Cortex XSOAR Content Release Notes for version 20.7.1 (70449)

Published on 21 July 2020

Welcome to the 20.7.1 Content Release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based on Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Pack format, in which there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.

For Cortex XSOAR version 5.5 and earlier, you can still install content updates directly in the platform.

End Of Life Notice

The following integrations were deprecated in November 2019:

  • Azure Compute
  • Azure Security Center

These integrations will reach end of life on July 31, 2020, due to changes to the backend authentication services needed for these integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.

New: Blueliv ThreatCompass Pack v1.0.0


Blueliv ThreatCompass

Blueliv ThreatCompass systematically looks for information about companies,products, people, brands, logos, assets, technology and other information, depending on your needs. Blueliv ThreatCompass allows you to monitor and track all this information to keep your data, your organization and its employees safe

New: Blueliv ThreatContext Pack v1.0.0


Blueliv ThreatContext

The Threat Context module provides SOC, Incident Response, and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.

New: Zimperium Pack v1.0.0


Zimperium - Classifier

Classifies Zimperium incidents.

Zimperium - Incoming Mapper

Maps incoming Zimperium incident fields.


Zimperium event



Zimperium is a mobile security platform that generates alerts based on anomalous or unauthorized activities detected on a user's mobile device.


Zimperium Event - Summary


Zimperium Incident Enrichment

Enriches Zimperium incidents.

AWS Feed Pack v1.0.2


AWS Feed

Added the Tags parameter.

Active Directory Query Pack v1.0.2


Active Directory Query v2

Added the time_limit argument to the ad-get-group-members command. Default is 180 seconds.

AlienVault Feed Pack v1.0.1


AlienVault OTX TAXII Feed

Added the Tags parameter.

Atlassian Jira Pack v1.0.2



Fixed an issue where an error was raised when no issues matched the query.

AttackIQ Platform Pack v1.0.2


AttackIQ Platform

Fixed the Job State and Assessment outputs in the attackiq-get-test-results command.

Azure Security Center Pack v1.0.1


Azure Security Center v2
  • Added support to authenticate using a self-deployed Azure application.
  • Fixed an issue where the azure-sc-update-atp command failed due to an incorrect parameter being passed in the request body.

Base Pack v1.1.4



Added additional arguments for increased functionality when using logos.

Brute Force Pack v1.1.2


Brute Force Incident

Updated incident and indicator layouts to content pack format.

Cofense Feed Pack v1.0.4


Cofense Feed

Added the Tags parameter.

Common Playbooks Pack v1.6.1


Detonate File - Generic
  • Added the Detonate File - Group-IB TDS Polygon playbook as a sub-playbook
  • Added the CrowdStrike Falcon X integration.
  • Updated sub-playbook inputs to be inputs.File.
Detonate URL - Generic
  • Added the Detonate File - Group-IB TDS Polygon playbook as a sub-playbook
  • Added the CrowdStrike Falcon X integration.

Common Scripts Pack v1.2.5


  • Fixed an issue where "None" values caused the script to fail.
  • Improved argument descriptions.
  • Improved error messaging in cases of invalid grid ID.
  • Added handling for empty values in cells and columns (i.e. context paths with no value).
  • Changed the default value of the overwrite argument from false to true.

Compliance Pack v1.0.4



Fixed a typo.

CrowdStrike Falcon Pack v1.1.0


CrowdStrike Falcon
  • Added the following real-time response API commands:
    • cs-falcon-run-get-command
    • cs-falcon-status-get-command
    • cs-falcon-status-command
    • cs-falcon-get-extracted-file
    • cs-falcon-list-host-files
    • cs-falcon-refresh-session
  • Added the target argument to the cs-falcon-run-command command to support single and batch operations.
  • Fixed entry context keys
  • Fixed the cs-falcon-get-script command. A script entry returned from the command replaces the entry identifying with ID in CrowdStrike.Script.
  • Fixed the cs-falcon-list-scripts command. Script entries returned from the command replace the entries identifying with IDs in CrowdStrike.Script.

Elasticsearch Feed Pack v1.0.3


Elasticsearch Feed

Added the Tags parameter.

Expanse Pack v1.1.0



Updated the classifier to include mappings for all relevant Expanse Incident fields.



Updated the integration to respect the configured page limit when fetching new incidents.

Expanse Behavior

Added a layout for Expanse Behavior Incidents.

Expanse Appearance

The layout for Expanse Appearance Incidents was updated to include new Incident Fields.


New: Expanse Behavior Severity Update

This playbook updates the severity of an Expanse Behavior incident based on the presence of other active Exposures for the IP address.

GenericSQL Pack v1.0.3


Generic SQL
  • Added support for database connection pooling.
  • Improved debug output when running commands with debug-mode=true.

IBM QRadar Pack v1.0.5


IBM QRadar

Improved handling of unicode responses.

MITRE ATT&CK Pack v1.0.8



Fixed an issue where a non-existing indicator query using the mitre-reputation command did not return results.


New: MITREIndicatorsByOpenIncidents

This is a widget script that returns information for MITRE indicators for top indicators shown in incidents.

Microsoft Graph Mail Pack v1.0.2



Fixed an issue where communication tasks were sending emails in text format only.

Microsoft Graph Mail Single User Pack v1.0.4


Microsoft Graph Mail Single User

Fixed an issue where communication tasks were sending emails in text format only.

Microsoft Management Activity API (O365/Azure Events) Pack v1.0.1


Microsoft Management Activity API (O365 Azure Events)

Fixed test module logic and the credentials error.

NIST Pack v1.0.3


Access Investigation - Generic - NIST

Added tasks that check if Active Directory is enabled.

Office 365 Feed Pack v1.1.3


Office 365 Feed

Fixed an issue with the insecure parameter.

PAN-OS Pack v1.4.1



Added the following commands:

  • panorama-block-vulnerability: Overrides single vulnerability signature and changes the default action.
  • panorama-get-predefined-threats-list: Retrieves the entire signature database from a PAN-OS device.
  • panorama-show-location-ip: Gets the location of an IP address.


NetOps - Firewall Version and Content Upgrade

Fixed DT syntax issues.

PCAP Analysis Pack v2.2.0


New: PCAP File Carving

This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files.


New: PcapFileExtractor

This script extract files from PCAP files using http, smb, tftp, imf and dicom protocols.

Prisma Access Pack v1.0.2


Prisma Access Egress IP feed

Fixed an issue where the Location parameter was not handled correctly.

Pwned Pack v1.0.1


Have I Been Pwned? v2

Fixed an issue where the Test button did not validate the API Key.

Slack Pack v1.3.3


Slack - General Failed Logins v2.1

The playbook now checks if the Active Directory Query v2 integration is enabled before expiring a user password.

SplunkPy Pack v1.0.4



Changed the fetch limit parameter to handle cases where this field is left empty in the instance configuration.

TIM - SIEM Integration Pack v1.0.2


TIM - Add All Indicator Types To SIEM

Improved the indicator query to include only active indicators. Pack v1.0.1


Fixed an issue in the tenable-io-launch-scan command where the scanTargets argument was ignored.

VMware Pack v1.0.1



Added support for additional TLS versions. The highest supported version will be used.

VirusTotal - Private API Pack v1.0.1


VirusTotal - Private API

Fixed an issue wiht the output paths for the vt-private-search-file command.

Whois Pack v1.1.1


TIM - Process Domains With Whois

Added a task that checks if the Whois integration is enabled.

Workday Pack v1.0.2



General performance and reliability improvements.