Cortex XSOAR Content Release Notes for version 20.7.0 (61242)#

Published on 07 July 2020#

Welcome to the 20.7.0 Content release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Packs format, where there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration, or provide a clear set of functionality. Our new release notes are structured around Content Packs, and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.


End Of Life Notice#

The following Integrations were deprecated in November 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach end of life on July 31, 2020, due to changes to the backend authentication services needed for these integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.


New: CrowdStrike Falcon X Pack v1.0.0#

Integrations#

CrowdStrike Falcon X#

Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis and to retrieve reports.

Playbooks#

Detonate File - CrowdStrike Falcon X#

Detonates a file using CrowdStrike Falcon X sandbox.

Detonate URL - CrowdStrike Falcon X#

Detonates one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data.


New: DeHashed Pack v1.0.0#

Integrations#

DeHashed#

This integration allows you to check if your personal information, such as your email, username, or password, has been compromised.


New: Google Kubernetes Engine Pack v1.0.0#

Integrations#

Google Kubernetes Engine#

The Google Kubernetes Engine integration is used for building and managing container-based applications in Google Cloud Platform (GCP), powered by the open source Kubernetes technology.

Playbooks#

Google Kubernetes Engine Operations Generic Polling#

This playbook checks the operation status of the Google Kubernetes Engine. It runs until the operation completes, and facilitates the waiting between steps in cluster configuration.


New: Manage Engine Service Desk Plus Pack v1.0.0#

Integrations#

Service Desk Plus#

Use this integration to manage Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.


New: Microsoft Azure AD Connect Health Feed Pack v1.0.0#

Integrations#

Azure AD Connect Health Feed#

Use the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed.


New: Quest Kace Pack v1.0.0#

Integrations#

Quest KACE Systems Management Appliance (Beta)#

Use the Quest KACE integration to provision, manage, secure, and service all network-connected devices.


New: Unit42 Feed Pack v1.0.0#

Integrations#

Unit42 Feed#

Unit42 feed of published IOCs, which contains known malicious indicators.


New: Workday Pack v1.0.0#

Integrations#

Workday#

Use the Workday integration to manage workers and employees.


New: Zoom Feed Pack v1.1.0#

Integrations#

Zoom Feed#

You can now use the new Zoom site configuration using the feed.


New: TAXII 2 Feed Pack v1.0.0#

Integrations#

TAXII Feed#

Ingests indicator feeds from TAXII 2.0 and 2.1 servers.


ApiModules Pack v1.0.3#

Scripts#

CSVFeedApiModule#

Added the Tags parameter.


ArcSight ESM Pack v1.0.3#

Integrations#

ArcSight ESM v2#
  • Fixed a bug in which some fetches returned duplicate alerts.
  • Added the Use REST Endpoints integration parameter, which enables using REST endpoints for the as-get-entries and as-clear-entries commands.

Attivo Botsink Pack v1.0.1#

Integrations#

Attivo Botsink#

Fixed an issue where errors were not handled as expected.


Bambenek Consulting Feed Pack v1.0.1#

Integrations#

Bambenek Consulting Feed#

Added the Tags parameter.


Base Pack v1.1.0#

Scripts#

SaneDocReports#
  • Fixed SVG image rendering in doc reports.
  • Added the ability to add customer logos to doc reports.
  • Reverted changes made in v1.0.12.
SanePdfReports#
  • Fixed word overlapping in graphs.
  • Rolled back the Docker image to fix a conflict issue.
  • Updated the sane-pdf-reports Docker tag, which fixes the graph labels overlap bug.
CommonServerPython#
  • Fixed an issue where the to_context function did not return the proper outputs when the CommandResult object was supplied with only readable_outputs.
  • Fixed an issue where the to_context function returned null instead of an empty list when supplied with empty outputs.
  • Added wrapper functions for getting and setting integration context.

CSV Feed Pack v1.0.2#

Integrations#

CSVFeed#

Added the Tags parameter.


Carbon Black Enterprise Protection Pack v1.0.2#

Playbooks#

Carbon black Protection Rapid IOC Hunting#

Updated the playbook to use the Carbon Black Enterprise Protection v2 integration.


Check Point Firewall Pack v1.0.3#

Integrations#

Check Point#

Fixed an issue where the checkpoint command did not work as expected.


Common Playbooks Pack v1.5.1#

Playbooks#

Block IP - Generic v2#

Added the FortiGate Ban IP command to the Block IP - Generic v2 playbook.


Common Scripts Pack v1.2.3#

Scripts#

ParseEmailFiles#
  • Fixed an issue where errors were not handled as expected.
  • Fixed an issue where EML files with the content type "message/rfc822" were not recognized as expected.
SetGridField#

Fixed an issue where the script failed on mixed-types error.

JSONtoCSV#

Improved the error message when an invalid JSON entry is given.


Common Types Pack v1.4.0#

Layouts#

domainRepUnified#

Added the Feed Related Indicators section to the layout.

unifiedFileRep#

Added the Feed Related Indicators section to the layout.

ipRep#

Added the Feed Related Indicators section to the layout.

urlRep#

Added the Feed Related Indicators section to the layout.


FalconHost Pack v1.1.2#

Integrations#

FalconHost#
  • Added support for IPv4 and IPv6 indicator types to the cs-device-ran-on command.
  • Deprecated the following commands:
    • cs-resolve-detection: Use the cs-falcon-resolve-detection command from the CrowdStrike Falcon integration instead.
    • cs-detection-details: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
    • cs-detection-search: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.

Infocyte Pack v1.0.1#

Integrations#

Infocyte#

Fixed a bug where fetch_incidents printed an error message if no new incidents/alerts were found.


JsonWhoIs Pack v1.0.3#

Integrations#

JsonWhoIs#

Fixed a bug where running the integration resulted in the "exceptions must derive from BaseException" error.


Kafka Pack v1.0.1#

Integrations#

Kafka V2#
  • Fixed an issue in which the offset for the fetch did not function as expected.
  • Improved error handling in the kafka-print-topics command.

Kenna Pack v1.0.3#

Integrations#

Kennav2#

Fixed an issue where the limit argument did not work when set above 25 in the kenna-search-fixes command.


Machine Learning Pack v1.1.0#

Scripts#

HashIncidentsFields#

Search for incidents by arguments with an option to hash some of the incident's fields.


Office 365 Feed Pack v1.1.2#

Integrations#

Office 365 Feed#

Added the Tags parameter.


PAN-OS Pack v1.2.0#

Integrations#

Panorama#
  • Added outputs to the panorama-get-logs command.
  • Added the source_zone and destination_zone arguments to the panorama-create-rule command.

PANW Comprehensive Investigation Pack v1.2.0#

Layouts#

PANW Endpoint Malware#

Added the new layout Palo Alto Networks - Endpoint Malware Investigation v2.

Playbooks#

Palo Alto Networks - Endpoint Malware Investigation v2#

Added the new playbook Palo Alto Networks - Endpoint Malware Investigation v2.


PCAP Analysis Pack v2.1.0#

Playbooks#

New: PCAP Search#

This playbook is used to parse and search within PCAP files.

New: PCAP Parsing And Indicator Enrichment#

This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators.


Palo Alto Networks BPA Pack v1.2.0#

Layouts#

Panorama Best Practice Assessment#

Added the Panorama Best Practice Assessment incident layout.

Playbooks#

Run Panorama Best Practice Assessment#

Marked the generate_zip_bundle filter to fetch the report bundle ZIP file.

Comprehensive PAN-OS Best Practice Assessment#

Added Comprehensive PAN-OS Best Practice Assessment to the pack.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.0.0#

Playbooks#

New: Cortex XDR - Malware Investigation#

Investigates a Cortex XDR incident that contains internal malware alerts. The playbook does the following:

  • Enriches the infected endpoint details.
  • Lets the analyst manually retrieve the malicious file.
  • Performs file detonation.

The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2 playbook.

New: Cortex XDR - Port Scan - Adjusted#

Investigates a Cortex XDR incident that contains internal port scan alerts. The playbook does the following:

  • Syncs data with Cortex XDR.
  • Notifies management about a compromised host.
  • Escalates the incident in case of lateral movement alert detection.

The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2 playbook.

New: Cortex XDR Alerts Handling#

This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:

  • Malware
  • Port Scan

New: Cortex XDR Incident Handling v2#

This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.


Palo Alto Networks PAN-OS EDL Service Pack v1.0.3#

Playbooks#

PAN-OS EDL Service Configuration#

Added a conditional task that validates if an EDL security rule with the same name already exists.


Phishing Pack v1.7.0#

Playbooks#

Process Email - Generic#

The task that updates the email headers in the layout will no longer continue on errors.

Process Email - Core#

The task that updates the email headers in the layout will no longer continue on errors.


Proofpoint Feed Pack v1.0.1#

Integrations#

Proofpoint Feed#

Added the Tags parameter.


Rasterize Pack v1.0.3#

Integrations#

Rasterize#
  • Fixed an issue where the rasterize-image command returned an image instead of a PDF file.
  • Added support for additional languages.

Recorded Future Feed Pack v1.0.2#

Integrations#

Recorded Future RiskList Feed#

Added the Tags parameter.


Remedy On-Demand Pack v1.0.1#

Integrations#

Remedy On-Demand#

Fixed an issue where the remedy-incident-update and remedy-get-incident commands required the request ID instead of the entry ID.


RiskSense Pack v1.0.1#

Integrations#

RiskSense#

Added the risksense-apply-tag command, which applies tags as part of the playbook.

Playbooks#

CVE Exposure - RiskSense#

Blocks IP addresses and applies the tag to assets that are vulnerable to the specified CVE.

Scripts#

DisplayCVEChartScript#

Displays a bar chart of the CVE count and the trending CVE count, each in a different color.


ServiceNow Pack v1.1.5#

Integrations#

ServiceNow v2#

Fixed the test button to work with debug mode.


Slack Pack v1.3.1#

Integrations#

SlackV2#

Increased integration context reliability by using versions (supported in Cortex XSOAR v6.0 and later).


Symantec Management Center Pack v1.0.1#

Integrations#

Symantec Management Center#

Added support for the content type LOCAL_CATEGORY_DB.


TAXII Feed Pack v1.0.1#

Integrations#

TAXII Feed#

Added the Tags parameter.


ThreatConnect Pack v2.0.1#

Integrations#

ThreatConnect#

Deprecated. Use the ThreatConnect v2 integration instead.

New: ThreatConnect v2#

Use the ThreatConnect v2 integration to manage your threat intelligence environment.


ThreatQ Pack v1.0.3#

Integrations#

ThreatQ v2#

Fixed an issue where the URL schema was enforced in the url command.


TruSTAR Pack v2.0.0#

Integrations#

TruSTAR v2#

The TruSTAR v2 integration introduces rewritten code, tests, docstrings on code functions, and new commands. For commands that return indicators, the data is put in three contexts:

  • The standard context, without the malicious field, because TruSTAR doesn't currently have a score for every indicator.
  • The DBotScore context, with the score set to 0 for the same reason.
  • The TruSTAR context, with all the information returned by the command.

Commands:

  • trustar-get-reports
  • trustar-get-enclaves
  • trustar-related-indicators
  • trustar-indicators-metadata
  • trustar-indicator-summaries
  • trustar-get-whitelisted-indicators
  • trustar-move-report
  • trustar-trending-indicators
  • trustar-get-indicators-for-report
  • trustar-search-indicators
  • trustar-submit-report
  • trustar-delete-report
  • trustar-correlated-reports
  • trustar-add-to-whitelist
  • trustar-remove-from-whitelist
  • trustar-report-details
  • trustar-update-report
  • trustar-search-reports
  • trustar-get-phishing-indicators
  • trustar-get-phishing-submissions
  • trustar-set-triage-status
  • trustar-copy-report

TruSTAR#

Deprecated. Use the TruSTAR v2 integration instead.


US - Breach Notification Pack v1.0.3#

Layouts#

US Breach Notification#
  • Added a new widget to the layout.
  • Added Notifications status to the layout.

Playbooks#

Illinois - Breach Notification#

Added setincidents to the playbook for the new layout.

New York - Breach Notification#

Added setincidents to the playbook for the new layout.

California - Breach Notification#

Added setincidents to the playbook for the new layout.

Residents Notification - Breach Notification#

Added setincidents to the playbook for the new layout.


Zscaler Pack v1.0.2#

Integrations#

Zscaler#
  • Added the multiple argument to the url command, which when set to "false" enables users to submit singular URLs that contain commas.
  • Improved list handling for the zscaler-category-add-url and zscaler-category-add-ip commands.

iDefense Pack v1.0.1#

Integrations#

iDefense#

Fixed an issue where the Set API token parameter was visible in the integration configuration window.


Okta Pack v1.0.3#

Integrations#

Okta#

Deprecated. Use the Okta v2 integration instead.

