Cortex XSOAR Release Notes for version 20.5.2 (54359)

Published on 26 May 2020

Breaking Changes

• TruSTAR
  • In the trustar-get-phishing-submissions and trustar-get-phishing-indicators, replaced the normalized_triage_score argument with the priority_event_score argument.
  • Updated context outputs in the trustar-get-phishing-submissions and trustar-get-phishing-indicators.
  • In the trustar-get-phishing-indicators command, replaced the normalized_source_score argument with the normalized_indicator_score argument.

End Of Life Notice

The Palo Alto Networks Cortex integration will reach end of life on May 31st due to the Cortex Data Lake move to API version 2.0. Use the Cortex Data Lake integration instead.

Integrations

4 New Integrations

• IllusiveNetworks
  The Illusive Attack Management API enables you to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more.
• Bastille Networks
  RF monitoring for wireless intrusion detection and policy enforcement. Visit https://www.bastille.net for additional details.
• Logz.io
  Fetch and remediate security incidents identified by Logz.io Cloud SIEM.
• Digital Guardian
  Use the Digital Guardian integration to fetch incidents and programmatically add or remove entries from watchlists and component lists.

26 Improved Integrations

• TruSTAR
  • Fixed the description for the from_time argument to '24 hours ago' for the trustar-get-phishing-indicators and trustar-get-phishing-submissions commands.
  • Added -1 to list of default values in the priority_event_score argument for the trustar-get-phishing-submissions command.
  • Added -1 to the list of default values in the priority_event_score and normalized_indicator_score arguments for the trustar-get-phishing-indicators command.
• Microsoft Graph Security
  Added fetch-incidents functionality.
• IBM Resilient Systems
  Fixed an issue where the fetch-incident command did not pull all incidents.
• ThreatQ v2
  Fixed an issue where indicators with custom indicator statuses, indicator types, event types, or attachment types would raise an error.
• Shodan v2
  Fixed an issue where searching for an IP address without information raised an error.
• Jask
  Fixed an issue where bad access to the SourceType key caused an error in the jask-get-insight-details command.
• Whois
  Added the Domain.Whois.QueryResult output, which tells whether the query found a matching result.
• Recorded Future
  Fixed an issue in the recorded-future-get-related-entities where the command output was mishandled.
• Kafka v2
  Added support for lz4 compressed messages.
• Palo Alto Networks PAN-OS
  • Added the option to list predefined applications in PAN-OS 9.X in the panorama-get-applications command using the predefined argument.
  • Fixed an issue where listing custom applications in PAN-OS 9.X using the panorama-get-applications command did not work properly.
  • Fixed an issue where running the panorama-get-url-category command multiple times, displayed previous results in the war room.
  • Replaced the spaces in the URL context output of the panorama-create-edl command to %20.
• Generic SQL
  Fixed an issue where connecting to an MS SQL database using an encrypted connection failed.
• Tanium
  Fixed an issue where the output of some results was malformed.
• VirusTotal - Private API
  Fixed an issue where running file-related commands would raise an error.
• Tanium Threat Response
  Fixed an issue where the tanium-tr-get-downloaded-file command retrieved a malformed file.
• URLhaus
  • Added the Number of retries parameter which determines how many times a command should attempt to run before raising an error.
  • Fixed an issue where the urlhaus-download-sample command would raise an error in cases where results were found.
• RTIR
  • Fixed an issue where the fetch-incidents and search-tickets commands did not behave as expected.
  • Fixed an issue where the test module did not work as expected.
  • Added the Fetch limit parameter to the instance configuration, which specified the maximum number of results to fetch.
  • Added the results_limit argument to the search-tickets command, which specifies the maximum number of results to return.
• SplunkPy
  Added support for HTTPS handler, which uses the Python requests library.
• Palo Alto Networks PAN-OS EDL Service
  • Removed the panos_compatible parameter. All indicators exported by this integration will be PAN-OS compatible.
  • Added request parameters that are passed in the URL.
• OPSWAT-Metadefender v2
  Fixed an issue where running file-related commands would raise an error.
• ServiceNow v2
  • Added the incident_name parameter, which enables users to select the column from ServiceNow on which the fetched incidents will be named.
  • Fixed an issue where system proxy settings were always used.
  • Fixed an issue where the fetch-incidents command with attachments did not work as expected.
• RSA Archer
  • Fixed an issue where several commands would not work as expected when they were performed on app ID 411.
  • Fixed an issue where type 4 fields were not displayed in the results of the archer-search-records command.
• Microsoft Graph Mail Single User
  Fixed an issue where some emails were not fetched as incidents.
• Expanse
  Added support for filtering incident creation by Expanse Exposure severity level.
• MongoDB
  Fixed an issue when pulling an object that contains a date.
• Azure Compute v2
  Added support to authenticate using a self-deployed Azure application.
• Palo Alto Networks BPA
  • Added an argument that enables you to download a Panorama report.
  • Fixed an issue where proxy settings were not handled properly.

Deprecated Integration

• ServiceNow
  Use the ServiceNow v2 integration instead (available from Demisto v5.0.0).

---

Feeds

These feeds are available from Cortex XSOAR v5.5.

4 Improved Feeds

• Microsoft Intune Feed
  Added IPv4 and CIDR indicators to the feed.
• Cofense Feed
  Fixed a bug where the Test button always returned a positive result.
• AutoFocus Feed
  • Added support for samples feed.
  • Added service mapping for indicators.
• MITRE ATT&CK Feed
  Fixed an issue where the insecure and proxy parameters were not passed while fetching indicators.

---

Scripts

2 New Scripts

• BetweenDates
  Checks whether the given value is within the specified date range.
• BetweenHours
  Checks whether the given value is within the specified time (hour) range.

10 Improved Scripts

• EmailDomainSquattingReputation
  Added support for domain arrays as a parameter, including empty domains.
• DBotPredictOutOfTheBox
  Added the option to map automation output to out-of-the-box incidents fields.
• GetMLModelEvaluation
  • You can now train a model even when not reaching the minimum precision target. In case the target is not reached, the closest threshold will be returned.
  • Added support for model evaluation using different confidence thresholds for each class.
• FilterByList
  Added a delimiter argument, which defines the character that delimits fields.
• SetGridField
  • Fixed an issue with a dictionary element.
  • Added support for lists of values.
  • Added support for unpacking nested elements.
  • The keys argument is no longer mandatory. By default, all keys are taken.
• DBotTrainTextClassifierV2
  Added support for model evaluation using different confidence thresholds for each class.
• PWObservationPcapDownload
  Fixed an issue where an error was raised when only one sensor ID was provided.
• SearchIncidentsV2
  Fixed an issue where using \ caused a parsing error.
• ParseEmailFiles
  • Fixed an issue parsing EML files encoded with a BOM.
  • Fixed an issue with header parsing.
• AssignAnalystToIncident
  Added the onCall argument to assign only users that are on shift.

3 Deprecated Scripts

• Elasticsearch
  Use the Elasticsearch v2 integration instead.
• ElasticSearchDisplay
  Use the Elasticsearch v2 integration instead.
• AwsGetInstanceInfo
  There is no replacement script.

---

Playbooks

10 New Playbooks

• Logz.io Handle Alert
  Handles a Logz.io alert by retrieving the events that generated the alert.
• New York - Breach Notification
  This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to New York State law, and, if necessary, follows through with the notification procedures.
  • DISCLAIMER: Please consult with your legal team before implementing this playbook.
    Sources:
    • https://ag.ny.gov/internet/data-breach
    • https://www.dos.ny.gov/consumerprotection/pdf/infosecbreach03.pdf
    • https://www.nysenate.gov/legislation/laws/GBS/899-AA
• PAN-OS EDL Service Configuration
  This single-run playbook enables Cortex XSOAR built-in External Dynamic List (EDL) as a service for the system indicators, configures PAN-OS EDL Objects and the respective firewall policy rules. The EDLs will continually update for each indicator that matches the query syntax entered in the playbook.
• PII Check - Breach Notification
  Checks for all various types of PII, however, each state determines what is considered PII, and which PII requires notification.
  • DISCLAIMER: Please consult with your legal team before implementing this playbook.
    Sources:
    • http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82
    • https://www.nysenate.gov/legislation/laws/GBS/899-AA and more for each state.
• Residents Notification - Breach Notification
  This playbook is triggered by a breach notification playbook and is responsible for the resident notification process.
• Illusive-Collect-Forensics-On-Demand
  Collects forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection.
• Illusive-Retrieve-Incident
  Gets a detailed overview of a detected incident by retrieving the incident details and a forensics timeline if and when forensics have been successfully collected.
• California - Breach Notification
  This playbook helps analysts determine if the breached data meets the criteria for breach notification according to California law, and, if necessary, follows through with the notification procedures.
  • DISCLAIMER: Please consult with your legal team before implementing this playbook.
    Source: http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82.
• Digital Guardian Demo Playbook
  This playbook will show how to handle an exfiltration event through Digital Guardian by emailing a user's manager and adding the user to a Digital Guardian Watchlist.
• US - Breach Notification
  This playbook is triggered by a breach notification incident and then proceeds to the breach notification playbook for the relevant state.

10 Improved Playbooks

• TIM - QRadar Add IP Indicators
  Fixed a task condition.
• TIM - Run Enrichment For Hash Indicators
  Fixed an input name.
• TIM - Process Indicators - Manual Review
  Fixed a typo.
• TIM - Run Enrichment For IP Indicators
  Fixed an input name.
• TIM - Run Enrichment For Domain Indicators
  Fixed an input name.
• TIM - Run Enrichment For Url Indicators
  Fixed an input name.
• ExtraHop - Ticket Tracking
  Incidents are searched using the SearchIncidentsV2 automation instead of the deprecated SearchIncidents automation.
• Email Address Enrichment - Generic v2.1
  Added a check that will prevent empty email addresses from being enriched.
• URL Enrichment - Generic v2
  The playbook will not stop if Rasterize fails. This improves the playbook stability when rasterizing URLs of websites that are currently down.
• Phishing Investigation - Generic v2
  • The playbook now uses Block Indicators - Generic v2 to block malicious indicators (off by default).
  • Replaced the deprecated SendEmail automation with the send-mail command.

---

Incident Fields

Added incident fields for:

• Digital Guardian
• Logz.io
• US Breach Notification

---

Layouts

4 New Layouts

• Digital Guardian Security Event - Summary
• US Breach Notification - Summary
• Illusive Networks Incident - Summary
• Logz.io Alert - Summary

4 Improved Layouts

• domainRepUnified - Indicator Details
  Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.
• ipRep - Indicator Details
  Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.
• unifiedFileRep - Indicator Details
  Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.
• urlRep - Indicator Details
  Fixed an issue where Extended Details would not display the Threat Category and Threat Category Confidence fields.

---

Classification & Mapping

3 New Classification & Mapping

• Logz.io
• Digital Guardian
• IllusiveNetworks

---

Assets

• Download: content_new.zip
• Browse the Source Code: Content Repo @ 20.5.2