Cortex XSOAR Content Release Notes for version 21.10.0 (8038987)

Published on 12 October 2021#

Breaking Changes#

The following pack includes breaking changes: Azure Sentinel Pack v1.1.1

New: Cohesity Helios Pack v1.0.0 (Partner Supported)#

Classifiers#

CohesityHelios Incident Classifier#
Cohesity Helios Incoming mapper#

Incident Fields#

  • Cohesity Helios Alert Cause
  • Cohesity Helios Alert Description
  • Cohesity Helios Anomalous Object Name
  • Cohesity Helios Cluster Id
  • Cohesity Helios Cluster Name
  • Cohesity Helios Object Environment
  • Cohesity Helios Anomaly Strength

Incident Types#

Cohesity Helios Ransomware Incident

Integrations#

CohesityHelios#

Integrates with Cohesity Helios services to fetch alerts and take remedial action.

Layouts#

Cohesity Helios Ransomware Incident Layout (Available from Cortex XSOAR 6.0.0).


New: F5 LTM Pack v1.0.0 (Community Contributed)#

Integrations#

F5 LTM#

Manages F5 LTM


New: FileOrbis Pack v1.0.0 (Partner Supported)#

Integrations#

FileOrbis#

Manages FileOrbis operations.


New: FlashpointFeed Pack v1.0.0 (Partner Supported)#

Indicator Fields#

FlashpointFeed Attribute ID#

Unique Flashpoint ID used to identify an attribute.

FlashpointFeed Attribute UUID#

The UUID field represents the Universally Unique Identifier (UUID) [RFC4122] of the object.

FlashpointFeed Category#

Category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of predefined attribute categories.

FlashpointFeed Event Creator Email#

This field represents the email address of the event creator.

FlashpointFeed Event Href#

URL reference of the event.

FlashpointFeed Event Information#

Information about the event.

FlashpointFeed Event UUID#

The Universally Unique Identifier of the event object.

FlashpointFeed Indicator Type#

The type field represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of predefined attribute types.

FlashpointFeed Malware Description#

Malware description for the attribute.

FlashpointFeed Report#

URL of the intelligence report generated by Flashpoint.

FlashpointFeed Timestamp#

Reference to when attribute was created.

Indicator Types#

Packs/FlashpointFeed/IndicatorTypes/reputation-Flashpoint_Indicator.json

Integrations#

Flashpoint Feed#

Allows importing indicators of compromise that occur in the context of an event on the Flashpoint platform. The platform covers finished intelligence reports, data from illicit forums, marketplaces, chat services, blogs, paste sites, technical data, card shops, and vulnerabilities. The indicators of compromise are ingested as indicators in Cortex XSOAR and can be displayed in the War Room using a command.

Layouts#

Flashpoint Indicator (Available from Cortex XSOAR 6.0.0).


New: KELA RaDark Pack v1.0.0 (Partner Supported)#

Classifiers#

RaDark - Incoming Mapper#

Map incident data to RaDark incident fields.

Incident Fields#

  • KELA RaDark Details
  • KELA RaDark Sub Type
  • KELA RaDark Table Agressor
  • KELA RaDark Table Botnets
  • KELA RaDark Table Leaked Credentials From Citadel
  • KELA RaDark Table Leaked Credentials From Dump
  • KELA RaDark Table Leaked Credentials From Hacking Discussions
  • KELA RaDark Table Leaked Credentials From Instant Messaging
  • KELA RaDark Table Russian Market
  • KELA RaDark Incident URL
  • KELA RaDark Monitor ID

Incident Types#

RaDark

Integrations#

RaDark#

Enables you to fetch incidents and manage your RaDark monitor from Cortex XSOAR.

Layouts#

RaDark Layout (Available from Cortex XSOAR 6.0.0).

Playbooks#

Get RaDark Detailed Items#

Enriches RaDark incidents with detailed items.

Scripts#

MapRaDarkIncidentDetails#

Maps details to a RaDark incident.


New: PhishER Pack v1.0.0 (Partner Supported)#

Classifiers#

PhishER-mapper#

Incident Fields#

  • PhishER ML Report - The PhishML report associated with this message.
  • PhishER Action Status - Action status
  • PhishER Attachments - A collection of attachments associated with this message.
  • PhishER Category - The message's category
  • PhishER Comments - The message's comments
  • PhishER Created - Creation time of the message
  • PhishER Email From - Sender's email.
  • PhishER ID - Unique identifier for the message.
  • PhishER Links - A collection of links that were found in the message.
  • PhishER Pipeline Status - Pipeline Status
  • PhishER Raw URL - URL from where to download the raw message.
  • PhishER Reported By - The person who reported the message.
  • PhishER Severity - The message's severity
  • PhishER Subject - Subject of the message.
  • PhishER Tags - A collection of tags associated with this message.

Incident Types#

PhishER

Integrations#

PhishER#

The KnowBe4 PhishER integration allows you to pull events from the PhishER system and perform mutations.

Layouts#

PhishER (Available from Cortex XSOAR 6.0.0).


New: ShiftLeft CORE Pack v1.0.0 (Partner Supported)#

Integrations#

ShiftLeft CORE#

Integrates the ShiftLeft CORE code analysis platform with Cortex XSOAR.


ApiModules Pack v2.2.4#

Scripts#

MicrosoftApiModule#

Updated http_request to not override the _ok_codes field by default.


Atlassian Jira Pack v1.3.8#

Integrations#

Atlassian Jira v2#

Fixed an issue where the jira-get-issue command tried to download attachments even when the flag was false.


Azure Active Directory Identity and Access Pack v1.1.2#

Integrations#

Azure Active Directory Identity Protection (Beta)#
  • Clarified the login instructions.
  • Added a default value for the Application ID field.
  • Fixed an issue where the fetch-incidents command failed due to mismatching time zones.
  • Updated the Docker image to: demisto/crypto:1.0.0.24037.

Azure Sentinel Pack v1.1.1#

Integrations#

Azure Sentinel#
  • Breaking changes:
    • Changed the authentication to be based on client credentials instead of user impersonation.
    • Removed the following commands as they are not supported by the updated API version:
      • azure-sentinel-list-incident-entities
  • Added the following commands:
    • azure-sentinel-list-incident-entities
    • azure-sentinel-list-incident-alerts
    • azure-sentinel-list-watchlists
    • azure-sentinel-delete-watchlist
    • azure-sentinel-watchlist-create-update
    • azure-sentinel-list-watchlist-items
    • azure-sentinel-delete-watchlist-item
    • azure-sentinel-create-update-watchlist-item
  • Added the server_url instance parameter to allow using a customized server URL.
  • Added the azure-sentinel-update-incident argument to the azure-sentinel-update-incident command.
  • Added the User-Agent header to all requests.
  • Changed the API version to 2021-04-01.
  • Moved the pack from beta to GA.
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/crypto:1.0.0.24037.
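The breaking change above replaces the delegated (user-impersonation) login with the OAuth 2.0 client-credentials grant, in which the app registration authenticates as itself and no user signs in. The following is an added example, not the Azure Sentinel integration's own code: it builds the token request for the Azure AD v2.0 endpoint with the ARM scope, parses a constructed token response, and derives the bearer header the integration's requests would carry. The tenant, client ID, secret and token values are placeholders, and the "refresh a minute early" margin is an assumption of the example.

```python
# Added example (not the Azure Sentinel integration's code): OAuth 2.0
# client-credentials exchange, built and parsed offline against constructed
# responses. All identifiers and tokens below are placeholders.
import json
import time
from urllib.parse import urlencode

# Azure AD v2.0 token endpoint and the Azure Resource Manager scope.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for a client-credentials grant.

    Unlike the previous user-impersonation (delegated) flow, no user signs in:
    the app authenticates as itself, so the token carries the application's
    own role assignments rather than a user's permissions.
    """
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # store this as an XSOAR credential, never in plain text
        "scope": ARM_SCOPE,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urlencode(body)


def parse_token_response(raw, now=None):
    """Validate a token response; return (access_token, expires_at_epoch).

    Raises PermissionError on an OAuth error document and ValueError on an
    unexpected token type, so callers never cache a non-bearer token.
    """
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    # Assumed policy of this example: treat the token as expired 60 s early
    # so a request in flight never crosses the real expiry.
    expires_at = now + int(data["expires_in"]) - 60
    return data["access_token"], expires_at


def bearer_header(token):
    """Headers for a subsequent API call (a User-Agent is sent on every request)."""
    return {"Authorization": f"Bearer {token}", "User-Agent": "xsoar-example/1.0"}


# Constructed responses; these are not real tokens or real error messages.
GOOD_RESPONSE = json.dumps(
    {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.example.token"}
)
ERROR_RESPONSE = json.dumps(
    {"error": "invalid_client", "error_description": "Invalid client secret provided."}
)

if __name__ == "__main__":
    url, body = build_client_credentials_request("contoso.onmicrosoft.com", "<client-id>", "<secret>")
    print(url)
    print(body)
    token, expires_at = parse_token_response(GOOD_RESPONSE, now=0)
    print(bearer_header(token), expires_at)
```

Because the token now reflects the app registration's own role assignments, grant that registration only the least-privileged Sentinel role the commands you actually use require, and keep the client secret in an XSOAR credential object rather than in the instance parameter as plain text.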

Base Pack v1.13.38#

Scripts#

SaneDocReports#

Updated the Docker image to: demisto/sane-doc-reports:1.0.0.24118.

CommonServerPython#
  • Fixed an issue where the integration_name argument in the DBotScore was empty for 5.0.0 servers.
  • Added the date_fields argument to the tableToMarkdown function to support displaying dates in a human-readable format.

DBotBuildPhishingClassifier#

Improved the memory consumption of the script.


Cherwell Pack v1.0.6#

Integrations#

Cherwell#

Added the following commands:

  • cherwell-run-one-step-action-on-business-object
  • cherwell-get-one-step-actions-for-business-object
  • cherwell-get-business-object-summary

Scripts#

CherwellCreateIncident#

Sets the CallSource field when creating an incident.


Cisco Meraki Pack v1.0.1#

Integrations#

Cisco Meraki#

Added documentation for the Cisco-Meraki integration.


Cisco Umbrella Investigate Pack v1.0.8#

Integrations#

Cisco Umbrella Investigate#

Maintenance and stability enhancements.


Common Scripts Pack v1.4.43#

Scripts#

IsRFC1918Address#

Updated the Docker image to: demisto/netutils:1.0.0.24101.

URLSSLVerification#

Added the set_http_as_suspicious argument, which lets the user choose whether a URL that uses HTTP rather than HTTPS is marked as Suspicious.
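The following is an added example, not the URLSSLVerification script itself, showing the scheme check the new argument controls: URLs are parsed rather than string-matched (so an upper-case HTTP:// scheme is still caught), plain HTTP is scored Suspicious only when set_http_as_suspicious is true, and a URL with no recognisable scheme gets no verdict rather than a false "secure" one. The score values follow the Cortex XSOAR DBotScore scale (0 none, 1 good, 2 suspicious); the "HTTPS means Good" rule and the field names in the returned dictionary are assumptions of the example, not the script's real output.

```python
# Added example (not the URLSSLVerification script): transport-scheme check
# governed by a set_http_as_suspicious switch. Policy below is illustrative.
from urllib.parse import urlsplit

# Cortex XSOAR DBotScore values: 0 none/unknown, 1 good, 2 suspicious, 3 bad
SCORE_NONE, SCORE_GOOD, SCORE_SUSPICIOUS = 0, 1, 2


def classify_url_transport(url, set_http_as_suspicious=True):
    """Return a DBotScore-style verdict for one URL based solely on its scheme.

    Assumed policy of this example:
      https                      -> Good (TLS in use)
      http                       -> Suspicious if set_http_as_suspicious, else None
      missing / other scheme     -> None: nothing can be said about transport
    """
    # urlsplit lower-cases the scheme, so "HTTP://" and "http://" are treated alike.
    scheme = urlsplit(url.strip()).scheme
    if scheme == "https":
        score, reason = SCORE_GOOD, "HTTPS"
    elif scheme == "http":
        if set_http_as_suspicious:
            score, reason = SCORE_SUSPICIOUS, "plain HTTP"
        else:
            score, reason = SCORE_NONE, "plain HTTP (not flagged by policy)"
    else:
        score, reason = SCORE_NONE, f"unrecognised or missing scheme {scheme!r}"
    return {
        "Indicator": url,
        "Type": "url",
        "Vendor": "URLSSLVerification",
        "Score": score,
        "Reason": reason,
    }


def classify_many(urls, set_http_as_suspicious=True):
    """Apply the check to a list of URLs, preserving order."""
    return [classify_url_transport(u, set_http_as_suspicious) for u in urls]


# Constructed sample input covering the cases that matter.
SAMPLE_URLS = [
    "https://example.com/login",
    "http://example.com/login",
    "HTTP://EXAMPLE.COM/",
    "example.com/no-scheme",
    "ftp://example.com/file",
]

if __name__ == "__main__":
    for verdict in classify_many(SAMPLE_URLS):
        print(verdict["Score"], verdict["Indicator"], "-", verdict["Reason"])
```

Leaving set_http_as_suspicious off is appropriate when the same URLs are already scored by a reputation source and a transport-only Suspicious verdict would only add noise; leaving it on is the safer default for user-reported phishing URLs.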

JsonToTable#

Added the headers argument.

ListUsedDockerImages#

Improved the output of the ListUsedDockerImages script to ignore disabled integrations and automations.


Common Widgets Pack v1.1.6#

Scripts#

GetLargestInputsAndOuputsInIncidents#

Deprecated. For XSOAR versions up to 6.2.0, Cortex XSOAR recommends not using this script as it can cause performance issues. For XSOAR 6.2.0 and later versions, refer to the System Diagnostic page as an alternative.

GetLargestInvestigations#

Deprecated. For XSOAR versions up to 6.2.0, Cortex XSOAR recommends not using this script as it can cause performance issues. For XSOAR 6.2.0 and later versions, refer to the System Diagnostic page as an alternative.


CrowdStrike Falcon Pack v1.3.2#

Integrations#

CrowdStrike Falcon#

Fixed an issue where the predefined values of the status argument in the cs-falcon-search-device command were incorrect.


Cybereason Pack v1.0.14#

Scripts#

CybereasonPreProcessingExample#

Updated the Docker image to: demisto/python:2.7.18.24066.


D2 Pack v1.0.3#

Scripts#

D2Remove#

Updated the Docker image to: demisto/python:2.7.18.24066.

Autoruns#

Updated the Docker image to: demisto/python:2.7.18.24066.

O365SearchEmails#

Updated the Docker image to: demisto/python:2.7.18.24066.

RegCollectValues#

Updated the Docker image to: demisto/python:2.7.18.24066.

RegProbeBasic#

Updated the Docker image to: demisto/python:2.7.18.24066.


Developer Tools Pack v1.2.7#

Scripts#

FetchFromInstance#

Updated the Docker image to: demisto/python:2.7.18.24066.


Dig Pack v1.0.1 (Community Contributed)#

Scripts#

Dig#

Updated the Docker image to: demisto/netutils:1.0.0.24101.


EWS Pack v1.9.5#

Integrations#

O365 - Security And Compliance - Content Search#

Documentation and metadata improvements.

Playbooks#

O365 - Security And Compliance - Search#

Added playbook inputs.

O365 - Security And Compliance - Search Action - Delete#

Added playbook inputs.

O365 - Security And Compliance - Search Action - Preview#

Added playbook inputs.

O365 - Security And Compliance - Search And Delete#

Added playbook inputs.

Scripts#

BuildEWSQuery#

Updated the Docker image to: demisto/python:2.7.18.24066.


Elasticsearch Pack v1.1.8#

Integrations#

Elasticsearch v2#

Updated the URL parameter description with the suggested default parameter.


Export Indicators Pack v1.0.12#

Integrations#

Export Indicators Service#

Fixed an issue where the Test button would fail when the Indicators Query parameter wasn't supplied.


Flashpoint Pack v1.2.1 (Partner Supported)#

Integrations#

Flashpoint#

Maintenance and stability enhancements.


Gmail Pack v1.1.9#

Integrations#

Gmail#
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/google-api:1.0.0.24033.

Google Vault Pack v1.0.5#

Integrations#

Google Vault#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/gvault:1.0.0.24033.

IBM QRadar Pack v2.0.28#

Integrations#

IBM QRadar v3#
  • Fixed an issue where the Long Running Instance and Mirror Offenses would fetch duplicate incidents.
  • Fixed an issue where a long-running instance would stop fetching incidents after upgrading to pack version 2.0.27.
  • Updated the Docker image to: demisto/python3:3.9.7.24076.

IBM Resilient Systems Pack v1.0.8#

Integrations#

IBM Resilient Systems#

Maintenance and stability enhancements.


IBM X-Force Exchange Pack v1.1.9#

Integrations#

IBM X-Force Exchange v2#

Documentation and metadata improvements.


Infocyte Pack v1.0.4 (Partner Supported)#

Integrations#

Infocyte#

Maintenance and stability enhancements. Updated the Docker image to: demisto/pwsh-infocyte:1.1.0.23036.


Integrations & Incidents Health Check Pack v1.2.6#

Playbooks#

JOB - Integrations and Incidents Health Check - Lists handling#

Fixed an issue where Set lists names to context (task 54) returned both the names and contents of the XSOAR lists when only the names were needed.


Intezer Pack v1.2.4 (Partner Supported)#

Scripts#

IntezerScanHost#

Updated the Docker image to: demisto/python:2.7.18.24066.


Jamf Pack v2.0.2#

Integrations#

JAMF v2#

Documentation and metadata improvements.


KELA RaDark Pack v1.0.1 (Partner Supported)#

Integrations#

RaDark#

Fixed an issue where the radark-item-purchase command failed to run because of an authorization error.


Kenna Pack v1.1.5#

Integrations#

Kenna v2#

Fixed an issue where the integration did not use the proxy parameter correctly.


Lacework Pack v1.1.0 (Community Contributed)#

Classifiers#

New: Lacework - Classifier#

Lacework Incident Classifier (Available from Cortex XSOAR 6.0.0).

New: Lacework#

Lacework Incident Classifier (Available from Cortex XSOAR 5.0.0).

Incident Fields#

  • Lacework Event ID - The ID of the Lacework event.
  • Lacework Event Actor - The 'Actor' that generated the Lacework event (App, Compliance, File, User, etc.).
  • Lacework Event Model - The 'Model' within the 'Actor' category that generated the Lacework event (AwsCompliance, PTypeConn, SystemRule, etc.).
  • Lacework Event Type - The 'Event Type' within the 'Model' and 'Actor' categories that generated the Lacework event.
  • Lacework Recommendation ID - The ID of the recommendation that generated a compliance violation event within Lacework.
  • Lacework Recommendation Title - The Title of the recommendation that generated a compliance violation event within Lacework.
  • Lacework Recommendation Account ID - The cloud service provider 'Account ID' (i.e., AWS account number) associated with the compliance violation.
  • Lacework Recommendation Account Alias - The cloud service provider 'Account Alias' (i.e., AWS account alias) associated with the compliance violation.

Incident Types#

Lacework Event

Integrations#

Lacework#
  • Added support for Lacework Organizations and Sub-Accounts.
  • Updated the Docker image to: demisto/lacework:1.0.0.24154.

Mappers#

New: Lacework - Incoming Mapper#

Added a mapper to automatically populate new incident fields (Available from Cortex XSOAR 6.0.0).


MISP Pack v2.0.3#

Integrations#

MISP v3#

Added the misp-update-attribute command to update an attribute of an existing MISP event.


Malwarebytes Pack v1.1.4 (Partner Supported)#

Integrations#

Malwarebytes#
  • Fixed the malwarebytes-list-endpoint-info command.
  • Fixed an issue with the fetch-incidents command that caused RTP Detections (EP) incident creation failures.

McAfee Advanced Threat Defense Pack v1.0.11#

Scripts#

ATDDetonate#

Updated the Docker image to: demisto/python:2.7.18.24066.


Microsoft Graph User Pack v1.3.13#

Integrations#

Azure Active Directory Users#

Documentation and metadata improvements.


Microsoft Management Activity API (O365/Azure Events) Pack v1.2.2#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#

Updated the Docker image to: demisto/pyjwt3:1.0.0.23674.


Nexthink Pack v1.0.1 (Community Contributed)#

Integrations#

Nexthink#
  • Improved error handling.
  • Added validation for the following arguments:
    • ipaddress
    • hostname
  • Updated the Docker image to: demisto/python3:3.9.7.24076.

Office 365 Feed Pack v1.1.11#

Integrations#

Office 365 Feed#

Changed the feed default configuration to include all of the regions.


PAN-OS Pack v1.7.0#

Integrations#

Palo Alto Networks PAN-OS#

Added the following options to the panorama-edit-url-filter command to support categories management in PAN-OS 9.x versions or higher:

  • allow_categories
  • block_categories

Palo Alto Networks Cortex XDR - Investigation and Response Pack v4.1.3#

Incident Fields#

XDR Status v2

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Added the xdr-get-endpoints-by-status command.
  • Added the incident_id argument to the following commands:
    • xdr-restore-file
    • xdr-retrieve-files
    • xdr-quarantine-files
    • xdr-whitelist-files
    • xdr-blacklist-files
    • xdr-isolate-endpoint
    • xdr-unisolate-endpoint
    • xdr-endpoint-scan
    • xdr-endpoint-scan-abort
    • xdr-run-script
    • xdr-run-script-execute-commands
    • xdr-run-script-delete-file
    • xdr-run-script-file-exists
    • xdr-run-script-kill-process
    • xdr-run-snippet-code-script
  • Added the suppress_disconnected_endpoint_error argument, which controls whether an error is returned when the endpoint is disconnected, to the following commands:
    • xdr-isolate-endpoint
    • xdr-unisolate-endpoint

Cortex XDR - XQL Query Engine#

Documentation and metadata improvements.

Scripts#

XDRDisconnectedEndpoints#

Uses the xdr-get-endpoints-by-status command to get the disconnected endpoint count.

XDRConnectedEndpoints#

Uses the xdr-get-endpoints-by-status command to get the connected endpoint count.

XDRSyncScript#

Maintenance and stability enhancements.


Palo Alto Networks PAN-OS EDL Service Pack v2.1.4#

Integrations#

Palo Alto Networks PAN-OS EDL Service#

Fixed an issue where the Test button would fail when the Indicators Query parameter wasn't supplied.


Palo Alto Networks WildFire Pack v1.4.3#

Integrations#

Palo Alto Networks WildFire v2#
  • Added reliability support to create_file_report() for the file command.
  • Updated the Docker image to: demisto/python3:3.9.7.24076.

Phishing Pack v2.4.4#

Playbooks#

Phishing Investigation - Generic v2#

Fixed an issue where the ReporterAddress input for the send-mail task was not set properly.

Scripts#

CheckEmailAuthenticity#

Updated the Docker image to: demisto/python:2.7.18.24066.


Phishing Campaign Pack v3.0.6#

Incident Fields#

  • Actions On Low Similarity Incidents
  • Select Low Similarity Incidents

Scripts#

New: GetCampaignLowerSimilarityIncidentsIdsAsOptions#

Gets the IDs of incidents with lower similarity. Used to fill the optional values of the multi-select Select Low Similarity Incidents incident field.

PerformActionOnCampaignIncidents#
  • Added support for campaign lower similarity incident fields.
  • Added the Add to Campaign option to the possible actions of the interactive management section.

GetCampaignIncidentsInfo#
  • Changed the severity column values to human-readable.
  • The similarity values of incidents will now be rounded to two decimal places for readability.
  • Updated the Docker image to: demisto/python3:3.9.7.24076.

New: ShowCampaignSimilarityRange#

Displays the similarity range between the incidents that make up the phishing campaign. (Available from Cortex XSOAR 5.5.0).

New: ShowCampaignRecipients#

Displays the phishing campaign recipients' email addresses and the number of incidents each email address appears in. (Available from Cortex XSOAR 5.5.0).

New: ShowCampaignLastIncidentOccurred#

Displays the occurrence date of the last campaign incident. (Available from Cortex XSOAR 5.5.0).

New: ShowCampaignSenders#

Displays the phishing campaign senders' email addresses and the number of incidents each email address appears in. (Available from Cortex XSOAR 5.5.0).

New: GetCampaignLowSimilarityIncidentsInfo#

Gets the campaign incidents with low similarity information as a markdown table. (Available from Cortex XSOAR 5.5.0).

New: GetCampaignIndicatorsByIncidentId#

Gets the campaign indicators by the campaign incident IDs as a markdown table. (Available from Cortex XSOAR 5.5.0).

New: SplitCampaignContext#

Splits incidents in the context data to below and above a similarity threshold. (Available from Cortex XSOAR 5.5.0).


Qualys Pack v1.0.11#

Integrations#

Qualys v2#

Documentation and metadata improvements.


RecordedFuture v2 Pack v1.2.0 (Partner Supported)#

Incident Types#

Recorded Future Alert

Indicator Fields#

RecordedFuture Risk rules#

Maintenance and stability enhancements.

RecordedFuture Threat assessment#

Maintenance and stability enhancements.

Integrations#

Recorded Future v2#
  • Added support for fetching incidents.
  • Added the following commands:
    • recordedfuture-alert-set-status
    • recordedfuture-alert-set-note

Layouts#

New: RecordedFutureLayout

Playbooks#

Recorded Future CVE Intelligence#

Maintenance and stability enhancements.

Recorded Future CVE Reputation#

Maintenance and stability enhancements.

Recorded Future Domain Intelligence#

Maintenance and stability enhancements.

Recorded Future Domain Reputation#

Maintenance and stability enhancements.

Recorded Future File Intelligence#

Maintenance and stability enhancements.

Recorded Future File Reputation#

Maintenance and stability enhancements.

Recorded Future IP Intelligence#

Maintenance and stability enhancements.

Recorded Future IP Reputation#

Maintenance and stability enhancements.

Recorded Future Threat Assessment#

Maintenance and stability enhancements.

Recorded Future URL Intelligence#

Maintenance and stability enhancements.

Recorded Future URL Reputation#

Maintenance and stability enhancements.


SafeNet Trusted Access Pack v1.0.2 (Partner Supported)#

Integrations#

SafeNet Trusted Access#

Updated the configuration guide links.


SentinelOne Pack v2.0.5#

Integrations#

SentinelOne v2#
  • Added the fetch_site_ids integration parameter to allow filtering of fetch by site ID.
  • Added the site_ids argument to the sentinelone-get-threats command.

ServiceNow Pack v2.2.7#

Playbooks#

Create ServiceNow Ticket#

Added ticket type input to the Create ServiceNow Ticket playbook.


Sophos Central Pack v1.1.0 (Partner Supported)#

Integrations#

Sophos Central#
  • Added support for partner and organization level credentials.
  • Added support for base URL caching.
  • Reformatted the entire code and fixed flake8 issues.
  • Added support for the following commands:
    • Isolate endpoint(s) (sophos-central-isolate-endpoint)
    • Deisolate endpoint(s) (sophos-central-deisolate-endpoint)
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

Splunk Pack v2.2.1#

Integrations#

SplunkPy#

Updated the Docker image to: demisto/splunksdk:1.0.0.24033.


Splunk Prerelease Pack v1.0.1#

Integrations#

SplunkPy Prerelease (Beta)#
  • Fixed an issue where the same incident was fetched repeatedly when using the enrichment mechanism.
  • Updated the Docker image to: demisto/splunksdk:1.0.0.24033.

Symantec Endpoint Protection Pack v1.0.6#

Scripts#

SEPCheckOutdatedEndpoints#

Updated the Docker image to: demisto/python:2.7.18.24066.


TAXII Feed Pack v1.0.12#

Integrations#

TAXII Feed#

Fixed an issue where tags weren't being added to incoming indicators.


Tufin Pack v1.2.1 (Partner Supported)#

Integrations#

Tufin#

Updated the Docker image to: demisto/netutils:1.0.0.24101.


URLScan.io Pack v1.1.12 (Partner Supported)#

Integrations#

urlscan.io#
  • Finished adoption of the urlscan.io pack by the vendor.
  • Note: Support for this pack moved to the partner on September 21, 2021. Contact the partner directly.

VirusTotal Pack v2.1.9 (Partner Supported)#

Integrations#

VirusTotal (API v3)#

Note: Support for this pack moved to the partner on October 1, 2021. Contact the partner directly.


VirusTotal - Private API Pack v1.0.12 (Partner Supported)#

Integrations#

VirusTotal - Private API#

Note: Support for this pack moved to the partner on October 1, 2021. Contact the partner directly.
