Cortex XSOAR Content Release Notes for version 20.7.0 (61242)
Published on 07 July 2020
Welcome to the 20.7.0 Content release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to the Packs format, where there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to implement a use case, implement an integration, or provide a clear set of functionality. Our new release notes are structured around Content Packs, and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.
End Of Life Notice
The following Integrations were deprecated in November 2019:
- Azure Compute
- Azure Security Center
These integrations will reach end of life on July 31, 2020, due to changes to the backend authentication services needed for these integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.
New: CrowdStrike Falcon X Pack v1.0.0
Integrations
CrowdStrike Falcon X
Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis and to retrieve reports.
Playbooks
Detonate File - CrowdStrike Falcon X
Detonates a file using CrowdStrike Falcon X sandbox.
Detonate URL - CrowdStrike Falcon X
Detonates one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
New: DeHashed Pack v1.0.0
Integrations
DeHashed
This integration allows you to check if your personal information, such as your email, username, or password, has been compromised.
New: Google Kubernetes Engine Pack v1.0.0
Integrations
Google Kubernetes Engine
The Google Kubernetes Engine integration is used for building and managing container-based applications in Google Cloud Platform (GCP), powered by the open source Kubernetes technology.
Playbooks
Google Kubernetes Engine Operations Generic Polling
This playbook checks the operation status of the Google Kubernetes Engine. It runs until the operation completes, and facilitates the waiting between steps in Cluster configuration.
New: Manage Engine Service Desk Plus Pack v1.0.0
Integrations
Service Desk Plus
Use this integration to manage Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.
New: Microsoft Azure AD Connect Health Feed Pack v1.0.0
Integrations
Azure AD Connect Health Feed
Use the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed.
New: Quest Kace Pack v1.0.0
Integrations
Quest KACE Systems Management Appliance (Beta)
Use the Quest KACE integration to provision, manage, secure, and service all network-connected devices.
New: Unit42 Feed Pack v1.0.0
Integrations
Unit42 Feed
Unit42 feed of published IOCs, which contains known malicious indicators.
New: Workday Pack v1.0.0
Integrations
Workday
Use the Workday integration to manage workers and employees.
New: Zoom Feed Pack v1.1.0
Integrations
Zoom Feed
You can now use the feed with the new Zoom site configuration.
New: TAXII 2 Feed Pack v1.0.0
Integrations
TAXII Feed
Ingests indicator feeds from TAXII 2.0 and 2.1 servers.
ApiModules Pack v1.0.3
Scripts
CSVFeedApiModule
Added the Tags parameter.
ArcSight ESM Pack v1.0.3
Integrations
ArcSight ESM v2
- Fixed a bug in which some fetches returned duplicate alerts.
- Added the Use REST Endpoints integration parameter, which enables using REST endpoints for the as-get-entries and as-clear-entries commands.
Attivo Botsink Pack v1.0.1
Integrations
Attivo Botsink
Fixed an issue where errors were not handled as expected.
Bambenek Consulting Feed Pack v1.0.1
Integrations
Bambenek Consulting Feed
Added the Tags parameter.
Base Pack v1.1.0
Scripts
SaneDocReports
- Fixed SVG image rendering in doc reports.
- Added the ability to add customer logos to doc reports.
- Reverted changes made in v1.0.12.
SanePdfReports
- Fixed word overlapping in graphs.
- Rolled back the Docker image to fix a conflict issue.
- Updated the sane-pdf-reports Docker tag, which fixes the graph labels overlap bug.
CommonServerPython
- Fixed an issue where the to_context function did not return the proper outputs when the CommandResult object was supplied with only readable_outputs.
- Fixed an issue where the to_context function returned null instead of an empty list when supplied with empty outputs.
- Added wrapper functions for getting and setting integration context.
CSV Feed Pack v1.0.2
Integrations
CSVFeed
Added the Tags parameter.
Carbon Black Enterprise Protection Pack v1.0.2
Playbooks
Carbon black Protection Rapid IOC Hunting
Updated the playbook to use the Carbon Black Enterprise Protection v2 integration.
Check Point Firewall Pack v1.0.3
Integrations
Check Point
Fixed an issue where the checkpoint command did not work as expected.
Common Playbooks Pack v1.5.1
Playbooks
Block IP - Generic v2
Added the FortiGate Ban IP command to the Block IP - Generic v2 playbook.
Common Scripts Pack v1.2.3
Scripts
ParseEmailFiles
- Fixed an issue where errors were not handled as expected.
- Fixed an issue where EML files with the content type "message/rfc822" were not recognized as expected.
SetGridField
Fixed an issue where the script failed with a mixed-types error.
JSONtoCSV
Improved the error message when an invalid JSON entry is given.
Common Types Pack v1.4.0
Layouts
domainRepUnified
Added the Feed Related Indicators section to the layout.
unifiedFileRep
Added the Feed Related Indicators section to the layout.
ipRep
Added the Feed Related Indicators section to the layout.
urlRep
Added the Feed Related Indicators section to the layout.
FalconHost Pack v1.1.2
Integrations
FalconHost
- Added support for IPv4 and IPv6 indicator types to the cs-device-ran-on command.
- Deprecated the following commands:
  - cs-resolve-detection: Use the cs-falcon-resolve-detection command from the CrowdStrike Falcon integration instead.
  - cs-detection-details: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
  - cs-detection-search: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
Infocyte Pack v1.0.1
Integrations
Infocyte
Fixed a bug where fetch_incidents printed an error message if no new incidents/alerts were found.
JsonWhoIs Pack v1.0.3
Integrations
JsonWhoIs
Fixed a bug where running the integration resulted in the "exceptions must derive from BaseException" error.
Kafka Pack v1.0.1
Integrations
Kafka V2
- Fixed an issue in which the offset for the fetch did not function as expected.
- Improved error handling in the kafka-print-topics command.
Kenna Pack v1.0.3
Integrations
Kennav2
Fixed an issue where the limit argument did not work when set above 25 in the kenna-search-fixes command.
Machine Learning Pack v1.1.0
Scripts
HashIncidentsFields
Search for incidents by arguments with an option to hash some of the incident's fields.
Office 365 Feed Pack v1.1.2
Integrations
Office 365 Feed
Added the Tags parameter.
PAN-OS Pack v1.2.0
Integrations
Panorama
- Added outputs to the panorama-get-logs command.
- Added the source_zone and destination_zone arguments to the panorama-create-rule command.
PANW Comprehensive Investigation Pack v1.2.0
Layouts
PANW Endpoint Malware
Added the new layout Palo Alto Networks - Endpoint Malware Investigation v2.
Playbooks
Palo Alto Networks - Endpoint Malware Investigation v2
Added the new playbook Palo Alto Networks - Endpoint Malware Investigation v2.
PCAP Analysis Pack v2.1.0
Playbooks
New: PCAP Search
This playbook is used to parse and search within PCAP files.
New: PCAP Parsing And Indicator Enrichment.
This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators.
Palo Alto Networks BPA Pack v1.2.0
Layouts
Panorama Best Practice Assessment
Added the Panorama Best Practice Assessment incident layout.
Playbooks
Run Panorama Best Practice Assessment
Marked the generate_zip_bundle filter to fetch the report bundle ZIP file.
Comprehensive PAN-OS Best Practice Assessment
Added Comprehensive PAN-OS Best Practice Assessment to the pack.
Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.0.0
Playbooks
New: Cortex XDR - Malware Investigation
Investigates a Cortex XDR incident that contains internal malware alerts. The playbook does the following:
- Enriches the infected endpoint details.
- Lets the analyst manually retrieve the malicious file.
- Performs file detonation.
The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2 playbook.
New: Cortex XDR - Port Scan - Adjusted
Investigates a Cortex XDR incident that contains internal port scan alerts. The playbook does the following:
- Syncs data with Cortex XDR.
- Notifies management about a compromised host.
- Escalates the incident in case of lateral movement alert detection.
The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2.
New: Cortex XDR Alerts Handling
This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:
- Malware
- Port Scan
New: Cortex XDR Incident Handling v2
This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
Palo Alto Networks PAN-OS EDL Service Pack v1.0.3
Playbooks
PAN-OS EDL Service Configuration
Added a conditional task that validates if an EDL security rule with the same name already exists.
Phishing Pack v1.7.0
Playbooks
Process Email - Generic
The task that updates the email headers in the layout will no longer continue on errors.
Process Email - Core
The task that updates the email headers in the layout will no longer continue on errors.
Proofpoint Feed Pack v1.0.1
Integrations
Proofpoint Feed
Added the Tags parameter.
Rasterize Pack v1.0.3
Integrations
Rasterize
- Fixed an issue where the rasterize-image command returned an image instead of a PDF file.
- Added support for additional languages.
Recorded Future Feed Pack v1.0.2
Integrations
Recorded Future RiskList Feed
Added the Tags parameter.
Remedy On-Demand Pack v1.0.1
Integrations
Remedy On-Demand
Fixed an issue where the remedy-incident-update and remedy-get-incident commands required the request ID instead of the entry ID.
RiskSense Pack v1.0.1
Integrations
RiskSense
Added the risksense-apply-tag command, which applies tags as part of the playbook.
Playbooks
CVE Exposure - RiskSense
Blocks IP addresses and applies the tag to assets that are vulnerable to the specified CVE.
Scripts
DisplayCVEChartScript
Displays a bar chart based on the CVEs count and the trending CVEs count with the different colors.
ServiceNow Pack v1.1.5
Integrations
ServiceNow v2
Fixed the test button to work with debug mode.
Slack Pack v1.3.1
Integrations
SlackV2
Increased integration context reliability by using versions (supported in Cortex XSOAR v6.0 and later).
Symantec Management Center Pack v1.0.1
Integrations
Symantec Management Center
Added support for the content type LOCAL_CATEGORY_DB.
TAXII Feed Pack v1.0.1
Integrations
TAXII Feed
Added the Tags parameter.
ThreatConnect Pack v2.0.1
Integrations
ThreatConnect
Deprecated. Use the ThreatConnect v2 integration instead.
New: ThreatConnect v2
Use the ThreatConnect v2 integration to manage your threat intelligence environment.
ThreatQ Pack v1.0.3
Integrations
ThreatQ v2
Fixed an issue where the URL schema was enforced in the url command.
TruSTAR Pack v2.0.0
Integrations
TruSTAR v2
The TruSTAR v2 integration introduces rewritten code, tests, docstrings on code functions, and new commands. For commands that return indicators, the data is put in 3 contexts:
- The standard context, without the malicious field because TruSTAR doesn't currently have a score for every indicator.
- DBotScore context with score as 0 for the same reason.
- TruSTAR context with all the information returned by the command.
Commands:
- trustar-get-reports
- trustar-get-enclaves
- trustar-related-indicators
- trustar-indicators-metadata
- trustar-indicator-summaries
- trustar-get-whitelisted-indicators
- trustar-move-report
- trustar-trending-indicators
- trustar-get-indicators-for-report
- trustar-search-indicators
- trustar-submit-report
- trustar-delete-report
- trustar-correlated-reports
- trustar-add-to-whitelist
- trustar-remove-from-whitelist
- trustar-report-details
- trustar-update-report
- trustar-search-reports
- trustar-get-phishing-indicators
- trustar-get-phishing-submissions
- trustar-set-triage-status
- trustar-copy-report
TruSTAR
Deprecated - Use the TruSTAR v2 integration instead.
US - Breach Notification Pack v1.0.3
Layouts
US Breach Notification
- Added a new widget to the layout.
- Added Notifications status to the layout.
Playbooks
Illinois - Breach Notification
Added setincidents to the playbook for the new layout.
New York - Breach Notification
Added setincidents to the playbook for the new layout.
California - Breach Notification
Added setincidents to the playbook for the new layout.
Residents Notification - Breach Notification
Added setincidents to the playbook for the new layout.
Zscaler Pack v1.0.2
Integrations
Zscaler
- Added the multiple argument to the url command, which when set to "false" enables users to submit singular URLs that contain commas.
- Improved list handling for the zscaler-category-add-url and zscaler-category-add-ip commands.
iDefense Pack v1.0.1
Integrations
iDefense
Fixed an issue where the Set API token parameter was visible in the integration configuration window.
Okta Pack v1.0.3
Integrations
Okta
Deprecated. Use the Okta v2 integration instead.
Assets
- Download: content_new.zip
- Browse the Source Code: Content Repo @ 20.7.0