  • Improved handling of proxy and insecure parameters.
  • Fixed an issue where the symantec-dlp-get-incident-details would return an error in some cases.
  • Improved documentation to describe the format required for Active Directory accounts.

2 Deprecated integrations

• PostgreSQL
  Use the Generic SQL integration instead.
• Elasticsearch
  Use the Elasticsearch v2 integration instead.

---

Feeds

Available from Cortex XSOAR 5.5

2 New Feeds

• GCP Whitelist Feed
  Use the Google Cloud Platform whitelist integration to get indicators from the feed.
• MITRE ATT&CK Feed
  Use the MITRE ATT&CK® feed to fetch MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) content. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

9 Improved feeds

• TAXII Server
  Removed Long Running Instance from instance configuration.
• Fastly Feed
  Set the default value for the bypass exclusion list parameter to "true".
• Prisma Access Egress IP Feed
  Set the default value for the bypass exclusion list parameter to "true".
• Office 365 Feed
  Set the default value for the bypass exclusion list parameter to "true".
• AWS Feed
  Set the default value for the bypass exclusion list parameter to "true".
• Azure Feed
  Set the default value for the bypass exclusion list parameter to "true".
• Microsoft Intune Feed
  Set the default value for the bypass exclusion list parameter to "true".
• Cloudflare Feed
  Set the default value for the bypass exclusion list parameter to "true".
• TAXII Feed
  Added authentication using certificate key and text file.

---

Scripts

6 New Scripts

• ConvertToSingleElementArray
  Converts a single string to an array of that string.
• EvaluateMLModllAtProduction
  Evaluates an ML model in production.
• ChangeContext
  Enables changing context in two ways. The first is to capitalize the first letter of each key in the following level of the context key entered. The second is to change context keys to new values.
• PenteraDynamicTable
  Renders a Markdown table from the penteraoperationdetails field in Pentera Insight incidents.
• PenteraOperationToIncident
  Groups Pentera Full Actions Reports by Operation Type to generate an output that you can use when creating incidents.
• SetGridField
  Creates a Grid table from items or key-value pairs.

5 Improved Scripts

• DBotPredictPhishingWords
  Added the option to map automation output to out-of-the-box incident fields.
• SanePdfReports
  Fixed logos usage and added failure verbose output.
• PhishLabsPopulateIndicators
  • Fixed an issue where email indicators were not classified correctly.
  • Fixed an issue where the script attempted to create indicators with Attachment type instead of File type.
• PcapHTTPExtractor
  Fixed an issue where a PCAP file that contained only an HTTP response was mishandled.
• SandboxDetonateFile
  Fixed an issue that occurred when some fields were missing from the response.

4 Deprecated Scripts

• QRadarGetOffenseCorrelations
  Use the QRadar - Get offense correlations v2 playbook instead.
• QRadarGetCorrelationLogs
  Use the QRadarCorrelationLog playbook instead.
• DocumentationAutomation
  We recommend using the demisto-sdk to generate documentation. For full details see the dev hub docs.
• HTMLDocsAutomation
  We recommend using the demisto-sdk to generate documentation. For full details see the dev hub docs.

---

Playbooks

21 New Playbooks

• PAN-OS EDL Setup v3
  Configures an external dynamic list in PAN-OS. In the event that the file exists on the web server, it will sync the file to Cortex XSOAR. Then it will create an EDL object and a matching rule.
• Malwarebytes - Isolate Endpoint
  Isolates endpoints in Malwarebytes Cloud.
• Continuously Process Survey Responses (Beta)
  Continuously processes new questionnaire responses as they are received. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs.Updates made to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve.
• TIM - Process Azure indicators
  This playbook handles the tagging of Azure indicators. You can specify the tag to apply to these indicators in the playbook inputs, for example, approved_white. If no inputs are specified, the indicators will be tagged for manual review.
• TIM - Process Office365 indicators
  This playbook handles the tagging of Office365 indicators. You can specify the tag to apply to these indicators in the playbook inputs, for example, approved_white. If no inputs are specified, the indicators will be tagged for manual review.
• TIM - Process AWS indicators
  This playbook handles the tagging of AWS indicators. You can specify the tag to apply to these indicators in the playbook inputs, for example, approved_white. If no inputs are specified, the indicators will be tagged for manual review.
• TIM - Review Indicators Manually For Whitelisting
  This playbook helps analysts manage the manual process of whitelisting indicators from cloud providers, apps, services, etc. The playbook indicator query is set to search for indicators that have the whitelist_review tag. The playbooks layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags such as, 'approved_black', 'approved_white', etc. Once the analyst completes the review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'whitelist review' tag from the indicators.
• Endace Search Archive and Download
  This playbook uses Endace APIs to search, archive, and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.
• Pentera Filter And Create Incident
  This is a sub-playbook used to select specific entries from the Pentera action report and create incidents for each of the selected entries.
• Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration
  This playbook remediates the following Prisma Cloud GCP VPC Network Firewall alerts.
• QRadarCorrelationLog
  This playbook retrieves the correlation logs of multiple QIDs.
• Hunt Extracted Hashes
  This playbook extracts IOCs from the incident details and attached files using regular expressions and then hunts for hashes on endpoints in the organization using available tools. The playbook supports multiple types of attachments. For the full supported attachments list, refer to "Extract Indicators From File - Generic v2".
• Process Survey Response (Beta)
  Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. This playbook processes the survery responses. It updates that the employee responded to the survey and what their health status is. If necessary, it opens IT or HR incidents, and updates the process survey tracker.
• Employee Status Survey (Beta)
  Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Manages a crisis event where employees have to work remotely due to a pandemic, issues with the workplace or similar situations. Sends a questionnaire to all direct reports under a given manager. The questionnaire asks the employees for their health status and whether they need any help. The data is saved as employee indicators in Cortex XSOAR, while IT and HR incidents are created to provide assistance to employees who requested it. The questionnaire expires after 24 hours by default, and during that time the responses are processed every 5 minutes. These settings can be edited via the task that sends the questionnaire and the loop settings of the Continuously Process Survey Responses playbook, respectively.
• Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration
  • This playbook remediates the following Prisma Cloud GCP VPC Network Project alerts.
  • Prisma Cloud policies remediated:.
  • GCP project is using the default network.
• Prisma Cloud Remediation - GCP VPC Network Misconfiguration
  This playbook remediates Prisma Cloud GCP VPC Network alerts. It calls sub-playbooks that perform the actual remediation steps.
• QRadar - Get offense correlations v2
  • Run on a QRadar offense to get more information:
    • Get all correlations relevant to the offense.
    • Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True").
  • Inputs:
    • GetCorrelationLogs (default: False)
    • MaxLogsCount (default: 20).
• Endace Search Archive Download PCAP
  This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager.
• PAN-OS - Block IP and URL - External Dynamic List v2
  This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists. It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the inputted IPs and URLs to the relevant lists.
• Pentera Run Scan and Create Incidents
  This playbook will run a Pentera task given the Pentera task name. It will generate the full action report that contains all the actions that Pentera made during the scan, and will create incidents according to the filters in the Pentera Filter and Create incidents playbook.
• Malwarebytes - Scan & Remediate Endpoint
  Scan and remediate endpoints in Malwarebytes Cloud.

11 Improved Playbooks

• TIM - Process Indicators Against Business Partners Domains List
  Improved a conditional task.
• TIM - Process Indicators Against Business Partners IP List
  Improved a conditional task.
• TIM - Process Indicators Against Approved Hash List
  Improved a conditional task.
• TIM - Process Indicators Against Organizations External IP List
  Improved conditional task.
• Pentera Run Scan
  • Made formatting changes.
  • Added the Pentera Full Action Report as the playbook output.
• TIM - Process Indicators Against Business Partners URL List
  Improved a conditional task.
• PAN-OS Commit Configuration
  • Improved the error message when commit or push fails.
  • Added Push/Commit warnings as a playbook output.
• TIM - Indicator Auto Processing
  Removed default list names and updated playbook logic.
• TIM - Process Indicators - Fully Automated
  Fixed task name and score.
• Phishing Investigation - Generic v2
  The playbook now uses the Block Indicators - Generic v2 playbook to block malicious indicators (off by default).
• Impossible Traveler
  • Simplified the process that gets details of the user's manager.
  • Fixed a potential error with running Active Directory commands when the integration is disabled.

4 Deprecated Playbooks

• Block Indicators - Generic
  Use the Block Indicators - Generic v2 playbook instead.
• Hunt for bad IOCs
  Use the Search Endpoints By Hash playbook instead.
• Rapid IOC Hunting Playbook
  Use the Hunt File Hash playbook instead.
• QRadar - Get offense correlations
  Use the QRadar - Get offense correlations v2 playbook instead.

---

Dashboards

New Dashboard

• Employee Health Status

---

Incident Fields

17 New Incident Fields for SANS incident type.

---

Layouts

7 New Layouts

• Pentera Insight - Summary
• Review Indicators Manually For Whitelisting - Summary
• SANS - Summary
• NIST - Summary
• MITRE ATT&CK - Indicator Details
• Employee Health Check - New/Edit
• Employee - Indicator Details

3 Improved Layouts

• Indicator Feed - New/Edit
  Added edit layout for the Indicator Feed incident type.
• GDPR Data Breach - Summary
  Changed "Date breach information" section from rows to cards.
• GCP Compute Engine Misconfiguration - Summary
  New layout for 'GCP Compute Engine Misconfiguration'.

---

Assets

• Download: content_new.zip
• Browse the Source Code: Content Repo @ 20.5.0