Skip to main content

Cortex XSOAR Content Release Notes for version 20.9.0 (98126)#

This content release includes new content packs and updates to existing content packs.

Published on 1 September 2020#

New Content Packs#


New: Email Communication Pack v1.2.0#

Do you have to send multiple emails to end users? This content pack helps you streamline the process and automate updates, notifications and more.

IncidentFields#

  • Add CC To Email

IncidentTypes#

  • Email Communication

Scripts#

PreprocessEmail#

Preprocessing script for email communication layout. This script checks if the incoming email contains an Incident ID to link the mail to an existing incident, and tags the email as "email-thread".

For more information about the preprocessing rules, refer to: https://demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing

SendEmailReply#

Sends email massages with the configured mail sender integration.


New: Genians Pack v1.0.0 (Partner Supported)#

Integrations#

Genians#

Use the Genians integration to block IP addresses using the assign tag and unassign tag.


New: McAfee ESM Pack v1.0.0#

Integrations#

McAfee ESM v2#

Run queries and receive alarms from McAfee ESM. The integration supports McAfee version 10 and above.


New: Microsoft Advanced Threat Analytics Pack v1.0.0#

Classifiers#

Microsoft Advanced Threat Analytics - Classification#

Classifies Microsoft Advanced Threat Analytics suspicious activities.

Microsoft Advanced Threat Analytics#
Microsoft Advanced Threat Analytics - Incoming Mapper#

Maps Microsoft Advanced Threat Analytics suspicious activity fields.

IncidentFields#

  • Suspicious Activity End Time
  • Suspicious Activity ID
  • Suspicious Activity Severity
  • Suspicious Activity Start Time
  • Suspicious Activity Status

IncidentTypes#

  • Microsoft ATA Suspicious Activity

Integrations#

Microsoft Advanced Threat Analytics#

Use Microsoft Advanced Threat Analytics integration to manage suspicious activities, and monitor alerts and entities.


New: NTT Cyber Threat Sensor Pack v1.0.0 (Partner Supported)#

Classifiers#

NTT Cyber Threat Sensor - Classifier#

Classifies NTT Cyber Threat Sensor incidents.

NTT Cyber Threat Sensor#
NTT Cyber Threat Sensor - Incoming Mapper#

Maps incoming NTT Cyber Threat Sensor fields.

IncidentFields#

  • FAERE Description
  • Graph Plot

IncidentTypes#

  • TD Incident

Integrations#

NTT Cyber Threat Sensor#

Retrieves alerts and recommendations from NTT CTS.

Playbooks#

Handle TD events#

Enriches TD events


New: PiHole Pack v1.0.0 (Community Supported)#

Integrations#

PiHole#

Pi-hole is a network-level advertisement and Internet tracker blocking application that acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.


New: QueryAI Pack v1.0.0 (Partner Supported)#

Integrations#

Query.AI#

Query.AI is a decentralized data access and analysis technology that simplifies security investigations across disparate platforms without data duplication.

Updated Content Packs#


Access Investigation Pack v1.2.2#

Layouts#

layout-edit-Access.json#

Set the default incident type for the layout

layout-details-Access.json#

Set the default incident type for the layout


Base Pack v1.1.17#

Scripts#

WordTokenizerNLP#

Updated the script Docker image to the latest version.

CommonServerPython#
  • Added the following code objects, which simplifies creating widgets.
    • TextWidget
    • TrendWidget
    • NumberWidget
    • BarColumnPieWidget
    • LineWidget
    • TableOrListWidget
  • Fixed an issue with the mirroring mapper scheme.
  • Fixed an issue in the return_outputs function where the content type was incorrect.
SaneDocReports#

Fixed an issue with the table readable headers.


CheckPhish Pack v1.0.1#

Integrations#

CheckPhish#
  • Updated the default API URL.
  • Adjusted the error handling to use the new API format.

Cisco AMP Pack v1.0.1#

Integrations#

Cisco AMP#

Fixed an issue that caused the amp_move_computer to fail.


Cisco Umbrella Investigate Pack v1.0.1#

Integrations#

Cisco Umbrella Investigate#

Fixed an issue where the umbrella-ip-dns-history command failed when no IP results were found.


Code42 Pack v2.0.3 (Partner Supported)#

Integrations#

Code42#

Fixed a bug where File Category would not map correctly when creating incidents from Code42 alerts.


Cofense Triage Pack v1.1.4 (Partner Supported)#

Integrations#

Cofense Triage v2#

Fixed an issue in the cofense-get-attachment command.


Common Playbooks Pack v1.7.1#

Playbooks#

Extract Indicators From File - Generic v2#

Added support for UTF-8 Unicode text files.


Common Scripts Pack v1.2.34#

Scripts#

WhereFieldEquals#

Fixed an issue where WhereFieldEquals returned a string instead of a list.

FeedRelatedIndicatorsWidget#

Fixed an issue where the indicator link value was incorrect.


Common Types Pack v1.8.8#

Layouts#

  • File Indicator
  • layout-edit-Vulnerability.json
  • layout-details-Vulnerability.json

CrowdStrike Falcon Streaming Pack v1.0.7#

Integrations#

CrowdStrike Falcon Streaming v2#
  • Improved error handling of unsupported media types.
  • Improved handling when the stream response client is not completed.
  • Maintenance and stability enhancements.

CyberArk Pack v1.0.2#

Integrations#

CyberArk PAS#
  • Added documentation for the integration.
  • Updated the the cyberark-pas-credentials-verify command to use the new API.
  • Added the cyberark-pas-account-get-details command.

DUO Admin Pack v2.0.1#

Integrations#

DUO Admin#

Updated the integration Docker image to the latest version.


Endace Pack v1.1.0 (Partner Supported)#

Integrations#

Endace#
  • Added support for directionless IP and port search.
  • Improved error handling messages.
  • The hostname parameter is now mandatory.

Playbooks#

Endace Search Archive and Download#

This playbook is deprecated. Use the Endace Search Archive Download PCAP v2 playbook instead.

Deprecated: Endace Search Archive Download PCAP#

This playbook is deprecated. Use the Endace Search Archive Download PCAP v2 instead.

Endace Search Archive Download PCAP v2#
  • Added support for directionless IP and port search, user friendly timeframe values.
  • Updated the playbook input and output variables and their definitions.

Expanse Pack v1.1.1 (Partner Supported)#

Integrations#

Expanse#

Updated the version number in the user-agent header.


GDPR Pack v1.0.5#

Layouts#

  • layout-edit-GDPR_Data_Breach.json
  • layout-details-GDPR_Data_Breach.json

GitHub Pack v1.1.1#

Integrations#

GitHub#

Improved error handling of parameter errors.


Gmail Pack v1.0.5#

Integrations#

Gmail#

Removed the event argument from the gmail-list-users command. If you currently use this argument it will be ignored when executing the command. If you do not install this upgrade, the following integration components will fail:

  • Test button
  • gmail-list-users command
  • gmail-search-all-mailboxes command

IBM QRadar Pack v1.0.8#

Integrations#

IBM QRadar#

Added a parameter that enables you to specify the number of addresses to enrich per API call.


IronDefense Pack v1.1.1 (Partner Supported)#

Classifiers#

IronDefense#

Added a new classifier.

IronDefense - Incoming Mapper#

Added a new incoming mapper.

IronDefense - Classifier#

Added a new classifier.

Integrations#

IronDefense#
  • Added the ability to retrieve IronDefense alerts and events.
  • Improved integration descriptions.

Layouts#

  • layout-details-IronDefense_IronDome_Notification.json
  • layout-details-IronDefense_Event_Notification.json
  • layout-details-IronDefense_Alert_Notification.json

Malware Pack v1.2.3#

Layouts#

  • layout-edit-Malware.json
  • layout-details-Malware.json

Malwarebytes Pack v1.0.2 (Partner Supported)#

Integrations#

Malwarebytes#

Added Code for Usage Analytics.


McAfee ESM v10 and v11 Pack v1.0.3#

Integrations#

Deprecated: McAfee ESM v10 and v11#

Use the McAfee ESM v2 integration instead.


Microsoft Graph User Pack v1.2.0#

Integrations#

Microsoft Graph User#

Fixed an issue where the next_page argument in the msgraph-user-list command did not work as expected.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.3.3#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#

Added a default classifier and mapper.


PassiveTotal Pack v1.0.1#

Integrations#

PassiveTotal#

Limited the number of related domains that display in the War Room for enrichment commands.


Phishing Pack v1.10.2#

Layouts#

layout-quickView-Phishing#

Set the default incident type for the layout.

layout-mobile-Phishing#

Set the default incident type for the layout.

Phishing Incident#

Set the default incident type for the layout.

layout-edit-Phishing#

Set the default incident type for the layout.


Proofpoint TAP Pack v1.1.0#

Integrations#

Proofpoint TAP v2#

Fixed an issue in the proofpoint-get-forensics command where the command failed when getting a threat by campaignId.


ServiceNow Pack v1.2.1#

Classifiers#

New: ServiceNow Classifier#

Classifies ServiceNow tickets.

New: ServiceNow - Outgoing Mapper#

Maps outgoing ServiceNow incident fields.

New: ServiceNow - Incoming Mapper#

Maps incoming ServiceNow incident fields.

Integrations#

ServiceNow v2#
  • Added the ability to mirror tickets between ServiceNow and Cortex XSOAR.
  • Removed unnecessary import.

Layouts#

ServiceNow Ticket


SplunkPy Pack v1.1.3#

Integrations#

SplunkPy#
  • Fixed an issue where the splunk-parse-raw command failed when the raw argument received input in JSON format.
  • Fixed an issue in which some incidents were not fetched.

Symantec Endpoint Protection Pack v1.0.2#

Integrations#

Symantec Endpoint Protection v2#

Fixed an issue in which the domain parameter was not parsed correctly.


Tanium Pack v1.0.2#

Integrations#

Tanium v2#

Added the completion-percantage argument to the following commands.

  • tn-get-saved-question-result
  • tn-get-question-result

ThreatConnect Pack v2.0.5#

Integrations#

ThreatConnect v2#

Fixed an issue where the DBotScore calculation did not work as expected.


Assets#