Skip to main content

Cortex XSOAR Content Release Notes for version 21.11.0 (8620136)

Published on 09 November 2021#

Breaking Changes#

The following packs includes breaking changes:

New: MalwareBazaar Feed Pack v1.0.0#

Integrations#

MalwareBazaar Feed#

Use the MalwareBazaar Feed integration to get the list of malware samples added to MalwareBazaar within the last 60 minutes.


New: SecurityScorecard Pack v1.0.0 (Partner Supported)#

Classifiers#

SecurityScorecard Alert Mapper#

SecurityScorecard Alert Mapper

Incident Fields#

  • SecurityScorecard Company Name
  • SecurityScorecard Domain
  • SecurityScorecard Factor
  • SecurityScorecard Grade
  • SecurityScorecard Score
  • SecurityScorecard Score Impact
  • SecurityScorecard Username

Incident Types#

SecurityScorecard Alert

Integrations#

SecurityScorecard#

Provides scorecards for domains.

Layouts#

SecurityScorecard Alert Layout (Available from Cortex XSOAR 6.0.0)


AWS Feed Pack v1.1.9#

Integrations#

AWS Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


AWS-ILM Pack v1.0.1#

Integrations#

AWS - IAM (user lifecycle management)#

The iam-get-user command will now try to retrieve user details by ID, then by username.


Abuse.ch SSL Blacklist Feed Pack v1.1.8#

Integrations#

abuse.ch SSL Blacklist Feed#

New noUpdate flagging when fetching indicators using ETAG and Last-Modified headers from the feed response.


Active Directory Query Pack v1.3.7#

Integrations#

Active Directory Query v2#

Updated the the following commands according to the changes in IAMApiModule:

  • iam-get-user
  • iam-create-user
  • iam-update-user
  • iam-disable-user

AlienVault Feed Pack v1.1.8#

Integrations#

AlienVault Reputation Feed#

New noUpdate flagging when fetching indicators using ETAG and Last-Modified headers from the feed response.


Anomali ThreatStream Pack v2.0.0#

Integrations#

New: Anomali ThreatStream v3#

Use Anomali ThreatStream to query and submit threats. (Available from Cortex XSOAR 6.0.0).


ApiModules Pack v2.2.5#

Scripts#

JSONFeedApiModule#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.

HTTPFeedApiModule#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.

CSVFeedApiModule#

New noUpdate flagging when fetching indicators using ETAG and Last-Modified headers from the feed response.


Atlassian IAM Pack v1.1.3#

Integrations#

Atlassian IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.


AutoFocus Pack v2.0.1#

Integrations#

New: AutoFocus Tags Feed#

The AutoFocus Tags Feed integration is now a part of the AutoFocus pack.

AutoFocus Tags Feed#

Maintenance and stability enhancements.


Azure Compute Pack v1.0.9#

Integrations#

Azure Compute v2#
  • Fixed a bug in the login mechanism for self-deployed apps.
  • Updated the Docker image to demisto/crypto:1.0.0.24037.

Bambenek Consulting Feed Pack v1.1.8#

Integrations#

Bambenek Consulting Feed#

New noUpdate flagging when fetching indicators using ETAG and Last-Modified headers from the feed response.


Base Pack v1.14.0#

Scripts#

CommonServerPython#
  • Changed emailRegex to limit the local part to 64 characters and the domain part to 253 characters per RFC3696.
  • Fixed a typo in the error message when trying to create an indicator with an unsupported score value.

BitcoinAbuse Feed Pack v1.0.13#

Integrations#

BitcoinAbuse Feed#
  • New noUpdate flagging when fetching indicators using ETAG and Last-Modified headers from the feed response.
  • Fixed the indicator fetching failure.

BlockList DE Feed Pack v1.1.8#

Integrations#

Blocklist_de Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


BruteForce Feed Pack v1.1.8#

Integrations#

BruteForceBlocker Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


CSV Feed Pack v1.1.6#

Integrations#

CSV Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


Clarizen IAM Pack v1.0.2#

Integrations#

Clarizen IAM#

Maintenance and stability enhancements.

Mappers#

User Profile - Clarizen (Outgoing)#

Changed mapping name of the Username field to UserName.


Cloudflare Feed Pack v1.1.8#

Integrations#

Cloudflare Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


Common Playbooks Pack v2.0.7#

Playbooks#

Calculate Severity By Highest DBotScore#

Updated the playbook to use the GetIndicatorDBotScoreFromCache command to take into consideration the reliability parameter. (Available from Cortex XSOAR 6.0.0).


Common Scripts Pack v1.5.0#

Scripts#

LanguageDetect#

Updated the Docker image to: demisto/langdetect:1.0.0.24247.

ParseWordDoc#

Updated the Docker image to: demisto/docxpy:1.0.0.24033.

ParseExcel#

Updated the Docker image to: demisto/xlrd-py3:1.0.0.23423.

PDFUnlocker#

Updated the Docker image to: devdemisto/pypdf2:1.0.0.24259.

ExtractEmailV2#

Changed emailRegex to limit the local part to 64 characters and the domain part to 253 characters per RFC3696.

ReadPDFFileV2#

Updated the Docker image to: demisto/readpdf:1.0.0.24272.


Common Types Pack v3.1.22#

Indicator Fields#

Indicator Types#

cveRep - Fixed an issue where the Description accessor in the CVE indicator used an incorrect field name.


Common Widgets Pack v1.1.10#

Scripts#

GetLargestInputsAndOuputsInIncidents#

Added the ignore_deprecated argument to allow running the script on Cortex XSOAR version 6.2.0+. WARNING: Setting this argument to true might result in CPU and RAM issues.

GetLargestInvestigations#

Added the ignore_deprecated argument to allow running the script on Cortex XSOAR version 6.2.0+. WARNING: Setting this argument to true might result in CPU and RAM issues.


CrowdStrike Falcon Pack v1.4.0#

Integrations#

CrowdStrike Falcon#
  • Breaking Change: On November 4, 2021 the CrowdStrike Custom IOC APIs will be decommissioned and will cease to work. The IOC commands are deprecated and should be replaced with the following commands:
    • cs-falcon-search-custom-iocs should be used instead of cs-falcon-search-iocs.
    • cs-falcon-get-custom-ioc should be used instead of cs-falcon-get-ioc.
    • cs-falcon-upload-custom-ioc should be used instead of cs-falcon-upload-ioc.
    • cs-falcon-update-custom-ioc should be used instead of cs-falcon-update-ioc.
    • cs-falcon-delete-custom-ioc should be used instead of cs-falcon-delete-ioc.
  • Expanded the description for the cs-falcon-resolve-detection command detailing that it must be used with at least one optional argument.

CrowdStrike Falcon Streaming Pack v1.1.0#

Scripts#

CrowdStrikeStreamingPreProcessing#

Breaking Change: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


CrowdStrike Malquery Pack v1.0.8#

Integrations#

CrowdStrike Malquery#

Added an API test call when clicking the test button.


CyberArk AIM Pack v1.0.9#

Integrations#

CyberArk AIM v2#
  • Fixed an issue where searching partial credential names in the Credentials tab failed the credentials search for other integrations.
  • Fixed an issue where the test module returned "success" for incorrect integration configuration.
  • Updated the Docker image to: demisto/ntlm:1.0.0.24037.

Cyberpion Pack v1.0.2 (Partner Supported)#

Classifiers#

Cyberpion-Classifier#

Changed from complex to simple classifier.

Incident Fields#

  • Cyberpion Description
  • Cyberpion Asset
  • Changed field name from Cyberpion Domain to Cyberpion Asset.

Integrations#

Cyberpion#
  • Added the first fetch parameter. User can determine from when to fetch incidents (months).
  • Updated the Docker image to: demisto/python3:3.9.6.22912.

Layouts#

  • Cyberpion - Action Item
  • Changed Cyberpion Domain to Cyberpion Asset.
  • Added summary and portal link.

Mappers#

Cyberpion-Mapper#
  • Changed Cyberpion Domain to Cyberpion Asset.
  • Added missing mapping (Cyberpion Impact, Cyberpion Solution, etc.)

Playbooks#

Cyberpion Domain State#

Now reads the domain name from the Cyberpion Asset field instead of the Cyberpion Domain field.


DShield Feed Pack v1.1.8#

Integrations#

DShield Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


Demisto REST API Pack v1.2.0#

Scripts#

New: GetTasksWithSections#

Retrieves incident task data and groups tasks by task headers (titles) in Task Details and Context Data. (Available from Cortex XSOAR 6.0.0).

New: SetIRProceduresMarkdown#

Creates the following four markdown tables in Task Details based on information from the GetTasksWithSection command (Available from Cortex XSOAR 6.0.0).

  • Threat Hunting
  • Mitigation
  • Remediation
  • Eradication

Dig Pack v1.1.0 (Community Contributed)#

Scripts#

Dig#

Breaking Change: The following breaking change applies to organizations that implement pre-set roles on their incidents: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


Dnstwist Pack v1.1.1#

Integrations#

dnstwist#

Updated the Docker image to: demisto/dnstwist:1.0.0.24280.


Druva Pack v1.1.0 (Partner Supported)#

Playbooks#

Druva-Ransomware-Response#

Added the Druva Ransomware Response playbook that allows you to automate response actions like quarantining effected resources or snapshots to stop the spread of ransomware and avoid reinfection or contamination spread.


EWS Pack v1.10.0#

Mappers#

EWS - Incoming Mapper#
  • Breaking Change: Disassociated the Email Headers field since it represents the original email headers and not the reporter headers.
  • Added the Phishing Reporter Email Headers field.

Playbooks#

New: Get Original Email - EWS v2#

This playbook retrieves the original email in the thread as an eml file and not as an Email object (as in the previous version) by using the EWS v2 integration. This version also reduces the amount of tasks needed to perform the fetch action.

You must have the necessary permissions in the EWS integration to execute the global search: eDiscovery.


Envoy Pack v1.0.1#

Integrations#

Envoy IAM#

Maintenance and stability enhancements.


Exceed LMS Pack v1.0.2#

Integrations#

ExceedLMS IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.


Expanse v2 Pack v1.9.0#

Scripts#

ExpanseGenerateIssueMapWidgetScript#

Breaking Change: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


Fastly Feed Pack v1.1.8#

Integrations#

Fastly Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


FeodoTracker Feed Pack v1.1.9#

Integrations#

Feodo Tracker IP Blocklist Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


G Suite Admin Pack v1.1.0#

Integrations#

G Suite Admin#

Added a more informative message if an error occurs in the user_service_account_json parameter in GSuite client.


G Suite Security Alert Center Pack v1.1.0#

Integrations#

G Suite Security Alert Center#

Added a more informative message if an error occurs in the user_service_account_json parameter in GSuite client.


GitHub Pack v1.3.9#

Integrations#

GitHub IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.


Gmail Pack v1.1.10#

Mappers#

Gmail - Incoming Mapper#
  • Breaking Change: Disassociated the Email Headers field as it represents the original email headers and not the reporter headers.
  • Added the Phishing Reporter Email Headers field.

Playbooks#

New: Get Original Email - Gmail v2#

This playbook uses the reporter email headers to retrieve the original email using Gmail integration, including headers and attachments. This decreases the amount of the tasks needed to retrieve the original email.

You must have the necessary permissions in your Gmail service to execute global search: Google Apps Domain-Wide Delegation of Authority.


Google Calendar Pack v1.1.0#

Integrations#

Google Calendar#

Added a more informative message if an error occurs in the user_service_account_json parameter in GSuite client.


GsuiteAuditor Pack v1.0.1#

Integrations#

G Suite Auditor#
  • Updated the README file.
  • Updated argument descriptions in the GsuiteAuditor.yml file
  • Updated the Docker image to: demisto/googleapi-python3:1.0.0.24037.

Gurucul Risk Analytics Pack v1.1.4 (Partner Supported)#

Classifiers#

The renamed classifiers#

Breaking Changes:

  • Renamed the GRACase_5_9_9 classifier.
  • Renamed the GRACase classifier.
  • Removed the GRAHighRiskUser classifier.
  • Removed the RAHighRiskUser_5_9_9 classifier.
  • Removed the GRAHighRiskUser classifier.

Integrations#

Gurucul-GRA#
  • Breaking Changes: The following drop-down lists were removed when adding an instance of the integration:
    • Fetch Incident Command
    • Fetch Incident Cases
  • Fixed an issue with fetch incidents.

Layouts#

New: GRACaseLayout - Added a new layout for the GRACase incident type.

Mappers#

The renamed incoming mapper#
  • Breaking Change: Removed the Gurucul-HighRiskUsers mapper.
  • Renamed the Gurucul-GRACases mapper to GRACase-mapper.

Playbooks#

Scripts#

New: GRAUpdateCaseStatus#

GRA Update Case Status (Available from Cortex XSOAR 5.5.0).

New: GRAAnalyticalFeatureDisplay#

Display GRA analytical feature in the layout (Available from Cortex XSOAR 5.5.0).


Hello World IAM Pack v1.1.3#

Integrations#

Hello World IAM#

Updated the template according to the changes in IAMApiModule.


HelloWorld Pack v1.2.8 (Community Contributed)#

Integrations#

HelloWorld Feed#

Added an example of indicator relationships creation in the fetch-indicators command.

HelloWorld#

Added an example of indicator relationships creation in the ip reputation command.


IBM QRadar Pack v2.1.5#

Integrations#

IBM QRadar v3#
  • Improved the error message which is returned when an error occurs during command execution due to missing permissions.
  • Fixed an issue where fetching incidents raised an error due to a format mismatch in the integration context data.
  • Fixed an issue where fetching incidents after running the qradar-reset-last-run command raised an error due to a format mismatch in the integration context data.
  • Maintenance and stability enhancements.

Playbooks#

QRadar - Get offense correlations v2#

Maintenance and stability enhancements.


Intel471 Feed Pack v2.0.5 (Partner Supported)#

Incident Fields#

  • Titan URL
  • Titan Watcher
  • Titan Watcher Group

Incident Types#

Intel 471 Watcher Alert

Integrations#

Intel471 Actors Feed#
  • Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.
  • Updated the Docker image to: demisto/jmespath:1.0.0.23980.
Intel471 Malware Feed (Deprecated)#

Small editing change in the text.

Intel471 Malware Indicator Feed#
  • Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.
  • Updated the Docker image to: demisto/jmespath:1.0.0.23980.
New: Intel471 Watcher Alerts#

Added the watcher alert integration.


JSON Feed Pack v1.1.8#

Integrations#

JSON Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


LogRhythmRest Pack v1.1.0#

Integrations#

LogRhythmRest#

Added the following commands for handling users in LogRhythm.

  • lr-get-users
  • lr-get-logins
  • lr-get-privileges
  • lr-get-profiles
  • lr-add-user
  • lr-add-login

MISP Pack v2.0.5#

Integrations#

MISP v3#

Added the attributes' feed hit outputs to the misp-search-events command.


MITRE ATT&CK Pack v1.1.17#

Integrations#

MITRE ATT&CK Feed#

Documentation and metadata improvements.


Mail Listener Pack v1.0.6#

Integrations#

Mail Listener v2#

Fixed an issue where the fetch incidents command failed to parse specific mail messages.


Majestic Million Feed Pack v1.1.6#

Integrations#

Majestic Million Feed#

New noUpdate flagging when fetching indicators using ETAG and Last-Modified headers from the feed response.


MalwareDomainList Feed Pack v1.1.6#

Integrations#

Malware Domain List Active IPs Feed (Deprecated)#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


Microsoft 365 Defender Pack v2.0.0#

Integrations#

New: O365 Defender SafeLinks#

Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. (Available from Cortex XSOAR 6.0.0).


Microsoft Defender for Endpoint Pack v1.3.2#

Integrations#

Microsoft Defender for Endpoint#

The IP Address list with MAC Address info for interfaces on the machine are now part of the get-machine-details command output. This is useful for playbooks requiring MAC Address to IP mapping.


Microsoft Graph Mail Pack v1.1.0#

Integrations#

O365 Outlook Mail (Using Graph API)#

Fixed an issue in which the msgraph-mail-list-emails command failed to query values that include special characters, such as &.

Mappers#

Microsoft Graph Mail Mapper#
  • Breaking Change: Disassociated the Email Headers field, as it represents the original email headers and not the reporter headers.
  • Added the Phishing Reporter Email Headers field.

Playbooks#

New: Get Original Email - Microsoft Graph Mail#

Use this playbook to retrieve the original email in the thread as an eml file when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in the Microsoft Graph Mail integration as described here:


Microsoft Graph User Pack v1.3.15#

Integrations#

Azure Active Directory Users#

Fixed the misleading error message when running the msgraph-user-get command on a user containing an unsupported character.


Okta Pack v2.2.6#

Integrations#

Okta IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.

Mappers#

User Profile - Okta (Incoming)#

The Username field in Cortex XSOAR will now be mapped from the Okta login field, instead of the userName field.

User Profile - Okta (Outgoing)#

Breaking Change: Changed the mapping of the login field from Okta to the Username field in Cortex XSOAR instead of the Email field.


OnboardingIntegration Pack v1.1.0#

Integrations#

OnboardingIntegration#

Updated the Docker image to: demisto/faker3:1.0.0.17991.

Scripts#

OnboardingCleanup#

Breaking Change: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


Oracle IAM Pack v1.0.1#

Integrations#

Oracle IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v4.1.10#

Integrations#

Cortex XDR - XQL Query Engine_copy#
  • Added code to support extraction of more than 1,000 results to context and not just to a file.
  • Updated the Docker image to: demisto/python3:3.9.7.24076.

Playbooks#

Cortex XDR disconnected endpoints#
  • Fixed playbook inputs to support empty inputs for LastSeenStartDate and LastSeenEndDate.
  • Fixed the playbook broken context path for the agent information.
Cortex XDR incident handling v3#

The incident Resolved statuses are updated to enable greater flexibility.

  • For Cortex XDR v3.0 and greater, deprecated the Resolved status resolution reason Resolved - Threat Handled and replaced it with Resolved - True Positive.
  • Updated the Resolved status when closing a remediated Cortex XDR incident to RESOLVED_TRUE_POSITIVE.

Palo Alto Networks IoT 3rd Party Integrations Pack v1.1.0#

Scripts#

SendPANWIoTDevicesToCiscoISE#

Breaking Change: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


Palo Alto Networks WildFire Pack v2.0.0#

Integrations#

New: Palo Alto Networks WildFire Reports#

Generates a Palo Alto Networks WildFire PDF report. (Available from Cortex XSOAR 6.5.0).


PhishLabs Pack v1.1.0#

Scripts#

PhishLabsPopulateIndicators#

Breaking Change: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


Phishing Pack v2.5.0#

Incident Types#

  • Phishing - Added updated Phishing incident type for 6.1 incident field extraction.
  • Changed the "On incident creation" under the "Indicators Extraction Rules" to "Inline". This will extract indicators when the incident is created.

Playbooks#

Phishing Investigation - Generic v2#
  • Removed the Domain input from task 53 since it is not needed and may cause a failure of the workflow due to late field extraction.
  • Added a task to extract the ReporterAddress field correctly before storing it in the context.
New: Process Email - Generic v2#

This is a new version of the playbook (Available from Cortex XSOAR 6.1.0). Its functionality is the same as the previous version with these changes:

  • Changed incident labels to incident fields.

  • Added a new task to extract email artifacts when retrieving the original eml file.

  • Removed indicator extraction inside tasks where unnecessary.

  • Use the "Get Original Email - Generic v2" playbook.

  • Added the following playbook inputs that will be passed to the new Get Original Email - Generic v2 playbook:

    • MessageID
    • UserID
    • ThreadTopic

    These inputs will assist with generalizing the playbook in order to support other phishing scenariosl.

New: Get Original Email - Generic v2#

This is a new version of the playbook. Its functionality is the same as the previous version with these changes:

  • Removed existing playbook inputs and added the following new ones:

    • MessageID
    • UserID
    • ThreadTopic
    • EmailBrand

    These inputs assist with generalizing the playbook to support other phishing scenarios and also to allow the user to choose a specific email brand.

  • Added the new playbook Get Original Email - Microsoft Graph Mail to the flow.

  • Uses the new EWS playbook Get Original Email - EWS v2 instead of the previous one.

  • Uses the new Gmail playbook Get Original Email - Gmail v2 instead of the previous one.


Plain Text Feed Pack v1.1.7#

Integrations#

Plain Text Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


Prisma Cloud Pack v2.0.1#

Integrations#

PrismaCloud IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.

Mappers#

User Profile - PrismaCloud (Outgoing)#

Added a transformer to email field to get the username or ID if it's empty.


Rasterize Pack v1.0.14#

Integrations#

Rasterize#

Updated the Docker image to: demisto/chromium:1.0.0.24317.


SAP-IAM Pack v1.0.1#

Integrations#

SAP - IAM#

Maintenance and stability enhancements.


Saas Security (Prisma) Pack v1.2.0#

Incident Fields#

  • Saas Security Assigned To
  • Saas Security Status
  • Saas Security State
  • Saas Security Category
  • Saas Security Resolved By
  • Saas Security Remove Inherited Sharing
  • Saas Security Remediation Type
  • Saas Security Asset ID
  • Saas Security Asset Name
  • Saas Security Incident Severity Level
  • Saas Security Incident Id

Incident Types#

Saas Security Incident

Integrations#

SaaS Security#
  • Added the mirror in and out functionality.
  • Added the close_incident integration parameter that specifies whether to close mirrored incidents in XSOAR.
  • Documentation improvements.

Layouts#

Saas Security Layout - Added the new Saas Security Incident Fields and the mirroring fields to the layout.

Mappers#

New: Saas Security - Outgoing Mapper#

Added the Saas Security Outgoing Mapper. (Available from Cortex XSOAR 6.0.0).

Saas Security - Incoming Mapper#

Added the new incident fields to the Incoming Mapper.

Playbooks#

New: Saas Security - Incident Processor#

This playbook notifies the incident owner and provides remediation options to the Saas Security admin for resolving incidents. (Available from Cortex XSOAR 6.0.0).

New: Saas Security - Take Action on the Incident#

This sub-playbook sends email notification to the Saas Security admin in order to take remediation action on the incident. (Available from Cortex XSOAR 6.0.0).


Salesforce Pack v1.1.5#

Integrations#

Salesforce IAM#

Updated the following commands according to the changes in IAMApiModule:

  • iam-get-user
  • iam-create-user
  • iam-update-user
  • iam-disable-user

Salesforce Fusion Pack v1.0.1#

Integrations#

Salesforce Fusion IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.

Mappers#

User Profile - Salesforce Fusion (Incoming)#

Added mapping from the Name SalesforceFusion field to the Username Cortex XSOAR field.

User Profile - Salesforce Fusion (Outgoing)#

Changed the mapping of the Name field from displayname to username.


Secureworks Pack v2.0.0 (Partner Supported)#

Integrations#

Updated: Dell Secureworks#

Migrated the CTP integration from the legacy pack format.

New: TaegisXDR#

Used for integration with the Secureworks Taegis XDR platform (Available from Cortex XSOAR 5.5.0).


ServiceNow Pack v2.2.11#

Incident Fields#

ServiceNow Ticket ID

Integrations#

ServiceNow v2#

Added the Custom Fields to Mirror parameter to allow mirroring to work with custom fields created in ServiceNow.

ServiceNow IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.

Layouts#

  • ServiceNow Ticket - Added the ServiceNow Ticket ID incident field under the Snow Ticket Information section.

  • ServiceNow Create Ticket and Mirror - Added the ServiceNow Ticket ID incident field under the Ticket Info section.

Mappers#

User Profile - ServiceNow (Incoming)#

Added mapping of the user_name field from ServiceNow to the Username field in Cortex XSOAR.

User Profile - ServiceNow (Outgoing)#

Added mapping of the Username field from Cortex XSOAR to the user_name field in ServiceNow.

ServiceNow - Incoming Mapper#

Added mapping from the sys_id field of a ServiceNow ticket to the ServiceNow Ticket ID incident field.


Shift Management - Assign to Next Shift Pack v1.1.0 (Community Contributed)#

Scripts#

AssignToNextShift#

Breaking Change: The following breaking change applies to organizations that implement pre-set roles on their incidents: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


Slack Pack v2.2.0#

Integrations#

Slack IAM#

The iam-get-user command will now try to retrieve user details by ID, then by username, and finally by email.

Slack v3#
  • Fixed an issue where all messages from a Bot user were ignored.
  • Promoted SlackV3 out of Beta and into General Availability (GA).

SlashNext Phishing Incident Response - Annual Subscription (Direct Subscription) Pack v1.3.0 (Partner Supported)#

Integrations#

SlashNext Phishing Incident Response#

Added the following commands for checking the URL reputation from SlashNext cloud:

  • url
  • slashnext-url-reputation

Playbooks#

Abuse Inbox Management Protection#

Updated the URL enrichment path to match the host enrichment path and updated the tags accordingly.


Spamhaus Feed Pack v1.1.8#

Integrations#

Spamhaus Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


Splunk Pack v2.2.2#

Scripts#

SplunkShowIdentity#

Improved the readable output returned in case of an error.

SplunkShowAsset#

Improved the readable output returned in case of an error.

SplunkShowDrilldown#

Improved the readable output returned in case of an error.


TAXII Feed Pack v1.1.1#

Indicator Fields#

New: STIX Indicator Description#

Description for the STIX indicator.

New: STIX Indicator Name#

Name for the STIX indicator.

New: STIX TTP Title#

Title for the STIX TTP indicator.

Integrations#

TAXII 2 Feed#
  • Added support to fetch non indicator stix objects, e.g, attack pattern, tool.
  • Added relationships ingestion between objects.
  • Added certificate authentication.
  • Updated the Docker image to: demisto/taxii2:1.0.0.23423.
TAXII Feed#
  • Added new fields to the indicator.
  • Added support for relationships between indicators.

Tanium Pack v1.0.11#

Integrations#

Tanium#

Updated the Docker image to: demisto/pytan:1.0.0.24291.


Tanium Threat Response Pack v2.0.2#

Integrations#

Tanium Threat Response v2#

Documentation improvements.

Tanium Threat Response#
  • Added the following commands:
    • tanium-tr-intel-doc-create
    • tanium-tr-start-quick-scan
  • Added the following parameters to the Client.do_request function to allow passing XML data in addition to JSON data:
    • json_data'*
    • headers

Threat Intel Report Pack v1.0.11#

Layouts#

  • Improved the following layouts:
    • Threat Actor Report
    • Campaign Report
    • Malware Report
    • Vulnerability Report
  • New: Executive Brief Report (Available from Cortex XSOAR 6.5.0).

Modules#

Threat Intel#

Updated widget queries.

Object Types#

(Threat Intel Report) - Malware#
  • (Threat Intel Report) - Threat Actor
  • (Threat Intel Report) - Vulnerability
  • (Threat Intel Report) - Campaign
(Threat Intel Report) - Executive Brief#
(Threat Intel Report) - Vulnerability#
  • (Threat Intel Report) - Campaign
  • (Threat Intel Report) - Malware
  • (Threat Intel Report) - Executive Brief
  • (Threat Intel Report) - Threat Actor

Scripts#

New: UnpublishThreatIntelReport#

Sets a Threat Intel Report as unpublished. (Available from Cortex XSOAR 6.5.0).

New: PublishThreatIntelReport#

Sets a Threat Intel Report as published. (Available from Cortex XSOAR 6.5.0).


Threat Intelligence Management Pack v1.1.0#

Scripts#

ThreatIntelManagementGetIncidentsPerFeed#

Breaking Change: Removed DBotRole from this automation. This change will affect any playbook that is dependent on, or runs, this automation. This automation will now run using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html


ThreatConnect Pack v2.0.16#

Integrations#

ThreatConnect v2#
  • Added the owner argument to the tc-update-indicator command.
  • Updated the Docker image to: demisto/threatconnect-py3-sdk:1.0.0.23423.

VMware Pack v1.1.2#

Integrations#

VMware#

Updated the Docker image to: demisto/vmware:1.0.0.24293.


Zoom Pack v1.1.1#

Integrations#

Zoom_IAM#

The iam-get-user command will now try to retrieve user details by ID, and then by username.


Zoom Feed Pack v1.1.5 (Community Contributed)#

Integrations#

Zoom Feed (Beta)#
  • Changed the fetch-incidents mechanism to gather complete data from Zoom while fetching.
  • Removed the Zoom Endpoint URL parameter, since the URL being used is now hard-coded.

iDefense Pack v3.1.2#

Integrations#

iDefense Feed#

Enhanced noUpdate flagging when fetching indicators using ETAG and Last-Modified headers.


Assets#