Cortex XSOAR Content Release Notes for version 20.6.1 (59306)
Published on 23 June 2020
Welcome to the 20.6.1 Content release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to the Packs format, where there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to implement a use case, implement an integration, or provide a clear set of functionality. Our new release notes are structured around Content Packs, and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.
End Of Life Notice
The following Integrations were deprecated in November 2019:
- Azure Compute
- Azure Security Center
These integrations will reach end of life on July 31, 2020, due to changes in the backend authentication services these Integrations depend on. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.
New: HIPAA - Breach Notification Pack v1.0.0
IncidentFields
- HIPAA Notification
IncidentTypes
- HIPAA Breach Notification
Layouts
- HIPAA Breach Notification - Summary
- HIPAA Breach Notification - New/Edit
Playbooks
HIPAA - Breach Notification
The USA Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store, or process Private Health Information (PHI). The HIPAA Breach Notification Rule requires companies that deal with health information to disclose cybersecurity breaches; the disclosure includes notification to affected individuals, to the media, and to the Secretary of Health and Human Services. This playbook is triggered by a HIPAA breach notification incident and follows through with the notification procedures.
DISCLAIMER: Please consult with your legal team before implementing this playbook.
Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
New: Infocyte Pack v1.0.0
Integrations
Infocyte
Infocyte can pivot off incidents to automate triage, validate events with forensic data, and enable dynamic response actions against any or all hosts using either agentless or agent-based endpoint access.
New: PCAP Analysis Pack v1.0.0
Scripts
PcapMinerV2
PcapMiner V2 enables you to parse PCAP files by displaying all of the relevant data, including IP addresses, ports, flows, a per-protocol breakdown, regex search results, decrypted encrypted traffic, and more.
This automation takes about a minute to process 20,000 packets (approximately 10 MB). If you want to mine larger files, you can either:
a) Use the pcap_filter parameter to filter your PCAP file and thereby make it smaller.
b) Copy the automation and change the default timeout parameter as necessary.
New: Polygon Pack v1.0.0
Integrations
Group-IB TDS Polygon
TDS Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicator extraction. TDS Polygon analyzes submitted files and URLs and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon can be used both for application-level tasks (such as SMTP-based mail filtering) and for analytical purposes (file/URL analysis for verdicts, reports, and indicators).
Playbooks
Detonate File - Group-IB TDS Polygon
Detonates files using the Group-IB TDS Polygon integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
Detonate URL - Group-IB TDS Polygon
Detonates URLs using the Group-IB TDS Polygon integration.
AWS - EC2 Pack v1.1.1
Scripts
AwsEC2GetPublicSGRules
Added support for security groups with only one ingress rule.
Playbooks
IP Whitelist - AWS Security Group
Syncs a list of IP addresses with an AWS Security Group. Moved from the IPWhitelisting pack.
Base Pack v1.0.10
Scripts
CommonServerPython
- Added support for the CVE indicator class.
- Added the safeget function for safely retrieving values from a Python dict.
- Fixed an issue where the argToList function did not behave as expected. This fix breaks backward compatibility.
- Fixed incorrect time zone parsing for timestamp_to_datestring.
CommonServerPowerShell
Updated the ReturnOutputs function to support object types.
BigFix Pack v1.0.1
Integrations
BigFix
Added the get_endpoints_details argument to the bigfix-get-endpoints command, which controls whether endpoint details are retrieved.
CSV Feed Pack v1.0.1
Integrations
CSVFeed
Updated the Docker image to support the auto-detection function.
Carbon Black Enterprise Response Pack v1.0.3
Integrations
Carbon Black Enterprise Response v2
Fixed an issue where the file context did not behave as expected in the cb-get-processes command.
Playbook
Search Endpoints By Hash - Carbon Black Response V2
Searches for endpoints by hash.
Check Point Firewall Pack v1.0.2
Integrations
Check Point
Deprecated the ipname argument from the checkpoint-block-ip command.
Chronicle Pack v1.1.0
Integrations
Google Chronicle Backstory
- Added the gcb-list-events command.
- Added deep link to all commands.
Cisco Threat Grid Pack v1.0.2
Integrations
Threat Grid
Fixed a bug in the threat-grid-get-analysis-by-id command, which failed with a syntax error.
Common Playbooks Pack v1.5.0
Playbooks
New: Entity Enrichment - Generic v3
Enrich entities using one or more integrations.
Send Investigation Summary Reports
Updated the SearchIncidents command to SearchIncidentsV2.
Get Original Email - Generic
Added an output of email headers.
Common Scripts Pack v1.1.9
Scripts
SetGridField
Fixed an issue in which non-alphabetically sorted values given to the columns were not processed as expected.
VerifyJSON
Updated the Docker image to PowerShell 7.
TimeStampCompare
Removed an empty tag from the TimeStampCompare script.
DateStringToISOFormat
Added a new transformer script for converting arbitrary date strings to ISO-8601 format.
Common Types Pack v1.2.1
IndicatorTypes
domainRepUnified
Updated the Domain indicator type's default mapping to use the new transformer DateStringToISOFormat (where relevant).
Compliance Pack v1.0.1
IncidentFields
New: Secretary Notification
New: Management Notification
New: DPO Notification
New: Media Notification
New: Individuals Notification
Cortex Data Lake Pack v1.0.3
Integrations
Cortex Data Lake
Adjusted the integration to work when running as a non-root user in a Docker container.
Cortex XDR - IOC Pack v1.0.1
Integrations
Cortex XDR - IOC
Fixed an issue where trying to push a non-existing indicator in xdr-iocs-push raised an error that failed the command.
Deprecated Content Pack v1.2.0
Playbooks
Malware Playbook - Manual
Deprecated. Use "Malware Investigation - Manual" playbook instead.
EWS Pack v1.1.2
Integrations
New: EWSO365
The new EWS O365 integration uses the OAuth 2.0 protocol and can be used with Exchange Online and Office 365 (mail).
EWS v2
- Fixed a bug in the test module which failed on a delegated mailbox.
- Improved handling of errors raised in the incident fetch flow.
Elasticsearch Feed Pack v1.0.2
Integrations
ElasticsearchFeed
Fixed an issue where the Feed Type was not processed as expected while fetching indicators.
FalconHost Pack v1.1.1
Integrations
FalconHost
Added support for 3 commands from the Threat Graph API:
- cs-threatgraph-summary
- cs-threatgraph-processes
- cs-threatgraph-detections
Playbooks
Added the Rapid IOC Hunting v2 playbook and replaced deprecated scripts.
FireEye ETP Pack v1.0.1
Integrations
FireEye ETP
Improved empty response handling.
FortiSIEM Pack v1.0.1
Integrations
FortiSIEM
- Fixed an issue where the authentication did not work properly.
- Fixed an issue where the fortisiem-get-events-by-incident command did not return results.
Google Cloud Compute Pack v1.0.1
Playbooks
IP Whitelist - GCP Firewall
Syncs a list of IP addresses with a GCP Firewall. Moved from the IPWhitelisting pack.
HelloWorld Pack v1.1.6
Integrations
HelloWorld
- Improved the fetch-incidents command to prevent duplicate incidents.
- Minor updates to documentation.
IBM QRadar Pack v1.0.3
Integrations
QRadar
Improved handling of unexpected responses.
Intezer Pack v1.0.1
Integrations
Intezer v2
Updated the integration to the latest Docker image.
JSON Feed Pack v1.0.1
Integrations
JSON Feed
Updated the description of the indicator type field.
Joe Security Pack v1.0.2
Integrations
Joe Security
Fixed a bug in the joe-analysis-info command where DBotScore.Indicator was not returned when a URL was passed.
Malware Pack v1.1.0
Playbooks
New: Malware Investigation - Manual
Master manual playbook for investigating suspected malware presence on an endpoint.
IncidentTypes
Malware
Associated the new Malware Investigation - Manual playbook with the Malware incident type.
McAfee DXL Pack v1.0.0
Playbook
Enrich DXL with ATD verdict v2 Playbook
Replaced deprecated scripts.
Enrich McAfee DXL using 3rd party sandbox v2 Playbook
Replaced deprecated scripts.
McAfee ePO Pack v1.0.1
Playbook
McAfee ePO Endpoint Compliance Playbook v2
Replaced deprecated scripts.
McAfee ePO Repository Compliance Playbook
Replaced deprecated scripts.
McAfee ePO Endpoint Connectivity Diagnostics Playbook
Replaced deprecated scripts.
Microsoft Defender Advanced Threat Protection Pack v1.1.2
Integrations
Microsoft Defender Advanced Threat Protection
Updated the permission scope for self-deployed applications to the Microsoft Defender Advanced Threat Protection default.
Microsoft Teams Pack v1.0.2
Integrations
Microsoft Teams
Fixed an issue where notifications to be sent to the dedicated channel were not handled appropriately.
Mimecast Pack v1.0.2
Integrations
MimecastV2
Added a pagination mechanism for URL log requests.
MongoDB Pack v1.0.4
Integrations
MongoDB
Fixed an issue where nested dictionaries containing a datetime object were not parsed properly.
PAN-OS Pack v1.0.5
Playbooks
PAN-OS - Create Or Edit Rule
Removed transformers that were no longer needed.
PAN-OS DAG Configuration
Removed transformers that were no longer needed.
Integrations
Panorama
Added logs for uncommitted items.
Palo Alto Networks BPA Pack v1.1.0
Integrations
BPA
Added the option to exclude passed checks in the pan-os-bpa-get-job-results command.
Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.0.0
Integrations
Cortex XDR - IR
- Fixed a bug in the xdr-get-endpoint command where only the last endpoint was displayed in context.
- Added 6 commands.
- xdr-blacklist-files
- xdr-whitelist-files
- xdr-quarantine-files
- xdr-get-quarantine-status
- xdr-restore-file
- xdr-endpoint-scan
Playbooks
New: Cortex XDR - Malware Investigation
Investigates a Cortex XDR incident containing internal malware alerts. The playbook:
- Enriches the infected endpoint details.
- Lets the analyst manually retrieve the malicious file.
- Performs file detonation.
The playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v2'.
New: Cortex XDR - Port Scan - Adjusted
Investigates a Cortex XDR incident containing internal port scan alerts. The playbook:
- Syncs data with Cortex XDR.
- Notifies management about a compromised host.
- Escalates the incident in case of lateral movement alert detection.
The playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v2'.
New: Cortex XDR Alerts Handling
This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:
New: Cortex XDR Incident Handling v2
This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates the new XDR alerts that make up the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook enriches the incident's indicators and hunts for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.
PaloAltoNetworks_XDR
Added a test for the quarantine file playbook.
Cortex XDR - quarantine file
Added a playbook that gets the status of a quarantined file.
Phishing Pack v1.6.0
Playbooks
Get Original Email - EWS
Added the email headersmap output. This enables phishing incidents to display email headers if the original email was retrieved.
Phishing - Core
- Fixed an issue where URL screenshots did not display in the layout.
- Merged 2 conditions into 1 to clean up playbook.
- Added checks to verify that the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails, and before taking URL screenshots.
Process Email - Core
- Added checks to verify that the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails, and before taking URL screenshots.
- Email headers will now show in phishing incident layouts.
Process Email - Generic
- Added a check that verifies whether the Rasterize integration is enabled before attempting to rasterize HTML-formatted emails.
- Simplified the flow of the playbook by merging tasks where possible and renaming tasks to better reflect their purpose.
- Email headers will now show in phishing incident layouts.
Get Original Email - EWS
Added an output of email headers.
Layout
Phishing
The phishing layout now displays the email headers if the email was attached as a file or was retrieved using a mail listener integration.
Plain Text Feed Pack v1.0.1
Integrations
Plain Text Feed
Updated the Docker image to support the auto-detection function.
Prisma Access Pack v1.0.1
Playbooks
Prisma Access Whitelist Egress IPs on SaaS Services
- Added a call for the Okta Zones subplaybook.
- Moved the names of the AWS security group, GCP firewall, and Okta Zone into playbook inputs. If the input is not set, the related subplaybook will be skipped.
Prisma Cloud Pack v1.2.0
Integrations
RedLock
- Added a default classifier and mapper.
- Added support for multi-environment instances.
- Added the get-remediation-details command.
Proofpoint Protection Server Pack v1.0.2
Integrations
Proofpoint Server Protection
- Improved parsing of responses returned from Proofpoint.
- Added support for Proofpoint Protection Server version 8.14.2.
RTIR Pack v1.0.3
Integrations
RTIR
- Fixed an issue where headers with 'ID' in their name were malformed when running the rtir-search-ticket command and in fetch-incidents.
- Improved parsing of ticket attachments.
Recorded Future Feed Pack v1.0.1
Integrations
Recorded Future Feed
Improved parsing of IOC objects.
Red Canary Pack v1.0.2
Integrations
RedCanary
- Removed timeline details for a detection fetched as an incident.
- Fixed an issue in which acknowledged detections were fetched as incidents.
- Improved processing of outputs for endpoint details.
Securonix Pack v1.1.1
Integrations
Securonix
- Added the max parameter to the securonix-list-incidents command.
- Added the max_fetch parameter to the integration configuration. The default and maximum value is 50.
- Fixed an issue where duplicate incidents were fetched.
SentinelOne Pack v1.0.1
Integrations
SentinelOne V2
Improved processing of datetime strings.
ServiceNow Pack v1.1.4
Integrations
ServiceNow v2
Improved handling of authentication errors returned from ServiceNow.
Slack Pack v1.2.1
Integrations
SlackV2
Added stability improvements for long-running execution.
VirusTotal Pack v1.0.1
Integrations
VirusTotal
Fixed an issue where the url command lacked the default url argument.
Zscaler Pack v1.0.1
Integrations
Zscaler
Added the multiple argument to the url command, which, when set to "false", lets users submit a single URL that contains commas.
ipinfo Pack v1.0.1
Integrations
ipinfo
Added support for HTTPS connection.
okta Pack v1.0.2
Integrations
Okta v2
Added 3 commands.
- okta-get-zone
- okta-update-zone
- okta-list-zones
Playbooks
Allow IP - Okta Zone
Syncs a list of IP addresses with an Okta Zone.
Assets
- Download: content_new.zip
- Browse the Source Code: Content Repo @ 20.6.1