Cortex XSOAR Content Release Notes for version 20.8.1 (88914)#

Published on 16 August 2020#

Welcome to the 20.8.1 Content Release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based on Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Pack format, in which there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration, or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.

For Cortex XSOAR version 5.5 and earlier, you can still install content updates directly in the platform.#


New: CyberArk Pack v1.0.0#

Integrations#

CyberArk PAS#

Use the CyberArk Privileged Access Security (PAS) solution to manage users, safes, vaults, and accounts from Cortex XSOAR.


New: Druva Ransomware Response Pack v1.0.0#

Integrations#

Druva Ransomware Response#

Druva Ransomware Response Integration provides ransomware protection for endpoints, SaaS applications, and data center workloads for Druva Ransomware Recovery customers.


New: Infinipoint Pack v1.0.0#

Classifiers#

Infinipoint - Classifier#

Classifies Infinipoint incidents.

Infinipoint - Incoming Mapper#

Maps Infinipoint incident fields.

IncidentFields#

  • Infinipoint hostname
  • Infinipoint policyID
  • Infinipoint policyName

IncidentTypes#

  • Infinipoint Compliant
  • Infinipoint NotCompliant

Integrations#

Infinipoint#

Use the Infinipoint integration to retrieve security and policy incompliance events, vulnerabilities, or incidents. Investigate and respond to events in real-time.

Layouts#

  • Infinipoint Compliant - Summary
  • Infinipoint NotCompliant - Summary

New: Mail Listener Pack v1.0.0#

Integrations#

Mail Listener v2#

Listens to a mailbox and enables incident triggering via email. We recommend using this integration instead of the built-in Mail Listener integration.


AWS - AccessAnalyzer (beta) Pack v1.0.1#

Integrations#

AWS - AccessAnalyzer (beta)#

Adds fetch capability.


AWS Feed Pack v1.0.4#

Integrations#

AWS Feed#

Set the feed to fetch indicators by default upon creating an instance.


Active Directory Query Pack v1.0.4#

Integrations#

Active Directory Query v2#

Fixed an issue where the ad-get-user command caused performance issues because the limit argument was not defined.


AlienVault Feed Pack v1.0.4#

Integrations#

AlienVault Reputation Feed#
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.
AlienVault OTX TAXII Feed#

Added clarification regarding the Timeout error.


ArcSight ESM Pack v1.0.5#

Integrations#

ArcSight ESM v2#
  • Fixed an issue where a long eventId is not processed correctly in the as-get-security-events command.
  • Fixed an issue where the entry_filter argument in the as-get-entries command was not working with multiple filters.

AutoFocus Pack v1.1.2#

Integrations#

AutoFocus Feed#

Set the feed to fetch indicators by default upon creating an instance.

AutoFocus Daily Feed#

Set the feed to fetch indicators by default upon creating an instance.


Bambenek Consulting Feed Pack v1.0.2#

Integrations#

Bambenek Consulting Feed#

Set the feed to fetch indicators by default upon creating an instance.


Base Pack v1.1.12#

Scripts#

CommonServerPython#
  • Added the error_handler argument to BaseClient's http_request method. This argument retrieves the http request in case of an error and handles the error itself bypassing the client’s error handling.
  • Fixed an issue in which improper Context DT key was generated when only outputs_prefix was provided to the CommandResults object.
  • Added mirroring functionality as part of the common code.
SaneDocReports#
  • Updated the sane-doc-reports Docker image.
  • Fixed a typo in the duration minutes label.

BigFix Pack v1.0.2#

Integrations#

BigFix#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


CSV Feed Pack v1.0.3#

Integrations#

CSV Feed#

Set the feed to fetch indicators by default upon creating an instance.


Code42 Pack v2.0.2#

Integrations#

Code42#
  • Fixed an issue caused by an incorrect docker image version.
  • Improved documentation and descriptions.

Cofense Feed Pack v1.0.5#

Integrations#

Cofense Feed#

Set the feed to fetch indicators by default upon creating an instance.


Common Types Pack v1.8.0#

Indicator Fields#

STIX Indicator Fields#

Added the following Structured Threat Information eXpression (STIX) indicator fields:

  • STIX Aliases
  • STIX Description
  • STIX Goals
  • STIX ID
  • STIX Is Malware Family
  • STIX Kill Chain Phases
  • STIX Malware Types
  • STIX Primary Motivation
  • STIX Resource Level
  • STIX Roles
  • STIX Secondary Motivations
  • STIX Sophistication
  • STIX Threat Actor Types
  • STIX Tool Types
  • STIX Tool Version

Indicator Types#

STIX Indicator Types#

Added the following Structured Threat Information eXpression (STIX) indicator types:

  • STIX Attack Pattern - A type of Time-Triggered Protocol (TTP) that describes ways that adversaries attempt to compromise targets.
  • STIX Malware - A type of TTP that represents malicious code.
  • STIX Report - Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
  • STIX Threat Actor - Actual individuals, groups, or organizations believed to be operating with malicious intent.
  • STIX Tool - Legitimate software that can be used by threat actors to perform attacks.

Layouts#

STIX Layouts#

Added the following Structured Threat Information eXpression (STIX) layouts: Attack Pattern, Malware, Report, Threat Actor, Tool.


Common Scripts Pack v1.2.32#

Scripts#

ParseEmailFiles#

Fixed an issue where some attachments were not correctly recognized.

SearchIncidentsV2#

Fixed the query argument to not support an input as an array.

UnzipFile#

Improved support for .rar files.

FailedInstances#

Added several items to the context.

  • The number of enabled instances.
  • The number of failed instances.
  • The number of working instances.
  • The status of the instance. This introduces breaking changes for 6.0 and above.
  • Tests all integration instances available and returns detailed information about successful and failed integration instances.
New: jmespath#

This is a transformer script that performs a JMESPath search on an input JSON format.

New: ModifyDateTime#

Added a new transformer script that takes a date or time and applies a variation in human-readable format, such as "in 1 day" or "3 weeks ago".

New: FeedRelatedIndicatorsWidget#

New widget script for the FeedRelatedIndicators section in the indicators layouts. Contains information about the relationship between an indicator, entity, such as malware, and other indicators, such as a MITRE ATT&CK indicator, and connects to indicators, if relevant. Added the script to the indicator layout using the Dynamic section.


Cortex Data Lake Pack v1.2.1#

Integrations#

Cortex Data Lake#

Added url argument to the cdl-query-url-logs command.

  • Updated the SQL query which is sent to the API.
  • Added the following field arguments and outputs to search for the device source and destination hostname in the cdl-query-traffic-logs, cdl-query-threat-logs, and cdl-query-url-logs commands:
    • source_device_host
    • dest_device_host

CrowdStrike Falcon Streaming Pack v1.0.4#

Integrations#

CrowdStrike Falcon Streaming v2#
  • Added a default classifier and incoming mapper.
  • Added the First fetch timestamp parameter.
  • Added mapping of event creation time to incident occurred time.

Darkfeed™ - Current Customer Edition Pack v1.1.3#

Dashboards#

Sixgill Darkfeed#

Fixed an issue where the dashboard would be installed on non-marketplace XSOAR instances.

Integrations#

Sixgill DarkFeed™ Threat Intelligence#
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.

EWS Pack v1.2.1#

Classifiers#

EWSO365#

Added default classification and mapping to the EWS O365 integration.

EWS - Incoming Mapper#

This mapper can now be used with both the EWS v2 and the EWS O365 integrations.

EWS - Classifier#

This classifier can now be used with both the EWS v2 and the EWS O365 integrations.

Integrations#

EWS O365#

Added a default mapper and classifier to the integration. Fixed an issue where byte attachments were parsed incorrectly.


Elasticsearch Pack v1.1.0#

Integrations#

Elasticsearch v2#

Added the get-mapping-fields command.


Elasticsearch Feed Pack v1.0.5#

Integrations#

Elasticsearch Feed#

Set the feed to fetch indicators by default upon creating an instance.


GCP Whitelist Feed Pack v1.0.1#

Integrations#

GCP Whitelist Feed#

Added the Tags parameter.


GenericSQL Pack v1.0.6#

Integrations#

Generic SQL#

Updated the integration description.


Gmail Pack v1.0.4#

Integrations#

Gmail#
  • Fixed an issue regarding the MIMEText mail sender. HTML emails were sent as attachments causing them not to display correctly.
  • Fixed an issue where the send-email command sends emails with both the textual body and HTML body.

Google Safe Browsing Pack v1.0.1#

Integrations#

Google Safe Browsing#

Fixed an issue where the url command should return a Dbot score of 0 when no results are found.


IBM Resilient Systems Pack v1.0.3#

Integrations#

IBM Resilient Systems#
  • Added an option to authenticate using your API key ID and API key secret.
  • Updated the exceptions syntax to be compatible with both Python 2 and Python 3.

Ipstack Pack v1.0.1#

Integrations#

ipstack#

Updated the exceptions syntax to be compatible with both Python2 and Python 3.


JSON Feed Pack v1.0.2#

Integrations#

JSON Feed#

Improved the parameter description.


MITRE ATT&CK Pack v1.1.1#

Integrations#

MITRE ATT&CK Feed#
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.

Scripts#

MITREIndicatorsByOpenIncidents#
  • Fixed the issue with the "MITRE ATT&CK Techniques by open incidents" section not loading when the phase name is empty.
  • Removed the Demisto REST API as a dependency for the script.

Machine Learning Pack v1.1.1#

Scripts#

EvaluateMLModllAtProduction#

Bumped the docker image version.


Mail Sender (New) Pack v1.0.1#

Integrations#

Mail Sender (New)#

Changed the default value and detailed description for the Sender parameter.


McAfee Advanced Threat Defense Pack v1.0.1#

Integrations#

McAfee Advanced Threat Defense#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


McAfee ESM v10 and v11 Pack v1.0.2#

Integrations#

McAfee ESM v10 and v11#
  • Fixed an issue where a missing statusId caused an error in the following commands:
    • esm-get-case-list
    • esm-edit-case
    • esm-add-case
    • esm-get-case-detail
  • Fixed an issue where the esm-edit-case command resulted in an error caused by the notes and history values of the case.

Microsoft Graph Mail Pack v1.0.5#

Integrations#

Microsoft Graph Mail#
  • Fixed the human readable output of the list-emails command in cases where no emails were found.
  • Changed the number of emails returned by the list-emails command to match the value specified for the pages_to_pull argument.
  • Fixed an issue where the same emails were repeatedly returned when the value of the pages_to_pull argument was greater than 2.

Microsoft Graph User Pack v1.1.0#

Integrations#

Microsoft Graph User#

Added the msgraph-user-change-password command. Please note that the Directory.AccessAsUser.All permission is required.


Mimecast Pack v1.1.1#

Integrations#

Mimecast v2#

Fixed error handling in the mimecast-download-attachments command.


Office 365 Feed Pack v1.1.4#

Integrations#

Office 365 Feed#

Set the feed to fetch indicators by default upon creating an instance.


PANW Comprehensive Investigation Pack v1.3.0#

Playbooks#

New: Palo Alto Networks - Hunting And Threat Detection#

This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks.


PCAP Analysis Pack v2.3.1#

Playbooks#

PCAP Analysis#

Fixed sub playbook input.

PCAP File Carving#

Fixed sub playbook input.

PCAP Parsing And Indicator Enrichment#

Changed task order.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.2#

Scripts#

XDRSyncScript#

Changed the default value of the assigned_user_mail argument to xdrassigneduseremail.


Phishing Pack v1.9.0#

Playbooks#

Process Email - Generic#

Added tasks that save email attachment information in the Phishing incident layout.

Process Email - Core#

Added tasks that save email attachment information in the Phishing incident layout.


Proofpoint Feed Pack v1.0.2#

Integrations#

Proofpoint Feed#

Set the feed to fetch indicators by default upon creating an instance.


Proofpoint Protection Server Pack v1.0.3#

Integrations#

Proofpoint Protection Server (Beta)#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


RSA Archer Pack v1.1.0#

Integrations#

New: RSA Archer v2#

The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments, and deficiencies across lines of business.

Scripts#

New: ArcherCreateIncidentExample#

This script is an example script of how to create an incident in Archer. The script generates the create incident data in JSON format and executes the archer-create-record command.


RTIR Pack v1.0.4#

Integrations#

RTIR#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Rasterize Pack v1.0.4#

Integrations#

Rasterize#

Fixed the entry return type for the rasterize-image command.


Recorded Future Pack v1.0.2#

Integrations#

Recorded Future#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Recorded Future Feed Pack v1.0.3#

Integrations#

Recorded Future RiskList Feed#

Set the feed to fetch indicators by default upon creating an instance.


SafeBreach - Breach and Attack Simulation platform Pack v1.0.5#

Integrations#

SafeBreach v2#

Set the feed to fetch indicators by default upon creating an instance.


SplunkPy Pack v1.1.1#

Integrations#

SplunkPy#
  • Set the default value for Use Splunk Clock Time For Fetch to True.
  • Fixed an issue where the connection parameter app had no default value.

Stealthwatch Cloud Pack v1.0.2#

Integrations#

Stealthwatch Cloud#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Symantec Endpoint Protection Pack v1.0.1#

Integrations#

Symantec Endpoint Protection v2#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


TAXII Feed Pack v1.0.3#

Integrations#

TAXII 2 Feed#

Improved the parameter description.


ThreatConnect Pack v2.0.4#

Integrations#

ThreatConnect v2#
  • Replaced the ProxyIP and ProxyPort configuration parameters with the standard System Proxy configuration parameter. If you already configured the ProxyIP and ProxyPort parameters, make sure to switch to (reconfigure) using the System Proxy parameter.
  • Added the tc-download-report command to download group reports in PDF.

ThreatMiner Pack v1.0.2#

Integrations#

ThreatMiner#

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Tor Exit Addresses Feed Pack v1.0.1#

Integrations#

Tor Exit Addresses Feed#

Improved the parameter description.


Unit42 Feed Pack v1.0.3#

Integrations#

Unit42 Feed#
  • Improved the parameter description.
  • Set the feed to fetch indicators by default upon creating an instance.

VirusTotal - Private API Pack v1.0.2#

Integrations#

VirusTotal - Private API#

Fixed an issue where the possible malicious URL was returned in a clickable format.


Zimperium Pack v1.0.4#

Classifiers#

Zimperium - Classifier#

Fixed the classifier name to handle pack dependency warning.


Zscaler Pack v1.0.3#

Integrations#

Zscaler#

Added urlClassificationsWithSecurityAlert to the url command context.


abuse.ch SSL Blacklist Feed Pack v1.0.2#

Integrations#

abuse.ch SSL Blacklist Feed#
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.

Assets#