
Cortex XSOAR Content Release Notes for version 20.8.0 (80195)#

Published on 4 August 2020#

Welcome to the 20.8.0 Content Release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based on Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Pack format, in which there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.

For Cortex XSOAR version 5.5 and earlier, you can still install content updates directly in the platform.#


New: CVSS Pack v1.0.0#

Scripts#

CVSSCalculator#

This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator. You can learn more about calculations here: https://www.first.org/cvss/.


New: CrowdStrike Malquery Pack v1.0.0#

Integrations#

CrowdStrike Malquery#

Use the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine.

Playbooks#

CrowdStrikeMalquery - Multidownload and Fetch#

Schedule samples for download. Using samples-multidownload is a three-step process:

  1. Schedule the download with samples-multidownload, which returns a request ID.
  2. Provide that request ID to cs-malquery-get-request to check the status of the operation.
  3. When the request status is "done", use cs-malquery-sample-fetch to download the results as a password-protected archive.

Use this playbook as a sub-playbook to schedule samples for download. This playbook implements polling by continuously running the get-request command until the operation completes. Once the request status is done, the sub-playbook runs cs-malquery-sample-fetch.

The remote action should have the following structure:

  1. Initiate the operation - insert the sample SHA256 IDs.
  2. Poll to check if the operation completed.
  3. Get the results of the operation.

CrowdStrikeMalquery - Search#

Use this playbook as a sub-playbook to query the contents of binary files. This playbook implements polling by continuously running the get-request command until the operation completes. The remote action should have the following structure:

  1. Initiate the operation - insert the type of search command (hunt or exact-search) and its additional arguments if necessary.
  2. Poll to check if the operation completed.
  3. Get the results of the operation.

New: CyberTotal Pack v1.0.0#

Integrations#

CyberTotal#

CyberTotal is a cloud-based threat intelligence service developed by CyCraft.

Playbooks#

CyberTotal Auto Enrichment - CyCraft#

This playbook automatically enriches indicators (including IPs, URLs, domains; MD5, SHA-1, and SHA-256 file hashes). Playbook input: the indicators you want to enrich. Playbook output: detection engine results, positive detections, detection ratios; as well as severity, confidence, and threat scores.

CyberTotal Whois - CyCraft#

This playbook is used to automatically retrieve Whois information regarding IPs, URLs and domains. Playbook input: IPs, URLs, domains. Playbook output: Whois lookup information.


New: Imperva WAF Pack v1.0.0#

Integrations#

Imperva WAF#

Use the Imperva WAF integration to manage IP groups and web security policies in Imperva WAF.


New: Ivanti Heat Pack v1.0.0#

Integrations#

Ivanti Heat#

Use the Ivanti Heat integration to manage issues and create Cortex XSOAR incidents from Ivanti Heat.

Scripts#

IvantiHeatCloseIncidentExample#

This is a sample script that demonstrates how to close an incident in Ivanti Heat. The script generates data of the closed incident in JSON format and writes it to the IvantiHeat.CloseIncidentJSON context path.

IvantiHeatCreateIncidentExample#

This is a sample script that demonstrates how to create an incident in Ivanti Heat. The script generates data of the created incident in JSON format and writes it to the IvantiHeat.CreateIncidentJSON context path.

IvantiHeatCreateProblemExample#

This is a sample script that demonstrates how to create a problem in Ivanti Heat. The script generates data of the created problem in JSON format and writes it to the IvantiHeat.CreateProblemJSON context path.


New: Nozomi Networks Pack v1.0.0#

Integrations#

Nozomi Networks#

The Nozomi Networks Guardian platform is a hardware or virtual appliance that is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution. This integration is used to gather alerts and assets information from Nozomi.


New: RecordedFuture v2 Pack v1.0.0#

Integrations#

Recorded Future v2#

Unique threat intel technology that automatically serves up relevant insights in real time.

Playbooks#

Recorded Future CVE Intelligence#

CVE enrichment using Recorded Future intelligence.

Recorded Future CVE Reputation#

CVE reputation with Recorded Future SOAR enrichment.

Recorded Future Domain Intelligence#

Domain enrichment using Recorded Future intelligence.

Recorded Future Domain Reputation#

Domain reputation using Recorded Future SOAR enrichment.

Recorded Future File Intelligence#

File enrichment using Recorded Future intelligence.

Recorded Future File Reputation#

File reputation using Recorded Future SOAR enrichment.

Recorded Future IOC Reputation#

Entity Reputation using sub-playbooks.

Recorded Future IP Intelligence#

IP Address Enrichment using Recorded Future Intelligence.

Recorded Future IP Reputation#

IP address reputation using Recorded Future SOAR enrichment.

Recorded Future Threat Assessment#

Threat Assessment using the Recorded Future SOAR Triage API and the context Phishing.

Recorded Future URL Intelligence#

URL Enrichment using Recorded Future intelligence.

Recorded Future URL Reputation#

URL reputation using Recorded Future SOAR enrichment.


New: Sepio Pack v1.0.0#

IncidentTypes#

Sepio Systems#

Integrations#

Sepio#

Get Agent, Switches, and Events from your Sepio Prime environment.


RSA Archer Pack 1.1.0#

Integrations#

New: RSA Archer v2#

The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.

Scripts#

New: ArcherCreateIncidentExample#

This script is an example of how to create an Incident in Archer. The script generates the create-incident data in JSON format and executes the archer-create-record command.


AWS - Security Hub Pack v1.0.1#

Integrations#

AWS - Security Hub#
  • Added the aws-securityhub-batch-update-findings command, which enables you to update information in a finding. Master accounts can update findings for their own account and for member accounts, such as confidence, note, criticality, severity, etc. Member accounts can only update the Note object.
  • Added arguments to the following commands.
    • aws-securityhub-disable-security-hub
    • aws-securityhub-enable-security-hub
    • aws-securityhub-list-members
    • aws-securityhub-get-findings
  • Fetched incidents can be set as NOTIFIED, and can no longer be archived.

AWS Feed Pack v1.0.3#

Integrations#

AWS Feed#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Active Directory Query Pack v1.0.3#

Integrations#

Active Directory Query v2#

Added the disable-nested-search argument to the ad-get-group-members command, which enables you to disable recursive retrieval of a user's group memberships.


Anomali ThreatStream Pack v1.0.1#

Integrations#

Anomali ThreatStream v2#

Fixed an issue in the threatstream-import-indicator-with-approval command where it would not import indicators properly.


Atlassian Jira Pack v1.1.0#

Integrations#

Atlassian Jira v2#
  • Internal code improvements.
  • The Test button will now test the fetch incidents flow.

AutoFocus Pack v1.1.0#

Integrations#

AutoFocus Daily Feed#

The AutoFocus Daily Feed integration is now a part of the AutoFocus pack.

AutoFocus Feed#

The AutoFocus Feed integration is now a part of the AutoFocus pack.


Base Pack v1.1.7#

Scripts#

CommonServerPython#

Removed an unnecessary variable assignment.

SaneDocReports#
  • Updated the sane-doc-reports Docker image.
  • Fixed markdown HTML tag inconsistencies.
  • Fixed trend direction icons and rare cases when there are large values.
  • Fixed Markdown placeholder styles.
  • Fixed an issue where an array would be returned instead of 0 when the number is zero.
  • Fixed empty Markdown page break elements that were not working as expected.

Brute Force Pack v1.2.0#

Playbooks#

Brute Force Investigation - Generic#

Now verifies that the Active Directory Query v2 integration is enabled before using it.


Carbon Black Cloud Enterprise EDR Pack v1.0.2#

Integrations#

VMware Carbon Black Enterprise EDR#
  • Renamed the integration Carbon Black Enterprise EDR to VMware Carbon Black Enterprise EDR.

Carbon Black Defense Pack v1.1.1#

Integrations#

VMware Carbon Black Endpoint Standard#

Renamed the integration Carbon Black Defense to VMware Carbon Black Endpoint Standard.


Carbon Black Enterprise Live Response Pack v1.0.2#

Integrations#

VMware Carbon Black EDR (Live Response API)#

Renamed the integration Carbon Black Enterprise (Live) Response to VMware Carbon Black EDR (Live Response API).


Carbon Black Enterprise Protection Pack v1.0.3#

Integrations#

VMware Carbon Black App Control v2#

Renamed the integration Carbon Black Enterprise Protection v2 to VMware Carbon Black App Control v2.


Carbon Black Enterprise Response Pack v1.0.4#

Integrations#

VMware Carbon Black EDR v2#

Renamed the integration Carbon Black Enterprise Response v2 to VMware Carbon Black EDR v2.


Cherwell Pack v1.0.2#

Integrations#

Cherwell#

Removed assignment of a variable to itself.


Chronicle Pack v1.1.1#

Integrations#

Chronicle#

Removed a redundant 'else'.


Claroty Pack v1.0.5#

Integrations#

Claroty#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Code42 Pack v2.0.0#

Classifiers#

Code42#

New classifier.

Integrations#

Code42#
  • Internal code improvements.
  • Added new commands:
    • code42-departingemployee-get-all
    • code42-highriskemployee-add
    • code42-highriskemployee-remove
    • code42-highriskemployee-get-all
    • code42-highriskemployee-add-risk-tags
    • code42-highriskemployee-remove-risk-tags
    • code42-user-deactivate
    • code42-user-reactivate
    • code42-user-block
    • code42-user-unblock
    • code42-user-create
    • code42-legalhold-add-user
    • code42-legalhold-remove-user
    • code42-file-download
  • Improved error messages for all commands to include exception details.
  • Fixed a bug in the Fetch function where errors occurred when FileCategory was set to include only one category.
  • Fixed a bug in the Fetch function to handle the new Code42 exposure type Outside trusted domains.
  • Improved the Fetch function to better handle unsupported exposure types.

Layouts#

Code42 Security Alert#

Internal code improvements.

Playbooks#

Code42 File Download#

This playbook downloads a file via Code42 by either MD5 or SHA256 hash.

Code42 Exfiltration Playbook#

The playbook now downloads the file in place of a manual step for retrieving file contents.


Common Scripts Pack v1.2.21#

Scripts#

ReadPDFFileV2#
  • Removed an unnecessary 'pass' statement.
  • Fixed an issue where PDFs with multiple different encoding types were not handled.

NumberOfPhishingAttemptPerUser#

Changed the default query to search only for incidents from the last 30 days.

ParseEmailFiles#
  • Fixed an issue where the body text of the email was None.
  • Fixed an issue where the headers of the email were None.

New: If-Then-Else#

A transformer for simple if-then-else logic. This can potentially reduce the number of tasks required for a given playbook.

ParseCSV#

Fixed script arguments descriptions.

GenerateSummaryReports#

Fixed various script descriptions.

IncreaseIncidentSeverity#

The automation optionally increases the incident severity to the new value if it is greater than the existing severity.

Set#

Improved the script description.

SetAndHandleEmpty#

Improved the script description.

PrintRaw#

Added the new PrintRaw automation, which prints a raw representation of a string or object, visualising things like tabs and newlines. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.

IsUrlPartOfDomain#

Changed the way localhost is handled. URLs starting with localhost are universally returned as internal.

GetTime#

Fixed an issue where the script failed if it was executed from another script or with raw-response=true.

CalculateEntropy#

Calculates the entropy of the given data.


Common Types Pack v1.7.2#

IndicatorFields#

Category#

Added the Category indicator field.

Layouts#

domainRepUnified#

Updated the design for the Domain indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability and Tags fields from the Domain Details widget.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details, and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags and Feed Related Indicators fields to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Domain details and Whois widget.

ipRep#

Updated the design for the IP indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the IP Details widget.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags and Feed Related Indicators fields to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the IP details widget.

unifiedFileRep#

Updated the design for the File indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Moved the SHA512 field from the Hashes widget to the File Details widget.
    • Removed the Aggregated Reliability and Tags fields from the File Details widget.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Renamed the Signatures widget to File signature.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags and Feed Related Indicators fields to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the IP details widget.

emailRep#

Updated the design for the Email indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity and Owner fields to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Email details widget.

registryKey#

Updated the design for the RegistryKey indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity and Owner fields to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Registry Key details widget.

hostRep#

Updated the design for the Host indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity and Owner fields to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Host details widget.

accountRep#

Updated the design for the Account indicator layout as follows:

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity field to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the Account details widget.

cveRep#

Updated the design for the CVE indicator layout.

  • Replaced the Info tab with the Summary and Additional Details tabs.
  • In the Info tab:
    • Added the following widgets: Actions, Highest Reliability, Assignee, Community Score. The Actions widget provides the ability to enrich or expire indicators.
    • Added the CVE Modified field to the Account Details widget.
    • Removed the Aggregated Reliability field from the Account Details widget.
    • Removed the Close Notes field from the Related Incidents widget.
    • Added the Severity field to the Related Incidents widget.
    • Renamed the Sources Data widget to Sources.
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol) and added the ability to add and remove tags.
    • Moved the Custom Details and Extended Details widgets to the Additional Details tab.
  • In the Additional Details tab:
    • Added the Tags field to the Extended Details widget.
  • In the Quick View tab:
    • Renamed the Tags widget to Tags and TLP (Traffic Light Protocol).
    • Added the CVE details widget.

Cortex Data Lake Pack v1.1.0#

Integrations#

Cortex Data Lake#
  • Fixed the default values for arguments in the cdl-query-logs command.
  • Added the ip and port arguments to the cdl-query-threat-logs and the cdl-query-traffic-logs commands.
  • Added the cdl-query-url-logs command, which enables searching the URL log table.

Cymulate Pack v1.0.3#

Integrations#

Cymulate#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


DUO Admin Pack v2.0.0#

Integrations#

DUO Admin#

Improved implementation of logging and error handling.


Darkfeed™ - Current Customer Edition Pack v1.1.0#

Dashboards#

Sixgill Darkfeed#

Providing high-level analytics and segmentations of Darkfeed™ IOCs and the context in which they were detected.

Integrations#

Sixgill DarkFeed™ Threat Intelligence#

New custom Sixgill fields added to the IOCs, providing greater context into where the IOCs were shared and by whom.

Playbooks#

Darkfeed - malware download from feed#

Set this playbook as an automated job in order to automatically download malware from new Darkfeed IOCs and run them through the "Darkfeed IOC detonation and proactive blocking" playbook.

Darkfeed IOC detonation and proactive blocking#

Download malicious files from a Darkfeed IOC, detonate them in automated sandboxes, and extract and block any additional indicators and files.

Darkfeed Threat hunting-research#

Automatically discover and enrich indicators with the same actor and source as the triggering IOC. Search for and isolate any compromised endpoints and proactively block IOCs from entering your network.

Scripts#

SearchIndicators#

Searches indicators based on a given query.

Widgets#

Sixgill Darkfeed - Threads from the Underground#

Highlighting IOC-related conversations from the cyber underground.

Sixgill Darkfeed Indicators by Type#

Segmenting Darkfeed™ IOCs by type (URL, Domain, File, IP).

Sixgill Darkfeed - Subfeed Composition#

Displaying the segmentation of the Darkfeed™ into the various Subfeeds.

Sixgill Darkfeed - Collected IOCs#

Overall line chart of number of IOCs detected daily.

Sixgill Mitre ATT&CK Techniques#

Segmentation of the Darkfeed™ by Mitre ATT&CK techniques.

Sixgill Darkfeed - Mitre ATT&CK Tactics#

Segmentation of the Darkfeed™ by Mitre ATT&CK Tactics.

Sixgill Darkfeed - Top 10 Threat Actors#

The top-ten threat actors who posted the largest number of Darkfeed™ IOCs.

Sixgill Darkfeed IOC detection rate by Virus Total#

The detection rate of Darkfeed™ IOCs in Virus total.


DeHashed Pack v1.1.0#

Integrations#

DeHashed#

Added the email command, which checks if an email address was compromised.


Deprecated Content Pack v1.5.4#

Integrations#

SafeBreach (deprecated)#

Use the SafeBreach v2 integration instead.


DomainTools Iris Pack v1.0.1#

Integrations#

DomainTools Iris#

Internal code improvements.


EWS Pack v1.1.5#

Integrations#

EWS v2#
  • Removed assignment of a variable to itself.
  • Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)

Elasticsearch Pack v1.0.2#

Integrations#

Elasticsearch Feed#

Fixed an issue where API key authentication didn't work correctly for some users.

Elasticsearch v2#

Fixed an issue where API key authentication didn't work correctly for some users.


Elasticsearch Feed Pack v1.0.4#

Integrations#

Elasticsearch Feed#

Fixed an issue where API key authentication didn't work correctly for some users.


Fetch Indicators From File Pack v1.0.1#

Scripts#

FetchIndicatorsFromFile#

Added supported file types to the script description.


FireEye HX Pack v1.0.3#

Integrations#

FireEye HX#

Documentation and metadata improvements.


GenericSQL Pack v1.0.5#

Integrations#

Generic SQL#
  • Disabled warnings from the Oracle driver.
  • Added the pgsql-query command, which simplifies migrating from PostgreSQL.
  • Marked the query command as deprecated. Use the sql-command command instead.

GitHub Pack v1.1.0#

Integrations#

GitHub#

Added the Github-get-github-actions-usage command, which monitors GitHub actions usage for private repositories.


Gmail Single User (Beta) Pack v1.0.2#

Integrations#

Gmail Single User (Beta)#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


HIPAA - Breach Notification Pack v1.0.5#

Playbooks#

HIPAA - Breach Notification#

General documentation improvements.


HelloWorld Pack v1.1.9#

Integrations#

HelloWorld#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


IBM QRadar Pack v1.0.7#

Integrations#

IBM QRadar#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Illusive Networks Pack v1.0.4#

Classifiers#

IllusiveNetworks#
  • Updated the mapper with 2 fields.
    • Illusive Networks Deception Families
    • Illusive Networks Events Number

Integrations#

IllusiveNetworks#
  • Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)
  • Added 4 commands.
    • illusive-get-incident-events
    • illusive-get-forensics-analyzers
    • illusive-get-forensics-triggering-process-info
    • illusive-get-forensics-artifacts

Layouts#

Illusive Networks Incident#

Added new fields to the Illusive Networks Incident layout.

Playbooks#

Illusive-Collect-Forensics-On-Demand#

This playbook is used to collect forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection.

Illusive - Incident Escalation#

Added a playbook that performs incident escalation.

Illusive - Data Enrichment#

Added a playbook that enriches data.


Impossible Traveler Pack v1.2.0#

Playbooks#

Impossible Traveler#

The playbook now checks if the Rasterize integration is enabled before using it.


Indeni Pack v1.0.5#

Integrations#

Indeni#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Logz.io Pack v1.1.0#

Integrations#

Logz.io#

Fixed search logs with "human date".

Playbooks#

New: Logz.io Indicator Hunting#

Added a new hunting playbook.


MISP Pack v1.0.2#

Integrations#

MISP v2#

Fixed a syntax error.


Manage Engine Service Desk Plus Pack v1.2.0#

Integrations#

ServiceDeskPlus#

Added support for closure information in the close command.

Playbooks#

Service Desk Plus - Generic Polling#

Performs polling of a request given by the request ID input. The request status is polled until the request is closed.


Microsoft Graph Mail Pack v1.0.4#

Integrations#

Microsoft Graph Mail#
  • Updated the description of the message_id argument in all relevant commands.
  • Fixed an issue where using the OData parameter in the msgraph-mail-list-emails and msgraph-mail-get-email commands caused the command to fail with a Bad Request error.

Microsoft Graph Mail Single User Pack v1.0.5#

Integrations#

Microsoft Graph Mail Single User#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Non Supported Pack v1.0.1#

Playbooks#

QRadar - Get offense correlations#

Moved playbook to Non-Supported.


OnboardingIntegration Pack v1.0.2#

Integrations#

OnboardingIntegration#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


PAN-OS Pack v1.5.1#

Integrations#

Palo Alto Networks PAN-OS#
  • PAN-OS - Panorama get url category
    • Added DBot outputs.
  • PAN-OS - url
    • Added the url command, based on URL filtering.

Playbooks#

PAN-OS - Delete Static Routes#

Replaced the deprecated playbook PanoramaCommitConfiguration with the PAN-OS Commit Configuration playbook.

PAN-OS - Add Static Routes#

Replaced the deprecated playbook PanoramaCommitConfiguration with the PAN-OS Commit Configuration playbook.


PANW Comprehensive Investigation Pack v1.2.2#

Playbooks#

Palo Alto Networks - Malware Remediation#

Handled dependencies for the playbook.

Palo Alto Networks - Endpoint Malware Investigation v2#

Handled dependencies for the playbook.

Palo Alto Networks - Endpoint Malware Investigation#

Handled dependencies for the playbook.


PCAP Analysis Pack v2.3.0#

Playbooks#

PCAP File Carving#

Added a new playbook input that validates whether detonation is required.

New: PCAP Analysis#

Added a playbook that analyzes a PCAP file.

PCAP Parsing And Indicator Enrichment#
  • Improved task name.
  • Fixed setting the ExternalIPAddresses context key.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.1#

Integrations#

Cortex XDR - IOC#
  • The Cortex XDR - IOC integration is now a part of the Palo Alto Networks Cortex XDR - Investigation and Response pack.
  • Fixed an issue where the additional info for the Cortex XDR - IOC integration parameter did not appear as expected.
  • Updated a parameter name.

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Fixed an issue where the xdr-endpoint-scan command did not work when the hostname argument was passed.
  • Added standard outputs to the xdr-get-endpoints and xdr-get-incident-extra-data commands.

Playbooks#

Cortex XDR incident handling v2#

Fixed a bug in the "Find similar incidents" task, and added default input values.


Palo Alto Networks WildFire Pack v1.1.0#

Integrations#

Palo Alto Networks WildFire v2#

Added the url argument to the wildfire-report command, which enables retrieving reports using the new WildFire URL analysis. Currently this is only available for the US cloud.

Playbooks#

Detonate URL - WildFire v2.1#

Added the Detonate URL - WildFire v2.1 playbook, which supports the new WildFire URL analysis.


PhishTank Pack v1.0.1#

Integrations#

PhishTank#
  • Fixed the output types of the url command.
  • Fixed integration descriptions.

Phishing Pack v1.8.0#

Playbooks#

Process Email - Generic#

The task that updates the incident layout with email headers will not stop on errors.

Process Email - Core#

The task that updates the incident layout with email headers will not stop on errors.


Prisma Access Pack v1.0.3#

Integrations#

Prisma Access Egress IP feed#

Added the Tags parameter.


Prisma Cloud Pack v1.2.3#

Integrations#

Prisma Cloud (RedLock)#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)

Playbooks#

Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS CloudTrail Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP Compute Engine Instance Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP VPC Network Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS IAM Policy Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS CloudTrail Is Not Integrated With CloudWatch Logs#

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP Compute Engine Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration#

Handled dependencies for the playbook.

Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration#

Handled dependencies for the playbook.


Red Canary Pack v1.0.3#

Integrations#

Red Canary#

Fixed an issue where the same detection was fetched multiple times.


RiskSense Pack v1.0.2#

Integrations#

RiskSense#

Improved error messages.


SANS Pack v1.1.0#

Playbooks#

Brute Force Investigation - Generic - SANS#

Now verifies that the Active Directory Query v2 integration is enabled before using it.


SafeBreach - Breach and Attack Simulation platform Pack v1.0.4#

Integrations#

SafeBreach v2#

Added the Tags parameter.

Layouts#

Playbooks#

New: SafeBreach - Create Incidents per Insight and Associate Indicators#

This is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed".

New: SafeBreach - Process Non-Behavioral Insights Feed#

Automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated.

New: SafeBreach - Rerun Single Insight#

This is an auxiliary sub-playbook that reruns a single insight using a specified Insight Id as an input. It is used to loop over insights as part of the main rerun playbook - "SafeBreach Rerun Insights".

New: SafeBreach - Rerun Insights#

Reruns a SafeBreach insight based on Insight ID and waits until it completes.

New: SafeBreach - Compare and Validate Insight Indicators#

Compares Insight indicators before and after being processed. It receives an Insight and its indicators before validation, fetches updated indicators after rerunning the Insight, and then compares the results to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status and the appropriate field (SafeBreach Remediation Status) is updated.

Scripts#

JoinListsOfDicts#

Joins two lists of dictionaries by a key. If the key name differs between the two lists, specify both key (for the left list) and rightkey (for the right list).

ListGroupBy#

Groups an output field from a list using multiple keys.
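To make the behaviour described for the two scripts above concrete, here is an added Python illustration of joining two lists of dictionaries on differently named keys and then grouping the result by several fields. It is example code written for this page, not the JoinListsOfDicts or ListGroupBy scripts themselves; the join semantics (an inner join, left values winning on field-name clashes), the function names and the sample SafeBreach-style insight and indicator records are all assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Any, Dict, Hashable, List, Optional, Tuple

Row = Dict[str, Any]


def join_lists_of_dicts(left: List[Row], right: List[Row], key: str,
                        rightkey: Optional[str] = None) -> List[Row]:
    """Inner-join two lists of dicts on a key (assumed semantics, not the script's).

    `key` names the join field in the left list; `rightkey` names it in the
    right list and defaults to `key`. Rows lacking the join field are skipped.
    When both sides carry the same field name, the left value is kept.
    """
    rightkey = rightkey or key
    # Index the right list once so the join is O(len(left) + len(right)).
    index: Dict[Hashable, List[Row]] = defaultdict(list)
    for r in right:
        if rightkey in r:
            index[r[rightkey]].append(r)
    joined: List[Row] = []
    for l in left:
        if key not in l:
            continue
        for r in index.get(l[key], []):
            merged = dict(r)
            merged.update(l)  # left-hand fields take precedence
            joined.append(merged)
    return joined


def list_group_by(items: List[Row], keys: List[str]) -> Dict[Tuple[Any, ...], List[Row]]:
    """Group rows by the tuple of values found under `keys` (missing -> None)."""
    groups: Dict[Tuple[Any, ...], List[Row]] = defaultdict(list)
    for item in items:
        groups[tuple(item.get(k) for k in keys)].append(item)
    return dict(groups)


# Constructed sample data: insights (left) and their indicators (right).
# The insight ID is called "insightId" on one side and "id" on the other,
# which is exactly the case the key / rightkey pair exists for.
INSIGHTS: List[Row] = [
    {"insightId": 1, "name": "Outbound connection to malicious IP"},
    {"insightId": 2, "name": "Malicious file download"},
    {"insightId": 3, "name": "Insight with no indicators"},
]
INDICATORS: List[Row] = [
    {"id": 1, "type": "IP", "value": "203.0.113.5", "status": "Remediated"},
    {"id": 1, "type": "IP", "value": "198.51.100.7", "status": "Not Remediated"},
    {"id": 2, "type": "File", "value": "<sha256 placeholder>", "status": "Remediated"},
]


def remediation_summary() -> Dict[Tuple[Any, ...], int]:
    """Join insights to indicators, then count indicators per (type, status)."""
    joined = join_lists_of_dicts(INSIGHTS, INDICATORS, key="insightId", rightkey="id")
    grouped = list_group_by(joined, ["type", "status"])
    return {k: len(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for row in join_lists_of_dicts(INSIGHTS, INDICATORS, "insightId", "id"):
        print(row)
    print(remediation_summary())
```

Insight 3 has no matching indicators and therefore produces no joined row, which is the usual inner-join behaviour; a playbook that must still report insights without indicators would need a left join instead, so check which semantics the script you actually use implements before relying on the row count.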


Securonix Pack v1.1.2#

Integrations#

Securonix#

The Test button now tests the fetch incidents flow.


ServiceNow Pack v1.1.7#

Integrations#

ServiceNow v2#

Added the input_display_value argument to the following commands:

  • servicenow-update-ticket
  • servicenow-update-record
  • servicenow-create-ticket
  • servicenow-create-record

Slack Pack v1.3.4#

Integrations#

Slack v2#

Removed unnecessary 'pass' statements.

Playbooks#

Slack - General Failed Logins v2.1#

Added a task that checks whether the Active Directory Query v2 integration is enabled before expiring a user's password.


Smokescreen IllusionBLACK Pack v1.0.4#

Integrations#

Smokescreen IllusionBLACK#

Added default classifiers and mappers.


SplunkPy Pack v1.1.0#

Integrations#

SplunkPy#

Added default classifiers and mappers.


Thinkst Canary Pack v1.0.1#

Integrations#

Thinkst Canary#

Fixed an issue where incidents were repeatedly fetched.


ThreatConnect Pack v2.0.2#

Integrations#

ThreatConnect v2#

Fixed an issue where the tc-group-associate-indicator command failed to associate URL indicators.


Tufin Pack v1.1.0#

Integrations#

Tufin#

Minor updates.

Playbooks#

New: Tufin - Enrich IP Address(es)#

Added a playbook that enriches a single IP address or multiple IP addresses.

New: Tufin - Get Network Device Info by IP Address#

Added a playbook that gets network device information by IP address.

New: Tufin - Investigate Network Alert#

Added a playbook that investigates a network alert.

New: Tufin - Get Application Information from SecureApp#

Added a playbook that gets application information from SecureApp.

New: Tufin - Enrich Source & Destination IP Information#

Added a playbook that enriches source and destination IP address information.


Unit42 Feed Pack v1.0.1#

Integrations#

Unit42 Feed#

Fixed an issue where the Feed Related Indicators indicator field was not populated.


Whois Pack v1.1.2#

Integrations#

Whois#

Fixed an issue where arguments of type array were not processed correctly.


Zimperium Pack v1.0.3#

Integrations#

Zimperium#

Added default classifiers and mappers. (Available from Cortex XSOAR 6.0)


Assets#