Skip to main content

Cortex XSOAR Content Release Notes for version 20.6.0 (56612)#

Published on 09 June 2020#

Welcome to the 20.6.0 Content release for Cortex XSOAR. Starting with this release we are restructuring our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Packs format were there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.

End Of Life Notice#

The following Integrations were deprecated on Nov 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach the end of life on July 31, 2020, due to changes to the back-end authentication services needed for these Integrations. Use the Azure Compute v2 and Azure Security Center v2 Integrations instead.

New: DeepInstinct Pack v1.0.0#


Deep Instinct#

The Deep Learning cybersecurity platform, for zero time prevention.

New: Carbon Black Cloud Enterprise EDR Pack v1.0.0#


Carbon Black Enterprise EDR#

VMware Carbon Black Enterprise EDR is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams. (formerly known as ThreatHunter)

New: Cortex XDR - IOC Pack v1.0.0#


Cortex XDR - IOC#

Use the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.

New: Humio Pack v1.0.0#



Integrate with Humio. Humio operates as a time-series logging and aggregation platform designed for unrestricted and comprehensive event analysis.

Humio QueryJob Poll#

Run and poll a Humio Query Job.

Active Directory Query Pack v1.0.1#


Active Directory Query v2#

Improved parsing of custom attributes in the ad-get-user command.

Awake Security Pack v1.0.1#


Awake Security#

Fixed an issue where the context did not update properly for the awake-query-activities, awake-query-devices, and awake-query-activities commands.

Base Pack v1.0.6#


  • Fixed IPv4 regex to only catch IPv4 addresses, not CIDR ranges.
  • Added the auto_detect_indicator_type function to indicate the type of indicator.
  • Added the Endpoint Common class.
  • Updated the handle_proxy function to remove relevant environment variables when either the unsecure or insecure parameters are set.
  • Improved logging when running with the debug-mode argument.
  • Added support for the CVE indicator class.

Removed override of the Write-Output function.

CVE Search Pack v1.0.1#


CVE Search v2#

Added DBot score to the cve command.

Carbon Black Defense Pack v1.1.0#


Carbon Black Defense#

Fixed a bug in the cbd-find-events command where hash arguments were not processed correctly.

Carbon Black Enterprise Live Response Pack v1.0.1#


Carbon Black Enterprise Live Response#

Fixed an error when pulling a file in the get-file-from-endpoint command.

Carbon Black Enterprise Response Pack v1.0.3#


Carbon Black Enterprise Response#
  • Added new context outputs for the cb-get-processes command:
    • File.Name
    • File.MD5
    • File.Path
    • Endpoint.Hostname
  • Fixed an issue where the file context did not behave as expected in the cb-get-processes command.

Check Point Firewall Pack v1.0.1#


Check Point#

Added the command argument in the checkpoint command. This argument is the command to run in the firewall.

Cofense Feed Pack v1.0.2#


Cofense Feed#
  • Fixed a bug where the Test button always returned a positive result.
  • Removed the phish threat type .

Cofense Triage Pack v1.1.0#


Cofense Triage#

Deprecated - Use Cofense Triage v2 instead (available from 5.0.0).

Cofense Triage v2#

Added support for the cofense-get-report-png-by-id and cofense-get-threat-indicators commands.

Common Scripts Pack v1.1.3#



  • Fixed an issue parsing EML files encoded with a BOM.
  • Fixed an issue with header parsing.
  • Fixed an issue with a dictionary element.
  • Added support for lists of values.
  • Added support for unpacking nested elements.
  • The keys argument is no longer mandatory, all the keys will be taken by default.

Added private IP address ranges.


Added support for subtracting days and years from the current date using the daysAgo and yearsAgo arguments.

Cortex Data Lake Pack v1.0.1#


Cortex Data Lake#

Fixed a bug in the cdl-query-logs command when no records are found for a given query.

CrowdStrike Falcon Streaming Pack v1.0.2#


New: CrowdStrike Falcon Streaming v2#

The integration is now GA.

Demisto REST API Pack v1.0.1#


Demisto REST API#

Fixed an issue in which URL endpoints given with a forward slash character as prefix were not processed as expected.

Elasticsearch Feed Pack v1.0.1#


Elasticsearch Feed#

Fixed an issue where the integration would handle Generic Feed as Cortex XSOAR Feed.

Expanse Pack v1.0.1#



Added support for filtering incident creation by the Expanse Exposure severity level.

FalconHost Pack v1.1.0#



Added support for 3 commands from the Threat Graph API:

  • cs-threatgraph-summary
  • cs-threatgraph-processes
  • cs-threatgraph-detections

Fidelis Elevate Network Pack v1.0.1#


Fidelis Elevate Network#

Fixed file download functionality in the fidelis-download-malware-file command.

FireEye Helix Pack v1.0.1#



Fixed an issue in the fireeye-helix-search command where the headers argument was not processed as expected.

FortiSIEM Pack v1.0.0#



Fixed an issue where authentication did not work properly.

IBM Resilient Systems Pack v1.0.1#


IBM Resilient Systems#

Fixed an issue where the fetch-incident command did not pull all incidents.

JsonWhoIs Pack v1.0.1#



Prints an error when an error is returned from the API.

MITRE ATT&CK Pack v1.0.2#



Fixed an issue where the insecure and proxy parameters were not passed while fetching indicators.



Added the mitre-reputation command under the MITRE indicator type.

Microsoft Defender Advanced Threat Protection Pack v1.1.0#


Microsoft Defender Advanced Threat Protection#

Added support to authenticate using a self-deployed Azure application.

Microsoft Graph Mail Single User Pack v1.0.2#


Microsoft Graph Mail Single User#

Fixed an issue in which some emails were not fetched as incidents.

Microsoft Graph Security Pack v2.0.0#


Microsoft Graph#

Added fetch-incidents functionality and a unit test.

Microsoft Teams Pack v1.0.1#


Microsoft Teams#

Improved error handling.

Mimecast Pack v1.0.1#



Fixed parsing of responses for the create-mimecast-incident command.

MongoDB Pack v1.0.1#



Fixed an issue when pulling a object that contains a date.

PAN-OS Pack v1.0.2#


  • Replaced the spaces in the URL context output of the panorama-create-edl command to %20.
  • POST request parameters are now passed in the request body, not the URI.

Palo Alto Networks PAN-OS EDL Service Pack v1.0.2#



Added request parameters passed in the URL.


PAN-OS EDL Service Configuration#

Added a new playbook to the EDL pack - EDL Service Configuration. It is a single-run playbook that enables Cortex XSOAR's built-in External Dynamic List (EDL) as a service with PAN-OS native EDL Objects to create firewall policy rules that continuously updates with Cortex XSOAR built-in indicator managment cpabilities.

Palo Alto Networks WildFire Pack v1.0.1#



Fixed an issue in which the wildfire-get-sample command returned the wrong filename.

Phishing Pack v1.2.0#



Removed custom fields that raised warnings from the incident Quick View layout.


Phishing - Core#
  • Fixed an issue where URL screenshots did not display in the layout.
  • Streamlined the playbook by merging two conditions to a single condition.

Prisma Cloud Pack v1.1.0#


Prisma Cloud Remediation - GCP VPC Network Misconfiguration#

New Prisma Cloud remediations:

  • GCP Default Firewall rule should not have any rules (except http and https)
  • GCP Firewall with Inbound rule overly permissive to All Traffic
Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration#

New Prisma Cloud remediations:

  • GCP Default Firewall rule should not have any rules (except http and https)
  • GCP Firewall with Inbound rule overly permissive to All Traffic

ProtectWise Pack v1.0.0#



Fixed an issue where an error was raised when only one sensor ID was provided.

RTIR Pack v1.0.1#



Improved parsing of ticket history and ticket links.

Recorded Future Pack v1.0.1#


Recorded Future#

Fixed an issue in output from the recorded-future-get-related-entities command was mishandled.

Red Canary Pack v1.0.1#


  • Removed timeline details for a detection fetched as an incident.
  • Fixed an issue in which acknowledged detections were fetched as incidents.

ServiceNow Pack v1.1.2#


ServiceNow v2#
  • Added the incident_name parameter, which enables the user to choose the column from ServiceNow on which the fetched incidents will be named.
  • Fixed an issue where system proxy settings were always being used.
  • Fixed an issue where fetch-incidents command did not work as expected when it included attachments.
  • Fixed the timestamp field parameter description.
  • Fixed an issue in which the ServiceNow ticket column to be set as the incident name parameter was not initialized with the default value as expected.

Shodan Pack v1.0.1#



Fixed an issue in which searching for an IP address without information raised an error.

Signal Sciences WAF Pack v1.0.1#


Signal Sciences WAF#

Added verification to the Corporation Name parameter to match the required pattern.

Slack Pack v1.2.0#



Updated default integration parameter to new brand name Palo Alto Networks Cortex XSOAR (formerly Demisto).



Added an option to include which user responded and what the response was.

Stealthwatch Cloud Pack v1.0.1#


Stealthwatch Cloud#

Fixed an issue where the sw-update-alert command was not updating the alert as expected.

SumoLogic Pack v1.0.1#



Changed the integration image from CSV to PNG.

Symantec Data Loss Prevention (Beta) Pack v1.1.0#


Symantec Data Loss Prevention#
  • Updated the Docker image.
  • Improved cached DB initialization to support off-line deployments.
  • Fixed parsing incidents with missing fields.

TIM - Processing Pack v1.1.1#


New: TIM - Indicators Exclusion By Related Incidents (Available from Cortex XSOAR 6.0)#

This playbooks allows you to exclude indicators according to the number of incidents the indicator is related to. The indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set. Excluded indicators are located in the Cortex XSOAR exclusion list and are removed from all of their related incidents and future ones. The purpose of excluding these indicators is to reduce the amount internal and common indicators appearing in many incidents and showing only relevant indicators. Creating exclusions can also accelerate performance.

TIM - Indicator Auto Processing#

Added a sub-playbook for Whois.

ThreatMiner Pack v1.0.1#



Fixed a bug in the ip command when searching for IP addresses that don't have reports in ThreatMiner.

ThreatQ Pack v1.0.2#

ThreatQ v2#

Fixed an issue where indicators were duplicated in the context data.

US - Breach Notification Pack v1.0.2#


New: Illinois - Breach Notification#

This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to Illinois law and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook.

Residents Notification - Breach Notification#

Changed the playbook input "AutoNotification" to False

US - Breach Notification#

Added a new sub-playbook "Illinois - Breach Notification"


US Breach Notification#

Added the "New \ Edit Form".

Access Investigation Pack v1.1.4#


Access Investigation - Generic#

Starting with Demisto 4.5, this playbook uses newer versions of previously used playbooks.

Whois Pack v1.0.2#


New: TIM - Process Domain registrant With Whois#

Uses several sub playbooks to process and tag indicators based on the results of the Whois tool.

New: TIM - Process Domain Age With Whois#

This playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. A registrant is the company or entity that owns the domain.

New: TIM - Process Domains With Whois#

This playbook compares the domain creation time against a provided time value such as one month ago. The period can be configured within the playbook inputs MinimumAgeOfDomainMonths or MinimumAgeOfDomainHours. The playbook calculates the timestamp for the relevant period and compares it to the domain creation time value provided by Whois. The domains are outputted accordingly if they were created before or after the compared time, respectively.