Cortex XSOAR Content Release Notes for version 20.8.1 (88914)

Published on 16 August 2020

Welcome to the 20.8.1 Content Release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based on Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Pack format, in which there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration, or provide a clear set of functionality. Our new release notes are structured around Content Packs and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.

For Cortex XSOAR version 5.5 and earlier, you can still install content updates directly in the platform.


New: CyberArk Pack v1.0.0

Integrations

CyberArk PAS

Use the CyberArk Privileged Access Security (PAS) solution to manage users, safes, vaults, and accounts from Cortex XSOAR.


New: Druva Ransomware Response Pack v1.0.0

Integrations

Druva Ransomware Response

Druva Ransomware Response Integration provides ransomware protection for endpoints, SaaS applications, and data center workloads for Druva Ransomware Recovery customers.


New: Infinipoint Pack v1.0.0

Classifiers

Infinipoint - Classifier

Classifies Infinipoint incidents.

Infinipoint - Incoming Mapper

Maps Infinipoint incident fields.

IncidentFields

  • Infinipoint hostname
  • Infinipoint policyID
  • Infinipoint policyName

IncidentTypes

  • Infinipoint Compliant
  • Infinipoint NotCompliant

Integrations

Infinipoint

Use the Infinipoint integration to retrieve security and policy non-compliance events, vulnerabilities, or incidents. Investigate and respond to events in real time.

Layouts

  • Infinipoint Compliant - Summary
  • Infinipoint NotCompliant - Summary

New: Mail Listener Pack v1.0.0

Integrations

Mail Listener v2

Listens to a mailbox and enables incident triggering via email. We recommend using this integration instead of the built-in Mail Listener integration.


AWS - AccessAnalyzer (beta) Pack v1.0.1

Integrations

AWS - AccessAnalyzer (beta)

Adds fetch capability.


AWS Feed Pack v1.0.4

Integrations

AWS Feed

Set the feed to fetch indicators by default upon creating an instance.


Active Directory Query Pack v1.0.4

Integrations

Active Directory Query v2

Fixed an issue where the ad-get-user command caused performance issues because the limit argument was not defined.


AlienVault Feed Pack v1.0.4

Integrations

AlienVault Reputation Feed
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.
AlienVault OTX TAXII Feed

Added clarification regarding the Timeout error.


ArcSight ESM Pack v1.0.5

Integrations

ArcSight ESM v2
  • Fixed an issue where a long eventId was not processed correctly in the as-get-security-events command.
  • Fixed an issue where the entry_filter argument in the as-get-entries command was not working with multiple filters.

AutoFocus Pack v1.1.2

Integrations

AutoFocus Feed

Set the feed to fetch indicators by default upon creating an instance.

AutoFocus Daily Feed

Set the feed to fetch indicators by default upon creating an instance.


Bambenek Consulting Feed Pack v1.0.2

Integrations

Bambenek Consulting Feed

Set the feed to fetch indicators by default upon creating an instance.


Base Pack v1.1.12

Scripts

CommonServerPython
  • Added the error_handler argument to BaseClient's http_request method. This argument receives the HTTP response in case of an error and handles the error itself, bypassing the client's default error handling.
  • Fixed an issue in which an improper context DT key was generated when only outputs_prefix was provided to the CommandResults object.
  • Added mirroring functionality as part of the common code.
SaneDocReports
  • Updated the sane-doc-reports Docker image.
  • Fixed a typo in the duration minutes label.

BigFix Pack v1.0.2

Integrations

BigFix

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


CSV Feed Pack v1.0.3

Integrations

CSV Feed

Set the feed to fetch indicators by default upon creating an instance.


Code42 Pack v2.0.2

Integrations

Code42
  • Fixed an issue caused by an incorrect docker image version.
  • Improved documentation and descriptions.

Cofense Feed Pack v1.0.5

Integrations

Cofense Feed

Set the feed to fetch indicators by default upon creating an instance.


Common Types Pack v1.8.0

Indicator Fields

STIX Indicator Fields

Added the following Structured Threat Information eXpression (STIX) indicator fields:

  • STIX Aliases
  • STIX Description
  • STIX Goals
  • STIX ID
  • STIX Is Malware Family
  • STIX Kill Chain Phases
  • STIX Malware Types
  • STIX Primary Motivation
  • STIX Resource Level
  • STIX Roles
  • STIX Secondary Motivations
  • STIX Sophistication
  • STIX Threat Actor Types
  • STIX Tool Types
  • STIX Tool Version

Indicator Types

STIX Indicator Types

Added the following Structured Threat Information eXpression (STIX) indicator types:

  • STIX Attack Pattern - A type of Tactics, Techniques, and Procedures (TTP) that describes ways that adversaries attempt to compromise targets.
  • STIX Malware - A type of TTP that represents malicious code.
  • STIX Report - Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
  • STIX Threat Actor - Actual individuals, groups, or organizations believed to be operating with malicious intent.
  • STIX Tool - Legitimate software that can be used by threat actors to perform attacks.

Layouts

STIX Layouts

Added the following Structured Threat Information eXpression (STIX) layouts: Attack Pattern, Malware, Report, Threat Actor, Tool.


Common Scripts Pack v1.2.32

Scripts

ParseEmailFiles

Fixed an issue where some attachments were not correctly recognized.

SearchIncidentsV2

Fixed the query argument so that it no longer accepts an array as input.

UnzipFile

Improved support for .rar files.

FailedInstances

Added several items to the context:

  • The number of enabled instances.
  • The number of failed instances.
  • The number of working instances.
  • The status of each instance. This introduces breaking changes for 6.0 and above.

The script tests all available integration instances and returns detailed information about successful and failed integration instances.

New: jmespath

This is a transformer script that performs a JMESPath search on an input JSON format.

New: ModifyDateTime

Added a new transformer script that takes a date or time and applies a variation in human-readable format, such as "in 1 day" or "3 weeks ago".

New: FeedRelatedIndicatorsWidget

New widget script for the FeedRelatedIndicators section in the indicator layouts. It displays the relationships between an indicator entity, such as malware, and other indicators, such as MITRE ATT&CK indicators, and links to those indicators where relevant. The script was added to the indicator layout using the Dynamic section.


Cortex Data Lake Pack v1.2.1

Integrations

Cortex Data Lake

  • Added the url argument to the cdl-query-url-logs command.
  • Updated the SQL query that is sent to the API.
  • Added the following field arguments and outputs to search for the device source and destination hostname in the cdl-query-traffic-logs, cdl-query-threat-logs, and cdl-query-url-logs commands:
    • source_device_host
    • dest_device_host

CrowdStrike Falcon Streaming Pack v1.0.4

Integrations

CrowdStrike Falcon Streaming v2
  • Added a default classifier and incoming mapper.
  • Added the First fetch timestamp parameter.
  • Added mapping of event creation time to incident occurred time.

Darkfeed™ - Current Customer Edition Pack v1.1.3

Dashboards

Sixgill Darkfeed

Fixed an issue where the dashboard would be installed on non-marketplace XSOAR instances.

Integrations

Sixgill DarkFeed™ Threat Intelligence
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.

EWS Pack v1.2.1

Classifiers

EWSO365

Added default classification and mapping to the EWS O365 integration.

EWS - Incoming Mapper

This mapper can now be used with both the EWS v2 and the EWS O365 integrations.

EWS - Classifier

This classifier can now be used with both the EWS v2 and the EWS O365 integrations.

Integrations

EWS O365

Added a default mapper and classifier to the integration. Fixed an issue where byte attachments were parsed incorrectly.


Elasticsearch Pack v1.1.0

Integrations

Elasticsearch v2

Added the get-mapping-fields command.


Elasticsearch Feed Pack v1.0.5

Integrations

Elasticsearch Feed

Set the feed to fetch indicators by default upon creating an instance.


GCP Whitelist Feed Pack v1.0.1

Integrations

GCP Whitelist Feed

Added the Tags parameter.


GenericSQL Pack v1.0.6

Integrations

Generic SQL

Updated the integration description.


Gmail Pack v1.0.4

Integrations

Gmail
  • Fixed an issue regarding the MIMEText mail sender, where HTML emails were sent as attachments, causing them not to display correctly.
  • Fixed an issue where the send-email command sends emails with both the textual body and HTML body.

Google Safe Browsing Pack v1.0.1

Integrations

Google Safe Browsing

Fixed an issue where the url command did not return a DBot score of 0 when no results were found.


IBM Resilient Systems Pack v1.0.3

Integrations

IBM Resilient Systems
  • Added an option to authenticate using your API key ID and API key secret.
  • Updated the exceptions syntax to be compatible with both Python 2 and Python 3.

Ipstack Pack v1.0.1

Integrations

ipstack

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


JSON Feed Pack v1.0.2

Integrations

JSON Feed

Improved the parameter description.


MITRE ATT&CK Pack v1.1.1

Integrations

MITRE ATT&CK Feed
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.

Scripts

MITREIndicatorsByOpenIncidents
  • Fixed the issue with the "MITRE ATT&CK Techniques by open incidents" section not loading when the phase name is empty.
  • Removed the Demisto REST API as a dependency for the script.

Machine Learning Pack v1.1.1

Scripts

EvaluateMLModllAtProduction

Bumped the docker image version.


Mail Sender (New) Pack v1.0.1

Integrations

Mail Sender (New)

Changed the default value and detailed description for the Sender parameter.


McAfee Advanced Threat Defense Pack v1.0.1

Integrations

McAfee Advanced Threat Defense

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


McAfee ESM v10 and v11 Pack v1.0.2

Integrations

McAfee ESM v10 and v11
  • Fixed an issue where a missing statusId caused an error in the following commands:
    • esm-get-case-list
    • esm-edit-case
    • esm-add-case
    • esm-get-case-detail
  • Fixed an issue where the esm-edit-case command resulted in an error caused by the notes and history values of the case.

Microsoft Graph Mail Pack v1.0.5

Integrations

Microsoft Graph Mail
  • Fixed the human-readable output of the list-emails command in cases where no emails were found.
  • Changed the number of emails returned by the list-emails command to match the value specified for the pages_to_pull argument.
  • Fixed an issue where the same emails were repeatedly returned when the value of the pages_to_pull argument was greater than 2.

Microsoft Graph User Pack v1.1.0

Integrations

Microsoft Graph User

Added the msgraph-user-change-password command. Please note that the Directory.AccessAsUser.All permission is required.


Mimecast Pack v1.1.1

Integrations

Mimecast v2

Fixed error handling in the mimecast-download-attachments command.


Office 365 Feed Pack v1.1.4

Integrations

Office 365 Feed

Set the feed to fetch indicators by default upon creating an instance.


PANW Comprehensive Investigation Pack v1.3.0

Playbooks

New: Palo Alto Networks - Hunting And Threat Detection

This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks.


PCAP Analysis Pack v2.3.1

Playbooks

PCAP Analysis

Fixed the sub-playbook input.

PCAP File Carving

Fixed the sub-playbook input.

PCAP Parsing And Indicator Enrichment

Changed task order.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.2

Scripts

XDRSyncScript

Changed the default value of the assigned_user_mail argument to xdrassigneduseremail.


Phishing Pack v1.9.0

Playbooks

Process Email - Generic

Added tasks that save email attachment information in the Phishing incident layout.

Process Email - Core

Added tasks that save email attachment information in the Phishing incident layout.


Proofpoint Feed Pack v1.0.2

Integrations

Proofpoint Feed

Set the feed to fetch indicators by default upon creating an instance.


Proofpoint Protection Server Pack v1.0.3

Integrations

Proofpoint Protection Server (Beta)

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


RSA Archer Pack v1.1.0

Integrations

New: RSA Archer v2

The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments, and deficiencies across lines of business.

Scripts

New: ArcherCreateIncidentExample

This is an example script showing how to create an incident in Archer. The script generates the create-incident data in JSON format and executes the archer-create-record command.


RTIR Pack v1.0.4

Integrations

RTIR

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Rasterize Pack v1.0.4

Integrations

Rasterize

Fixed the entry return type for the rasterize-image command.


Recorded Future Pack v1.0.2

Integrations

Recorded Future

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Recorded Future Feed Pack v1.0.3

Integrations

Recorded Future RiskList Feed

Set the feed to fetch indicators by default upon creating an instance.


SafeBreach - Breach and Attack Simulation platform Pack v1.0.5

Integrations

SafeBreach v2

Set the feed to fetch indicators by default upon creating an instance.


SplunkPy Pack v1.1.1

Integrations

SplunkPy
  • Set the default value for Use Splunk Clock Time For Fetch to True.
  • Fixed an issue where the connection parameter app had no default value.

Stealthwatch Cloud Pack v1.0.2

Integrations

Stealthwatch Cloud

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Symantec Endpoint Protection Pack v1.0.1

Integrations

Symantec Endpoint Protection v2

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


TAXII Feed Pack v1.0.3

Integrations

TAXII 2 Feed

Improved the parameter description.


ThreatConnect Pack v2.0.4

Integrations

ThreatConnect v2
  • Replaced the ProxyIP and ProxyPort configuration parameters with the standard System Proxy configuration parameter. If you already configured the ProxyIP and ProxyPort parameters, reconfigure the instance to use the System Proxy parameter instead.
  • Added the tc-download-report command to download group reports in PDF.

ThreatMiner Pack v1.0.2

Integrations

ThreatMiner

Updated the exceptions syntax to be compatible with both Python 2 and Python 3.


Tor Exit Addresses Feed Pack v1.0.1

Integrations

Tor Exit Addresses Feed

Improved the parameter description.


Unit42 Feed Pack v1.0.3

Integrations

Unit42 Feed
  • Improved the parameter description.
  • Set the feed to fetch indicators by default upon creating an instance.

VirusTotal - Private API Pack v1.0.2

Integrations

VirusTotal - Private API

Fixed an issue where a possibly malicious URL was returned in a clickable format.


Zimperium Pack v1.0.4

Classifiers

Zimperium - Classifier

Fixed the classifier name to resolve a pack dependency warning.


Zscaler Pack v1.0.3

Integrations

Zscaler

Added urlClassificationsWithSecurityAlert to the url command context.


abuse.ch SSL Blacklist Feed Pack v1.0.2

Integrations

abuse.ch SSL Blacklist Feed
  • Added the Tags parameter.
  • Set the feed to fetch indicators by default upon creating an instance.
