
Cortex XSOAR Content Release Notes for version 21.12.1 (9599967)

Published on 21 December 2021#

Breaking Changes#

The following packs include breaking changes:


New: AppendIfNotEmpty Pack v1.0.0 (Community Contributed)#

Scripts#

AppendIfNotEmpty#

Appends item(s) to the end of the list if they are not empty.


New: CVE-2021-44228 - Log4j RCE Pack v1.0.0#

Playbooks#

CVE-2021-44228 - Log4j RCE#

Critical RCE Vulnerability: log4j - CVE-2021-44228

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified as being exploited in the wild. Public proof of concept (PoC) code was released, and subsequent investigation revealed that exploitation was incredibly easy to perform.

On Dec. 14, 2021, another vulnerability related to the log4j 0-day exploit was discovered, known as CVE-2021-45046.

On Dec. 18, 2021, yet another vulnerability related to the log4j 0-day exploit was discovered, known as CVE-2021-45105, which allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Affected Version

Apache Log4j 2.x <= 2.15.0-rc1

This playbook should be triggered manually or can be configured as a job. Create a new incident and choose the CVE-2021-44228 - Log4j RCE playbook and Rapid Breach Response incident type.

The playbook includes the following tasks:

  • Collect related known indicators from several sources.
  • Hunting for indicators and exploitation patterns using PAN-OS, Cortex XDR, and SIEM products.
  • Search for possible vulnerable servers using Xpanse.
  • Block indicators automatically or manually.

Mitigations:

  • Apache official CVE-2021-44228 patch.
  • Unit42 recommended mitigations.
  • Detection Rules.
    • Snort
    • Suricata
    • Sigma
    • Yara

For more information, see: Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.


New: Content Installation Pack v1.0.0#

Scripts#

ContentPackInstaller#

Installs content packs from marketplace.


New: CreateHash Pack v1.0.0 (Community Contributed)#

Scripts#

CreateHash#

Creates a hash of a given input. Supports sha1, sha256, md5, and blake. Wrapper for https://docs.python.org/3/library/hashlib.html.


New: DeduplicateValuesbyKey Pack v1.0.0 (Community Contributed)#

Scripts#

DeduplicateValuesbyKey#

Given a list of objects and a key found in each of those objects, returns a unique list of values associated with that key. Returns an error if the objects provided do not contain the specified key.


New: IsArrayItemInList Pack v1.0.0 (Community Contributed)#

Scripts#

isArrayItemInList#

This automation compares array (list) data from the context with existing lists on the Cortex XSOAR server. This lets you avoid using a sub-playbook loop.


New: MS-ISAC Pack v1.0.0 (Community Contributed)#

Integrations#

MS-ISAC#

This integration queries alerts and alert data from the MS-ISAC API to enrich and query alerts from the platform.


New: PhishingAlerts Pack v1.0.0#

Incident Fields#

  • Email Queue ID
  • Email Source Domain

Incident Types#

Phishing Alerts

Layouts#

Phishing Alerts Incident (Available from Cortex XSOAR 6.0.0).

Playbooks#

Phishing Alerts - Check Severity#

This playbook calculates and assigns the incident severity based on the highest returned severity level from the following calculations:

  • Email security alert action
  • DBotScores of indicators
  • Critical assets
  • Email authenticity
  • Current incident severity
  • Microsoft headers

Phishing Alerts Investigation#

This playbook investigates and remediates potential phishing incidents produced by either an email security gateway or a SIEM product. It retrieves original email files from the email security gateway or email service provider and generates a response based on the initial severity, hunting results, and the existence of similar phishing incidents in Cortex XSOAR. No action is taken without an initial approval given by the analyst using the playbook inputs.


New: PicusAutomation Pack v1.0.0 (Partner Supported)#

Integrations#

Picus Security#

Runs commands on Picus and automates security validation with playbooks.

Playbooks#

PICUS - Attack Validation Automation#

Picus attack validation automation.


New: SOCRadar ThreatFeed Pack v1.0.0 (Partner Supported)#

Integrations#

SOCRadar Threat Feed#

Retrieves indicators provided by collections via SOCRadar Threat Intelligence Feeds.


New: Social Engineering Domain Analysis Pack v1.0.0 (Community Contributed)#

Incident Fields#

  • Social Engineering Domain Analysis Registered Domain - The registered organization domain.
  • Social Engineering Domain Analysis CSV - A CSV file that contains potentially suspicious domains. Note that they need to be in the URL format in order to be extracted.
  • Social Engineering Domain Analysis List - A CSV list of potentially malicious domains to investigate.
  • Social Engineering Domain Analysis Summary - An HTML table.

Incident Types#

Social Engineering Domain Investigation

Layouts#

Social Engineering Domain Investigation Layout (Available from Cortex XSOAR 6.0.0).

Playbooks#

Social Engineering Domain Enrichment#

Enriches a domain and compares it against your registered domain for potential social engineering against your organization.

Social Engineering Domain Investigation#

Enriches and investigates domains that may present a social engineering threat to your organization. Review before blocking potentially dangerous indicators.


AWS - ACM Pack v1.1.3#

Integrations#

AWS - ACM#

Updated the Docker image to: demisto/boto3py3:1.0.0.25131.


AWS - Lambda Pack v1.2.4#

Integrations#

AWS - Lambda#

Updated the Docker image to: demisto/boto3py3:1.0.0.25131.


AWS - Security Hub Pack v1.1.4#

Integrations#

AWS - Security Hub#

Updated the Docker image to: demisto/boto3py3:1.0.0.25131.


AWS Feed Pack v1.1.11#

Integrations#

AWS Feed#

Changed the feed to an incremental feed.


Active Directory Query Pack v1.3.9#

Integrations#

Active Directory Query v2#

Updated the Docker image to: demisto/ldap:1.0.0.25149.


Advanced Filter Pack v1.1.9 (Community Contributed)#

Scripts#

ExtFilter#
  • Fixed an issue where the script did not parse the DT syntax correctly.
  • Fixed the test script to cover additional test cases.

Agari Phishing Defense Pack v1.0.8 (Partner Supported)#

Classifiers#

New: Agari Phishing Defense - Phishing Alerts - Classifier#

Classifies Agari Phishing Defense alerts as the Phishing Alerts incident type. (Available from Cortex XSOAR 6.0.0).

Mappers#

Agari Phishing Defense - Mapper#

Added mapping for the Phishing Alerts incident type.


Altipeak Pack v1.0.2 (Partner Supported)#

Integrations#

Safewalk Management#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Safewalk Reports#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Amazon DynamoDB Pack v1.0.8#

Integrations#

Amazon DynamoDB#

Updated the Docker image to: demisto/boto3py3:1.0.0.25131.


Atlassian Jira Pack v1.4.4#

Integrations#

Atlassian Jira v2#

Added outputs to the jira-get-issue and jira-issue-query commands:

  • Ticket.Priority
  • Ticket.ProjectName
  • Ticket.DueDate
  • Ticket.Created
  • Ticket.LastSeen
  • Ticket.LastUpdate

Scripts#

JiraCreateIssue-example#

Updated the Docker image to: demisto/python:2.7.18.24398.


Azure Active Directory Identity and Access Pack v1.2.0#

Integrations#

Azure Active Directory Identity Protection (Beta)#

Fixed an issue where fetch functionality was flawed and no incidents were fetched.


Azure Feed Pack v1.0.11#

Integrations#

Azure Feed#

Updated the services parameter with additional services to fetch from.


Azure Security Center Pack v1.2.0#

Integrations#

Azure Security Center v2#

Added the SecureScore command.


Base Pack v1.17.4#

Scripts#

CommonServerPython#
  • Added the register_signal_handler_threads_dump function, which enables doing a thread dump with a signal.
  • Added a memory dump to the thread dump capability when receiving a signal.
  • Updated to use signal profiling dump only on non-Windows OS.
  • Fixed a typo in a log message.
  • Maintenance and stability enhancements.

ValidateContent#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/xsoar-tools:1.0.0.25075.

SanePdfReports#

Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.25047


CVE-2021-44228 - Log4j RCE Pack v1.0.6#

Playbooks#

CVE-2021-44228 - Log4j RCE#
  • Added Sigma and Yara rules.
  • Added more IoCs to the threat hunting tasks.
  • Replaced the xdr-run-script-execute-commands task with the Cortex XDR - Execute Commands playbook.
  • Fixed XDREndpointIDs inputs in the Cortex XDR - Execute Commands playbook.
  • Added an option to automatically execute commands using Cortex XDR on all Linux OS connected endpoints.
  • Added a link to Apache's official release site for both patched versions (2.15.0-rc2 & 2.16.0).
  • Added a manual task for hunting using Cortex XDR - XQL queries.
  • Fixed the Deploy detection rules task's description.
  • Added 3 threat IDs to Panorama hunting.
  • Added information in the playbook and pack descriptions about CVE-2021-45046.
  • Changed the BlockIndicatorsAutomatically playbook input to False.
  • Updated the playbook description.
  • Added XDR XQL queries.
  • Added information about another vulnerability related to the log4j 0-day exploit, discovered on Dec. 18, 2021, known as CVE-2021-45105.
  • Added a new threat ID.
  • Added the new patch for mitigation.
  • Updated the playbook to also search for potentially vulnerable servers using Xpanse.

Censys Pack v2.0.0#

Integrations#

New: Censys v2#

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the internet. Driven by internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices and certificates are configured and deployed. (Available from Cortex XSOAR 6.1.0).

Censys (Deprecated)#

Deprecated. Use Censys v2 instead.


Check Point Sandblast Cloud Services Pack v1.0.5#

Scripts#

SbDownload#

Updated the Docker image to: demisto/python:2.7.18.24398.

SbQuery#

Updated the Docker image to: demisto/python:2.7.18.24398.

SbQuota#

Updated the Docker image to: demisto/python:2.7.18.24398.

SbUpload#

Updated the Docker image to: demisto/python:2.7.18.24398.


Cisco Umbrella cloud security Pack v1.1.0 (Community Contributed)#

Integrations#

Cisco Umbrella Cloud Security#
  • Added the umbrella-get-destination-domains command to search for one or more domains in the list.
  • Updated the Docker image to: demisto/python3:3.9.8.24399.

Cofense Feed Pack v1.1.1 (Partner Supported)#

Integrations#

Cofense Feed#

Fixed an issue where the Cofense Feed Threat ID indicator field did not display hyperlinks.


Common Playbooks Pack v2.1.5#

Playbooks#

Threat Hunting - Generic#

Added inputs for Splunk and QRadar time frame search.

New: Get Email From Email Gateway - Generic#

Retrieves a specified EML/MSG file directly from the email security gateway product. (Available from Cortex XSOAR 6.0.0).

New: Email Headers Check - Generic#

Executes one sub-playbook and one automation to check the email headers:

  • Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score).
  • CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM. (Available from Cortex XSOAR 6.0.0).

New: Search And Delete Emails - Generic v2#

Searches for and deletes emails whose attributes are similar to those of a malicious email, using one of the following integrations:

  • EWS
  • Office 365
  • Gmail
  • Agari Phishing Defense

(Available from Cortex XSOAR 6.0.0).


Common Scripts Pack v1.6.11#

Parse Email Files#

Scripts#

FormattedDateToEpoch#
  • Added support for running FormattedDateToEpoch without the formatter argument.
  • Updated the Docker image to: demisto/python3:3.9.8.24399.

ParseEmailFiles#

Fixed an issue where the encoding of an attachment name was not handled properly.

PositiveDetectionsVSDetectionEngines#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.8.24399.

SearchIncidentsV2#

Fixed an issue where the type and name filters did not work properly.

AddDBotScoreToContext#

Updated the Docker image to: demisto/python3:3.9.8.24399.

AddKeyToList#

Updated the Docker image to: demisto/python3:3.9.8.24399.

AfterRelativeDate#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Base64Decode#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Base64EncodeV2#

Updated the Docker image to: demisto/python3:3.9.8.24399.

BetweenDates#

Updated the Docker image to: demisto/python3:3.9.8.24399.

BetweenHours#

Updated the Docker image to: demisto/python3:3.9.8.24399.

CalculateEntropy#

Updated the Docker image to: demisto/python3:3.9.8.24399.

ChangeContext#

Updated the Docker image to: demisto/python3:3.9.8.24399.

CheckContextValue#

Updated the Docker image to: demisto/python3:3.9.8.24399.

CheckFieldValue#

Updated the Docker image to: demisto/python3:3.9.8.24399.

CompareLists#

Updated the Docker image to: demisto/python3:3.9.8.24399.

ConvertAllExcept#

Updated the Docker image to: demisto/python3:3.9.8.24399.

ConvertDatetoUTC#

Updated the Docker image to: demisto/python3:3.9.8.24399.

ConvertToSingleElementArray#

Updated the Docker image to: demisto/python3:3.9.8.24399.

CopyNotesToIncident#

Updated the Docker image to: demisto/python3:3.9.8.24399.

CreateIndicatorsFromSTIX#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Cut#

Updated the Docker image to: demisto/python3:3.9.8.24399.

DateStringToISOFormat#

Updated the Docker image to: demisto/python3:3.9.8.24399.

DemistoVersion#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Common Types Pack v3.1.28#

Incident Fields#

  • Alert Source
  • Source Priority
  • Source Status
  • Title
  • Last Seen
  • Last Update Time
  • Alert Acknowledgement

Common Widgets Pack v1.2.4#

Scripts#

RSSWidget#
  • Fixed an issue where the RSS feed entries were in ascending order (they are now in descending order).
  • Updated the Docker image to: demisto/feed-parser:1.0.0.25187.

Widgets#

Unit 42 Blog Feed#

Documentation and metadata improvements.


Cortex Data Lake Pack v1.3.5#

Integrations#

Cortex Data Lake#

Improved the integration configuration instructions.


Cortex Xpanse Pack v1.10.0#

Integrations#

Cortex Xpanse#

Breaking Changes: The following commands are no longer supported in the Xpanse API, and have been deprecated.

  • expanse-get-risky-flows
  • expanse-list-risk-rules

Playbooks#

Handle Expanse Incident - Attribution Only#

Breaking Changes: Removed Behavior References.

Handle Expanse Incident#

Breaking Changes: Removed Behavior References.


Crowdstrike Falcon Intel Feed Pack v2.0.9#

Integrations#

CrowdStrike Indicator Feed#

Added relationships between indicators.


Cuckoo Sandbox Pack v1.1.0#

Integrations#

Cuckoo Sandbox#

Added support for API key authentication.

Scripts#

CuckooDetonateFile#

Updated the Docker image to: demisto/python:2.7.18.24398.

CuckooDetonateURL#

Updated the Docker image to: demisto/python:2.7.18.24398.

CuckooDisplayReport#

Updated the Docker image to: demisto/python:2.7.18.24398.

CuckooGetReport#

Updated the Docker image to: demisto/python:2.7.18.24398.

CuckooGetScreenshot#

Updated the Docker image to: demisto/python:2.7.18.24398.

CuckooTaskStatus#

Updated the Docker image to: demisto/python:2.7.18.24398.


Cybereason Pack v1.0.17#

Scripts#

CybereasonPreProcessingExample#

Updated the Docker image to: demisto/python:2.7.18.24398.


Cybersixgill-DVE Pack v1.0.2 (Partner Supported)#

Integrations#

Cybersixgill DVE Enrichment#
  • Updated the integration image.

Cybersixgill DVE Feed Threat Intelligence v2#
  • Updated the integration image.

Cymulate Pack v2.0.9 (Partner Supported)#

Integrations#

Cymulate v2#

Added the API Token integration parameter to support fetching credentials from a credentials object.


D2 Pack v1.0.5#

Scripts#

D2Remove#

Updated the Docker image to: demisto/python:2.7.18.24398.

RegPathReputationBasicLists#

Updated the Docker image to: demisto/python:2.7.18.24398.

Autoruns#

Updated the Docker image to: demisto/python:2.7.18.24398.

O365SearchEmails#

Updated the Docker image to: demisto/python:2.7.18.24398.

RegCollectValues#

Updated the Docker image to: demisto/python:2.7.18.24398.

RegProbeBasic#

Updated the Docker image to: demisto/python:2.7.18.24398.


Developer Tools Pack v1.2.10#

Scripts#

FetchFromInstance#

Updated the Docker image to: demisto/python:2.7.18.24398.


EWS Pack v1.10.6#

Playbooks#

Get Original Email - EWS v2#

Updated the playbook fromversion from 6.1.0 to 6.0.0.

Scripts#

BuildEWSQuery#

Updated the Docker image to: demisto/python:2.7.18.24398.


Elasticsearch Pack v1.2.1#

Integrations#

Elasticsearch v2#

Updated the Docker image to: demisto/elasticsearch:1.0.0.25270.


Elasticsearch Feed Pack v1.0.12#

Integrations#

Elasticsearch Feed#

Updated the Docker image to: demisto/elasticsearch:1.0.0.25270.


Email Communication Pack v1.4.4#

Scripts#

PreprocessEmail#

Fixed an issue where inline images weren't displaying in some cases.

DisplayEmailHtml#
  • Fixed an issue where inline images weren't displaying in some cases.
  • Updated the Docker image to: demisto/python3:3.9.8.24399.

F5 Silverline Pack v1.0.6#

Integrations#

F5 Silverline#

The cidr_range argument for the f5-silverline-ip-object-add command now supports a list of ranges.


FalconHost Pack v1.1.6#

Scripts#

CrowdStrikeUrlParse#

Updated the Docker image to: demisto/python:2.7.18.24398.


FireEye (AX Series) Pack v1.0.7#

Scripts#

FireEyeDetonateFile#

Updated the Docker image to: demisto/python:2.7.18.24398.


FireEye Common Fields Pack v1.0.1#

Incident Fields#

Mappers#

FireEye EX - Incoming Mapper#

Added mapping for the Phishing Alerts incident type.


FireEye Email Security (EX) Pack v2.0.4#

Classifiers#

New: FireEye Email Security - Phishing Alerts - Classifier#

Classifies FireEye Email Security alerts as the Phishing Alerts incident type. (Available from Cortex XSOAR 6.0.0).

Playbooks#

New: Get Email From Email Gateway - FireEye#

Retrieves a specified EML/MSG file directly from FireEye Email Security or Central Management. (Available from Cortex XSOAR 6.0.0).


FireMon Security Manager Pack v1.0.2 (Partner Supported)#

Incident Types#

  • FireMon Policy Planner
  • FireMon Pre Change Assessment

Forcepoint Pack v1.0.3#

Scripts#

FPDeleteRule#

Updated the Docker image to: demisto/python:2.7.18.24398.

FPSetRule#

Updated the Docker image to: demisto/python:2.7.18.24398.


G Suite Admin Pack v1.1.2#

Integrations#

G Suite Admin#

Updated the Docker image to: demisto/googleapi-python3:1.0.0.25341.


G Suite Security Alert Center Pack v1.1.1#

Integrations#

G Suite Security Alert Center#

Updated the Docker image to: demisto/googleapi-python3:1.0.0.25341.


GRR Pack v1.0.4#

Scripts#

GrrGetFiles#

Updated the Docker image to: demisto/python:2.7.18.24398.

GrrGetFlows#

Updated the Docker image to: demisto/python:2.7.18.24398.

GrrGetHunt#

Updated the Docker image to: demisto/python:2.7.18.24398.

GrrGetHunts#

Updated the Docker image to: demisto/python:2.7.18.24398.

GrrSetFlows#

Updated the Docker image to: demisto/python:2.7.18.24398.

GrrSetHunts#

Updated the Docker image to: demisto/python:2.7.18.24398.


Generic Webhook Pack v1.0.3#

Integrations#

Generic Webhook#

Updated the Docker image to: demisto/fastapi:1.0.0.25202.


Gmail Pack v1.1.11#

Playbooks#

Get Original Email - Gmail v2#

Updated the playbook fromversion from 6.1.0 to 6.0.0.

New: Search And Delete Emails - Gmail#

Searches Gmail to identify and delete emails with similar attributes to the malicious email. (Available from Cortex XSOAR 6.0.0).


Gmail Single User (Beta) Pack v1.1.4#

Integrations#

Gmail Single User (Beta)#

Updated the Docker image to: demisto/google-api-py3:1.0.0.25342.


Google Calendar Pack v1.1.1#

Integrations#

Google Calendar#

Updated the Docker image to: demisto/googleapi-python3:1.0.0.25341.


Google Cloud Functions Pack v1.0.4#

Integrations#

Google Cloud Functions#

Updated the Docker image to: demisto/google-api-py3:1.0.0.25342.


Google Cloud Pub / Sub Pack v1.0.4#

Integrations#

Google Cloud Pub/Sub#

Updated the Docker image to: demisto/googleapi-python3:1.0.0.25341.


Google Docs Pack v1.0.3#

Integrations#

Google Docs#

Updated the Docker image to: demisto/googleapi-python3:1.0.0.25341.


Google Drive Pack v1.2.1#

Integrations#

Google Drive#

Updated the Docker image to: demisto/googleapi-python3:1.0.0.25341.


Google Vision AI Pack v1.0.3#

Integrations#

Google Vision AI#

Updated the Docker image to: demisto/google-vision-api:1.0.0.25362.


GreyNoise Pack v1.1.1 (Partner Supported)#

Integrations#

GreyNoise#

Fixed a bug to allow backward compatibility.

GreyNoise Community#

Fixed a bug to allow backward compatibility.


GsuiteAuditor Pack v1.0.2#

Integrations#

G Suite Auditor#

Updated the Docker image to: demisto/googleapi-python3:1.0.0.25341.


HashiCorp Vault Pack v1.0.6#

Integrations#

HashiCorp Vault#

Added the folder argument to the hashicorp-configure-engine command to set a specific folder to fetch secrets from.


Hatching Triage Pack v1.0.3 (Partner Supported)#

Integrations#

Hatching Triage#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Hello World IAM Pack v1.1.4#

Integrations#

Hello World IAM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


HelloWorld Pack v1.2.10 (Community Contributed)#

Integrations#

HelloWorld Feed#

Updated the Docker image to: demisto/python3:3.9.8.24399.

HelloWorld#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Humio Pack v1.0.9 (Partner Supported)#

Integrations#

Humio#

Updated the Docker image to: demisto/python3:3.9.8.24399.


IBM QRadar Pack v2.1.22#

Integrations#

IBM QRadar v3#
  • Added the ability to do a thread dump with a USR1 signal.
  • Added the ability to do a memory dump when requesting a thread dump with the USR1 signal.
  • Updated to use signal profiling dump only on non-Windows OS.
  • Maintenance and stability enhancements.

Scripts#

New: QRadarCreateAQLQuery#

Builds a QRadar AQL query. (Available from Cortex XSOAR 6.0.0).


IP-API Pack v1.0.1 (Community Contributed)#

Integrations#

IP-API#

Updated the Docker image to: demisto/python3:3.9.8.24399.


IPQualityScore (IPQS) Threat Risk Scoring Pack v1.0.5 (Partner Supported)#

Integrations#

IPQualityScore#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Illusive Networks Pack v1.0.11 (Partner Supported)#

Integrations#

IllusiveNetworks#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Imperva Incapsula Pack v1.0.4#

Scripts#

IncapGetAppInfo#

Updated the Docker image to: demisto/python:2.7.18.24398.

IncapGetDomainApproverEmail#

Updated the Docker image to: demisto/python:2.7.18.24398.

IncapListSites#

Updated the Docker image to: demisto/python:2.7.18.24398.

IncapScheduleTask#

Updated the Docker image to: demisto/python:2.7.18.24398.

IncapWhitelistCompliance#

Updated the Docker image to: demisto/python:2.7.18.24398.


Imperva Skyfence Pack v1.0.3#

Scripts#

ImpSfListEndpoints#

Updated the Docker image to: demisto/python:2.7.18.24398.

ImpSfRevokeUnaccessedDevices#

Updated the Docker image to: demisto/python:2.7.18.24398.

ImpSfScheduleTask#

Updated the Docker image to: demisto/python:2.7.18.24398.

ImpSfSetEndpointStatus#

Updated the Docker image to: demisto/python:2.7.18.24398.


Indeni Pack v1.0.11 (Partner Supported)#

Integrations#

Indeni#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Infoblox Pack v1.0.8#

Integrations#

Infoblox#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Intezer Pack v1.2.5 (Partner Supported)#

Scripts#

IntezerScanHost#

Updated the Docker image to: demisto/python:2.7.18.24398.


IronNet Pack v1.1.9 (Partner Supported)#

Integrations#

IronDefense#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Ironscales Pack v1.1.1 (Partner Supported)#

Integrations#

Ironscales#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Ivanti Heat Pack v1.0.4#

Integrations#

Ivanti Heat#

Updated the Docker image to: demisto/python3:3.9.8.24399.


JSON Sample Incident Generator Pack v1.0.2 (Community Contributed)#

Integrations#

JSON Sample Incident Generator#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Ja3er Pack v1.0.2 (Community Contributed)#

Integrations#

Ja3er#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Jamf Pack v2.0.3#

Integrations#

JAMF v2#

Updated the Docker image to: demisto/btfl-soup:1.0.1.25192.


Kafka Pack v2.0.0#

Integrations#

New: Kafka v3#

Open source distributed streaming platform. (Available from Cortex XSOAR version 6.1.0).

Kafka v2 (Deprecated)#

Deprecated. Use the Kafka v3 integration instead.


LINENotify Pack v1.0.2 (Community Contributed)#

Integrations#

LINENotify#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Lastline Pack v1.0.9#

Integrations#

Lastline v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Linkshadow Pack v1.0.4 (Partner Supported)#

Integrations#

Linkshadow#

Updated the Docker image to: demisto/python3:3.9.8.24399.


LogPoint SIEM Integration Pack v1.2.3 (Partner Supported)#

Integrations#

LogPoint SIEM Integration#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Logsign SIEM Pack v1.0.2 (Partner Supported)#

Integrations#

LogsignSiem#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Logz.io Pack v1.1.8 (Partner Supported)#

Integrations#

Logz.io#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Looker Pack v1.0.5#

Integrations#

Looker#

Updated the Docker image to: demisto/python3:3.9.8.24399.


MISP Feed Pack v1.0.3#

Integrations#

MISP Feed#
  • Added the Timeout parameter, which sets the timeout for HTTP requests to the MISP API.
  • Updated so that tags provided by the user will be added to retrieved indicators.

Mail Listener Pack v1.0.8#

Integrations#

Mail Listener v2#
  • Fixed an issue where the fetch-incidents command with filters would not return emails from some of the mail services.
  • Fixed an issue where the integration failed to parse raw unicode escape characters.
  • Updated the Docker image to: demisto/imap:1.0.0.25133.

Manage Engine Service Desk Plus (On-Premise) Pack v1.0.5#

Integrations#

Service Desk Plus (On-Premise) (Deprecated)#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Mantis Pack v1.0.2 (Community Contributed)#

Integrations#

Mantis#

Updated the Docker image to: demisto/python3:3.9.8.24399.


MapPattern Pack v1.0.5 (Community Contributed)#

Scripts#

MapPattern#
  • Added the wildcards argument for matching any values.
  • Added dt to the supported algorithms.
  • Added a feature to support DT translation for structured data.
  • Added a feature to replace a template string for structured data in regex matching.
  • Added a feature to ignore syntax errors in the pattern.
  • Fixed an issue with parsing DT syntax.
  • Improved the DT syntax for referring to the target value.
  • Improved performance.

McAfee Advanced Threat Defense Pack v1.0.14#

Scripts#

ATDDetonate#

Updated the Docker image to: demisto/python:2.7.18.24398.


McAfee DAM Pack v1.0.3#

Scripts#

DamSensorDown#

Updated the Docker image to: demisto/python:2.7.18.24398.


McAfee ePO Pack v1.0.4#

Scripts#

EPOFindSystem#

Updated the Docker image to: demisto/python:2.7.18.24398.


MicroFocus SMAX Pack v1.0.1 (Community Contributed)#

Integrations#

MicroFocus SMAX#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Microsoft 365 Defender Pack v2.0.3#

Integrations#

Microsoft 365 Defender (Beta)#

Fixed an issue where the microsoft-365-defender-incidents-list command failed due to empty incident fields.


Microsoft Azure AD Connect Health Feed Pack v1.0.4#

Integrations#

Azure AD Connect Health Feed#

Updated the Docker image to: demisto/btfl-soup:1.0.1.25192.


Microsoft Graph Groups Pack v1.0.12#

Integrations#

Azure Active Directory Groups#

Fixed an issue where the msgraph-groups-list-members command did not handle more than 100 members in a single group properly.


Microsoft Graph Mail Pack v1.1.7#

Integrations#

O365 Outlook Mail (Using Graph API)#
  • Fixed an issue in the msgraph-mail-list-attachments command where attachments without a name were mishandled.
  • Fixed an issue where inline images were not inserted into the attachments list, and therefore were not being parsed as part of the incident.
  • Added national cloud support.

Playbooks#

Get Original Email - Microsoft Graph Mail#

Updated the playbook fromversion from 6.1.0 to 6.0.0.


Microsoft Graph Mail Single User Pack v1.0.21#

Integrations#

O365 Outlook Mail Single User (Using Graph API)#

Fixed an issue where inline images were not inserted into the attachments list, and therefore were not being parsed as part of the incident.


Microsoft Intune Feed Pack v1.0.4#

Integrations#

Microsoft Intune Feed#

Updated the Docker image to: demisto/btfl-soup:1.0.1.25192.


Mimecast Pack v1.1.9#

Playbooks#

New: Get Email From Email Gateway - Mimecast#

Retrieves a specified EML/MSG file directly from Mimecast. (Available from Cortex XSOAR 6.0.0).

Scripts#

MimecastFindEmail#

Updated the Docker image to: demisto/python:2.7.18.24398.

MimecastQuery#

Updated the Docker image to: demisto/python:2.7.18.24398.


MobileIron-UEM Pack v1.0.6 (Partner Supported)#

Integrations#

MobileIronCLOUD#

Updated the Docker image to: demisto/python3:3.9.8.24399.

MobileIronCORE#

Updated the Docker image to: demisto/python3:3.9.8.24399.


NTT Cyber Threat Sensor Pack v1.0.4 (Community Contributed)#

Integrations#

NTT Cyber Threat Sensor#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Nexthink Pack v1.0.2 (Community Contributed)#

Integrations#

Nexthink#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Nist NVD Pack v1.0.2 (Community Contributed)#

Integrations#

Nist NVD#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Nozomi Networks Pack v1.0.5 (Partner Supported)#

Integrations#

Nozomi Networks#

Updated the Docker image to: demisto/python3:3.9.8.24399.


NucleonCyber Pack v1.0.2 (Partner Supported)#

Integrations#

NucleonCyberFeed#

Updated the Docker image to: demisto/python3:3.9.8.24399.


OS Query Pack v1.0.4#

Scripts#

OSQueryBasicQuery#

Updated the Docker image to: demisto/python:2.7.18.24398.

OSQueryLoggedInUsers#

Updated the Docker image to: demisto/python:2.7.18.24398.

OSQueryOpenSockets#

Updated the Docker image to: demisto/python:2.7.18.24398.

OSQueryProcesses#

Updated the Docker image to: demisto/python:2.7.18.24398.

OSQueryUsers#

Updated the Docker image to: demisto/python:2.7.18.24398.


Okta Pack v2.2.9#

Integrations#

Okta v2#

Fixed an issue in the okta-get-logs command where logs without chain IPs were mishandled.


OpenLDAP Pack v1.0.5#

Integrations#

OpenLDAP#

Updated the Docker image to: demisto/ldap:1.0.0.25149.


OpenPhish Pack v2.0.8#

Integrations#

OpenPhish v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


OpsGenie Pack v2.0.0#

Classifiers#

New: OpsGenie - Classifier#

(Available from Cortex XSOAR 6.2.0).

Incident Fields#

  • OpsGenie Alias
  • OpsGenie Count Linked Alerts
  • OpsGenie Responder
  • OpsGenie TinyId

OpsGenieV3#

Breaking changes: The following are breaking changes from the previous version of this integration.

Commands#

Removed the following commands in this version:

  • opsgenie-list-alerts - replaced by opsgenie-get-alerts.
  • opsgenie-get-alert - replaced by opsgenie-get-alerts.
  • opsgenie-get-schedule - replaced by opsgenie-get-schedules.
  • opsgenie-list-schedules - replaced by opsgenie-get-schedules.

Arguments#

  • In the opsgenie-get-on-call command, the schedule-id argument was replaced by the following arguments:
    • schedule_id
    • schedule_name
  • In the opsgenie-create-alert command, the default value of the priority argument was changed to 'P3'.

Outputs#

  • In the opsgenie-create-alert command the following outputs were replaced:

    • OpsGenieV2.CreatedAlert.action - replaced by OpsGenie.Alert.action.
    • OpsGenieV2.CreatedAlert.alertId - replaced by OpsGenie.Alert.alertId.
    • OpsGenieV2.CreatedAlert.alias - replaced by OpsGenie.Alert.alias.
    • OpsGenieV2.CreatedAlert.integrationId - replaced by OpsGenie.Alert.integrationId.
    • OpsGenieV2.CreatedAlert.isSuccess - replaced by OpsGenie.Alert.isSuccess.
    • OpsGenieV2.CreatedAlert.processedAt - replaced by OpsGenie.Alert.processedAt.
    • OpsGenieV2.CreatedAlert.requestId - replaced by OpsGenie.Alert.requestId.
    • OpsGenieV2.CreatedAlert.status - replaced by OpsGenie.Alert.status.
    • OpsGenieV2.CreatedAlert.success - replaced by OpsGenie.Alert.success.
  • In the opsgenie-delete-alert command the following outputs were replaced:

    • OpsGenieV2.DeletedAlert.action - replaced by OpsGenie.DeletedAlert.action.
    • OpsGenieV2.DeletedAlert.alertId - replaced by OpsGenie.DeletedAlert.alertId.
    • OpsGenieV2.DeletedAlert.alias - replaced by OpsGenie.DeletedAlert.alias.
    • OpsGenieV2.DeletedAlert.integrationId - replaced by OpsGenie.DeletedAlert.integrationId.
    • OpsGenieV2.DeletedAlert.isSuccess - replaced by OpsGenie.DeletedAlert.isSuccess.
    • OpsGenieV2.DeletedAlert.processedAt - replaced by OpsGenie.DeletedAlert.processedAt.
    • OpsGenieV2.DeletedAlert.requestId - replaced by OpsGenie.DeletedAlert.requestId.
    • OpsGenieV2.DeletedAlert.status - replaced by OpsGenie.DeletedAlert.status.
    • OpsGenieV2.DeletedAlert.success - replaced by OpsGenie.DeletedAlert.success.
  • In the opsgenie-ack-alert command the following outputs were replaced:

    • OpsGenieV2.AckedAlert.action - replaced by OpsGenie.AckedAlert.action.
    • OpsGenieV2.AckedAlert.alertId - replaced by OpsGenie.AckedAlert.alertId.
    • OpsGenieV2.AckedAlert.alias - replaced by OpsGenie.AckedAlert.alias.
    • OpsGenieV2.AckedAlert.integrationId - replaced by OpsGenie.AckedAlert.integrationId.
    • OpsGenieV2.AckedAlert.isSuccess - replaced by OpsGenie.AckedAlert.isSuccess.
    • OpsGenieV2.AckedAlert.processedAt - replaced by OpsGenie.AckedAlert.processedAt.
    • OpsGenieV2.AckedAlert.requestId - replaced by OpsGenie.AckedAlert.requestId.
    • OpsGenieV2.AckedAlert.status - replaced by OpsGenie.AckedAlert.status.
    • OpsGenieV2.AckedAlert.success - replaced by OpsGenie.AckedAlert.success.
  • In the opsgenie-get-on-call command the following outputs were replaced:

    • OpsGenieV2.OnCall._parent.enabled - replaced by OpsGenie.Schedule.OnCall._parent.enabled.
    • OpsGenieV2.OnCall._parent.id - replaced by OpsGenie.Schedule.OnCall._parent.id.
    • OpsGenieV2.OnCall._parent.name - replaced by OpsGenie.Schedule.OnCall._parent.name.
    • OpsGenieV2.OnCall.onCallParticipants.id - replaced by OpsGenie.Schedule.OnCall.onCallParticipants.id.
    • OpsGenieV2.OnCall.onCallParticipants.name - replaced by OpsGenie.Schedule.OnCall.onCallParticipants.name.
    • OpsGenieV2.OnCall.onCallParticipants.type - replaced by OpsGenie.Schedule.OnCall.onCallParticipants.type.
  • In the opsgenie-close-alert command the following outputs were replaced:

    • OpsGenieV2.CloseAlert.action - replaced by OpsGenie.ClosedAlert.action.
    • OpsGenieV2.CloseAlert.alertId - replaced by OpsGenie.ClosedAlert.alertId.
    • OpsGenieV2.CloseAlert.alias - replaced by OpsGenie.ClosedAlert.alias.
    • OpsGenieV2.CloseAlert.integrationId - replaced by OpsGenie.ClosedAlert.integrationId.
    • OpsGenieV2.CloseAlert.isSuccess - replaced by OpsGenie.ClosedAlert.isSuccess.
    • OpsGenieV2.CloseAlert.processedAt - replaced by OpsGenie.ClosedAlert.processedAt.
    • OpsGenieV2.CloseAlert.requestId - replaced by OpsGenie.ClosedAlert.requestId.
    • OpsGenieV2.CloseAlert.status - replaced by OpsGenie.ClosedAlert.status.
    • OpsGenieV2.CloseAlert.success - replaced by OpsGenie.ClosedAlert.success.
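
The renames above are exactly the kind of change that silently breaks playbooks and automations that still reference the old command names or `OpsGenieV2.*` context paths. The following scanner is an added example, not code from the OpsGenie pack or from Cortex XSOAR: it embeds the rename table from these release notes, reports every old reference in a playbook file with its line number, rewrites the ones that have a one-to-one replacement, and leaves the `schedule-id` argument for a human because it split into two arguments (`schedule_id` and `schedule_name`). The playbook YAML fragment is constructed for illustration.

```python
import re
from typing import List, Tuple

# Renames taken from the OpsGenie Pack v2.0.0 release notes.
COMMAND_RENAMES = {
    "opsgenie-list-alerts": "opsgenie-get-alerts",
    "opsgenie-get-alert": "opsgenie-get-alerts",
    "opsgenie-get-schedule": "opsgenie-get-schedules",
    "opsgenie-list-schedules": "opsgenie-get-schedules",
}

# Old context prefix -> new context prefix; the field names after the prefix are unchanged.
CONTEXT_RENAMES = {
    "OpsGenieV2.CreatedAlert": "OpsGenie.Alert",
    "OpsGenieV2.DeletedAlert": "OpsGenie.DeletedAlert",
    "OpsGenieV2.AckedAlert": "OpsGenie.AckedAlert",
    "OpsGenieV2.OnCall": "OpsGenie.Schedule.OnCall",
    "OpsGenieV2.CloseAlert": "OpsGenie.ClosedAlert",
}

# \b stops 'opsgenie-get-alert' from matching the new 'opsgenie-get-alerts'.
_COMMAND_RE = re.compile(r"\b(" + "|".join(map(re.escape, COMMAND_RENAMES)) + r")\b")
_CONTEXT_RE = re.compile(r"\b(" + "|".join(map(re.escape, CONTEXT_RENAMES)) + r")\b")
# schedule-id became schedule_id OR schedule_name, so it is reported, never rewritten.
_SCHEDULE_ID_RE = re.compile(r"\bschedule-id\b")

Finding = Tuple[int, str, str]  # (line number, old reference, replacement)


def find_deprecated(text: str) -> List[Finding]:
    """Return every deprecated OpsGenie command, context path, or argument in text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _COMMAND_RE.finditer(line):
            findings.append((lineno, m.group(1), COMMAND_RENAMES[m.group(1)]))
        for m in _CONTEXT_RE.finditer(line):
            findings.append((lineno, m.group(1), CONTEXT_RENAMES[m.group(1)]))
        if _SCHEDULE_ID_RE.search(line):
            findings.append((lineno, "schedule-id", "schedule_id or schedule_name (manual)"))
    return findings


def migrate(text: str) -> str:
    """Rewrite the one-to-one renames; schedule-id is intentionally left untouched."""
    text = _COMMAND_RE.sub(lambda m: COMMAND_RENAMES[m.group(1)], text)
    return _CONTEXT_RE.sub(lambda m: CONTEXT_RENAMES[m.group(1)], text)


# Constructed playbook fragment in the XSOAR YAML shape ('|||' marks a command task).
SAMPLE_PLAYBOOK = """\
tasks:
  "3":
    task:
      script: '|||opsgenie-list-alerts'
    scriptarguments:
      limit: "50"
  "4":
    task:
      script: '|||opsgenie-get-on-call'
    scriptarguments:
      schedule-id:
        simple: ${OpsGenieV2.OnCall._parent.id}
  "5":
    task:
      script: '|||opsgenie-create-alert'
    scriptarguments:
      message:
        simple: ${OpsGenieV2.CreatedAlert.alias} escalated
"""

if __name__ == "__main__":
    for lineno, old, new in find_deprecated(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: {old} -> {new}")
```

Run it over exported playbook and automation YAML before upgrading the pack; anything reported as "(manual)" needs a decision about whether the task identified schedules by ID or by name. The default priority change in opsgenie-create-alert cannot be found by scanning, since a task that relied on the old default contains no text to match.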

Incident Types#

  • OpsGenie Incident
  • OpsGenie Alert

Integrations#

OpsGenie (Deprecated)#

Deprecated. Use the OpsGenie v3 integration instead.

New: OpsGenie v3#

Integration with Atlassian OpsGenie (Available from Cortex XSOAR 6.2.0).

Mappers#

New: OpsGenie - Mapper#

(Available from Cortex XSOAR 6.2.0).


Opsgenie v2 Pack v1.0.4 (Community Contributed)#

Integrations#

Opsgenie v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Oracle IAM Pack v1.0.2#

Integrations#

Oracle IAM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


PAN-OS Pack v1.7.7#

Integrations#

Palo Alto Networks PAN-OS#
  • Added the API Key integration parameter, which supports fetching the key from a credentials object.
  • Maintenance and stability enhancements.

PAN-OS Policy Optimizer Pack v1.0.2#

Integrations#

PAN-OS Policy Optimizer#

Updated the Docker image to: demisto/python3:3.9.8.24399.


PICUS Pack v1.0.2 (Community Contributed)#

Integrations#

PICUS#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v4.2.11#

Integrations#

Cortex XDR - XQL Query Engine#
  • Added an option to filter queries using a time range format.
  • Removed the "notes" validation check.
Palo Alto Networks Cortex XDR - Investigation and Response#

Breaking Change: Changed the names of the incidents created by the fetch-incidents command, because the previous names failed to parse correctly in the Incidents tab.


Palo Alto Networks IoT 3rd Party Integrations Pack v1.1.2#

Integrations#

Palo Alto Networks IoT 3rd Party#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Palo Alto Networks Traps (Deprecated) Pack v1.0.7#

Integrations#

Palo Alto Networks Traps (Deprecated)#

Deprecated. Use the CortexXDR integrations instead.


Palo Alto Networks WildFire Pack v2.0.3#

Integrations#

Palo Alto Networks WildFire v2#
  • Added the url argument to the wildfire-get-verdict command.
  • The API Key integration parameter now supports fetching the key from a credentials object.

PassiveTotal Pack v2.1.1 (Partner Supported)#

Integrations#

PassiveTotal v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Perception Point Pack v1.0.2 (Partner Supported)#

Integrations#

PerceptionPoint#

Updated the Docker image to: demisto/python3:3.9.8.24399.


PhishLabs Pack v1.1.4#

Integrations#

PhishLabs IOC DRP#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Phishing Pack v2.5.3#

Incident Fields#

  • Email Internal Message ID
  • Phishing BCL Score
  • Phishing PCL Score
  • Phishing SCL Score
  • Email Body
  • Email BCC
  • Email HTML
  • Email Size
  • Email Return Path
  • Attachment size
  • Email Source
  • Email Authenticity Check
  • Email URL Clicked
  • Email Classification
  • Email From
  • Attachment type
  • Attachment Extension
  • Email Message ID
  • Email In Reply To
  • Email Sender IP
  • Attachment Count
  • Email Body HTML
  • Email To
  • Email Body Format
  • Email CC
  • Attachment Name
  • Attachment Hash
  • Email Headers
  • Email HTML Image
  • Email Subject
  • Email Reply To
  • Attachment ID
  • Email Client Name

Incident Types#

Playbooks#

Get Original Email - Generic v2#

Added Get Email From Email Gateway - Generic playbook to retrieve EML files from email security gateways.

Process Email - Generic v2#
  • Added tasks to handle multiple files if retrieved by Get Original Email - Generic v2 playbook.
  • Fixed the playbook flow for showing email headers in the phishing layout.

Scripts#

CheckEmailAuthenticity#

Updated the Docker image to: demisto/python:2.7.18.24398.


Phishing Campaign Pack v3.2.0#

Layouts#

Phishing Campaign

  • Replaced the Summary section with new sections that update dynamically as incidents progress. This change improves readability and removes inaccurate information that was previously displayed.
  • Added a section that shows the current owners of all related phishing incidents.
  • The Mutual Campaign Indicators section now updates automatically when new indicators are discovered in the related phishing incidents.
  • Reverted the latest update due to an issue.

Playbooks#

Detect & Manage Phishing Campaigns#
  • Fixed a race-condition issue that caused the creation of multiple phishing campaigns instead of just one. To use this fix, install and enable the Demisto Lock integration.
  • The playbook now uses SetPhishingCampaignDetails instead of SetByIncidentId to prevent possible abuse of a privileged script.
  • Improved playbook readability.
  • Reverted the latest update due to an issue.

Scripts#

New: SetPhishingCampaignDetails#

Copies the EmailCampaign context from the current incident to another existing incident. This script runs with elevated permissions. Cortex XSOAR recommends using the built-in RBAC functionality to limit access to only those users who require this script. (Available from Cortex XSOAR 6.0.0).

GetCampaignIndicatorsByIncidentId#

Fixed issues that prevented the campaign indicators from updating and displaying properly in the Phishing Campaign incident layout.

SetPhishingCampaignDetails#

Fixed an issue where a campaign was not updated because the script ran with insufficient permissions.


PiHole Pack v1.0.2 (Community Contributed)#

Integrations#

PiHole#

Updated the Docker image to: demisto/python3:3.9.8.24399.


PingCastle Pack v1.0.2 (Partner Supported)#

Integrations#

PingCastle#

Updated the Docker image to: demisto/python3:3.9.8.24399.


PingIdentity Pack v1.0.1 (Partner Supported)#

Integrations#

PingOne#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Pipl Pack v1.0.3#

Scripts#

CheckSender#

Updated the Docker image to: demisto/python:2.7.18.24398.


Polygon Pack v1.0.7 (Partner Supported)#

Integrations#

Group-IB THF Polygon#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Prisma Access Pack v1.0.9#

Integrations#

Prisma Access Egress IP feed#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Prisma Cloud Pack v2.0.4#

Integrations#

PrismaCloud IAM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Prisma Cloud Compute Pack v1.1.0#

Integrations#

Palo Alto Networks - Prisma Cloud Compute#
  • Added 8 commands:
    • prisma-cloud-compute-profile-host-list
    • prisma-cloud-compute-profile-container-list
    • prisma-cloud-compute-profile-container-hosts-list
    • prisma-cloud-compute-profile-container-forensic-list
    • prisma-cloud-compute-host-forensic-list
    • prisma-cloud-compute-console-version-info
    • prisma-cloud-compute-custom-feeds-ip-list
    • prisma-cloud-compute-custom-feeds-ip-add
  • Updated the Docker image to: demisto/python3:3.9.8.24399.

Proofpoint Protection Server Pack v2.0.8#

Integrations#

Proofpoint Protection Server v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Playbooks#

New: Get Email From Email Gateway - Proofpoint Protection Server#

Retrieves a specified EML/MSG file directly from the Proofpoint Protection Server. (Available from Cortex XSOAR 6.0.0).


Proofpoint TAP Pack v1.1.8#

Integrations#

Proofpoint TAP v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Mappers#

Proofpoint TAP Mapper#

Added mapping to the PhishingAlerts incident type.


Proofpoint Threat Response (Beta) Pack v1.0.10#

Integrations#

Proofpoint Threat Response (Beta)#

Updated the Docker image to: demisto/python3:3.9.8.24399.


ProtectWise Pack v1.0.3#

Scripts#

PWEventPcapDownload#

Updated the Docker image to: demisto/python:2.7.18.24398.

PWObservationPcapDownload#

Updated the Docker image to: demisto/python:2.7.18.24398.


Pulsedive Pack v1.0.4 (Community Contributed)#

Integrations#

Pulsedive#

Updated the Docker image to: demisto/python3:3.9.8.24399.


QR Code Reader Pack v1.0.2 (Community Contributed)#

Integrations#

QR Code Reader - goqr.me#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Qintel Pack v1.0.1 (Partner Supported)#

Integrations#

Qintel PMI#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Qintel QSentry#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Qintel QWatch#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Qualys Pack v1.0.14#

Scripts#

QualysCreateIncidentFromReport#

Updated the Docker image to: demisto/python:2.7.18.24398.


QualysFIM Pack v1.0.5#

Integrations#

Qualys FIM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Quantum Security Systems Pack v1.0.4 (Partner Supported)#

Integrations#

QSS#

Updated the Docker image to: demisto/python3:3.9.8.24399.


QueryAI Pack v1.0.8 (Partner Supported)#

Integrations#

Query.AI#

Updated the Docker image to: demisto/python3:3.9.8.24399.


RSA NetWitness Packets and Logs Pack v1.0.3#

Scripts#

NetwitnessQuery#

Updated the Docker image to: demisto/python:2.7.18.24398.

NetwitnessSearch#

Updated the Docker image to: demisto/python:2.7.18.24398.


RSA NetWitness Security Analytics Pack v1.0.4#

Scripts#

NetwitnessSAAddEventsToIncident#

Updated the Docker image to: demisto/python:2.7.18.24398.

NetwitnessSACreateIncident#

Updated the Docker image to: demisto/python:2.7.18.24398.

NetwitnessSAGetAvailableAssignees#

Updated the Docker image to: demisto/python:2.7.18.24398.

NetwitnessSAGetComponents#

Updated the Docker image to: demisto/python:2.7.18.24398.

NetwitnessSAGetEvents#

Updated the Docker image to: demisto/python:2.7.18.24398.

NetwitnessSAListIncidents#

Updated the Docker image to: demisto/python:2.7.18.24398.


RST Threat Feed Pack v1.0.5 (Partner Supported)#

Integrations#

RST Cloud - Threat Feed API#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Rapid Breach Response Pack v1.6.22#

Incident Fields#

Total Indicator Count

Playbooks#

Rapid Breach Response - Set Incident Info#

Added the StringToArray transformer to the sourceofindicators Set task.


Rapid7 Nexpose Pack v1.1.5#

Integrations#

Rapid7 Nexpose#

Added a default value to the limit argument for the following commands:

  • nexpose-get-assets
  • nexpose-search-assets
  • nexpose-get-sites

Recorded Future Pack v1.1.3#

Scripts#

RecordedFutureDomainRiskList#

Updated the Docker image to: demisto/python:2.7.18.24398.

RecordedFutureHashRiskList#

Updated the Docker image to: demisto/python:2.7.18.24398.

RecordedFutureIPRiskList#

Updated the Docker image to: demisto/python:2.7.18.24398.

RecordedFutureURLRiskList#

Updated the Docker image to: demisto/python:2.7.18.24398.

RecordedFutureVulnerabilityRiskList#

Updated the Docker image to: demisto/python:2.7.18.24398.


RecordedFuture v2 Pack v1.2.1 (Partner Supported)#

Integrations#

Recorded Future v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Respond Analyst Pack v1.0.3 (Partner Supported)#

Integrations#

Mandiant Automated Defense (Formerly Respond Software)#

Updated the Docker image to: demisto/python3:3.9.8.24399.


RiskIQ Digital Footprint Pack v1.0.13 (Partner Supported)#

Integrations#

RiskIQ Digital Footprint#

Updated the Docker image to: demisto/python3:3.9.8.24399.


RiskSense Pack v1.0.9 (Partner Supported)#

Integrations#

RiskSense#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Rubrik Polaris Pack v1.0.6 (Partner Supported)#

Integrations#

Rubrik Radar#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SAP-IAM Pack v1.0.2#

Integrations#

SAP - IAM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SOCRadar Pack v2.0.0 (Partner Supported)#

Integrations#

SOCRadar Incidents#
  • Revised and updated the README document by changing the SOCRadar version.
  • Changed the SOCRadar Incidents endpoint to the newest version and updated tests accordingly.
  • Fixed an issue with fetch-incidents command, which caused the occurrence time of the fetched incidents not to be converted to UTC timezone.
  • Updated the Docker image to: demisto/python3:3.9.8.24399.
SOCRadar ThreatFusion#
  • Revised and updated the README document by changing the SOCRadar version and fixing the punctuation.
  • Updated the Docker image to: demisto/python3:3.9.8.24399.

SafeBreach - Breach and Attack Simulation platform Pack v1.1.9 (Partner Supported)#

Integrations#

SafeBreach v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SailPoint IdentityIQ Pack v1.0.5 (Partner Supported)#

Integrations#

SailPoint IdentityIQ#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SailPoint IdentityNow Pack v1.0.4 (Partner Supported)#

Integrations#

SailPoint IdentityNow#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Salesforce Pack v1.1.7#

Integrations#

Salesforce IAM#

Updated the Docker image to: demisto/python3:3.9.8.24399.

Scripts#

SalesforceAskUser#

Updated the Docker image to: demisto/python:2.7.18.24398.


Salesforce Fusion Pack v1.0.2#

Integrations#

Salesforce Fusion IAM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Salesforce Indicators Pack v1.0.4 (Community Contributed)#

Integrations#

Salesforce Indicators#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Screenshot Machine Pack v1.0.2 (Community Contributed)#

Integrations#

Screenshot Machine#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SecBI Pack v1.0.3 (Partner Supported)#

Integrations#

SecBI#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Secureworks Pack v2.0.1 (Partner Supported)#

Integrations#

TaegisXDR#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SecurityAdvisor Pack v1.0.3 (Partner Supported)#

Integrations#

SecurityAdvisor#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SecurityScorecard Pack v1.0.1 (Partner Supported)#

Integrations#

SecurityScorecard#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Securonix Pack v1.1.9#

Integrations#

Securonix#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Sepio Pack v1.0.5 (Partner Supported)#

Integrations#

Sepio#

Updated the Docker image to: demisto/python3:3.9.8.24399.


ServiceNow Pack v2.2.17#

Integrations#

ServiceNow v2#

Added the clear_fields argument in the following commands:

  • servicenow-update-ticket
  • servicenow-update-record

Scripts#

ServiceNowCreateIncident#

Updated the Docker image to: demisto/python:2.7.18.24398.

ServiceNowQueryIncident#

Updated the Docker image to: demisto/python:2.7.18.24398.

ServiceNowUpdateIncident#

Updated the Docker image to: demisto/python:2.7.18.24398.


ShiftLeft CORE Pack v1.0.1 (Partner Supported)#

Integrations#

ShiftLeft CORE#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Signal Sciences WAF Pack v1.0.7#

Integrations#

Signal Sciences WAF#

Added array support for the sigsci-blacklist-add-ip command.


Silverfort Pack v1.0.7 (Partner Supported)#

Integrations#

Silverfort#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Sixgill Darkfeed - Annual Subscription Pack v2.0.7 (Partner Supported)#

Integrations#

Sixgill DarkFeed Threat Intelligence#
  • Updated the integration image.
Cybersixgill DVE Feed Threat Intelligence (Deprecated)#
  • Updated the integration image.
Sixgill DarkFeed Enrichment#
  • Updated the integration image.

Slack Pack v2.2.2#

Integrations#

Slack v3#

Updated the Docker image to: demisto/slackv3:1.0.0.25130.

Slack IAM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SlashNext Phishing Incident Response - Annual Subscription (Direct Subscription) Pack v1.3.1 (Partner Supported)#

Integrations#

SlashNext Phishing Incident Response#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Smokescreen IllusionBLACK Pack v1.0.11 (Partner Supported)#

Integrations#

Smokescreen IllusionBLACK#

Updated the Docker image to: demisto/python3:3.9.8.24399.


SolarWinds Pack v1.0.3#

Integrations#

SolarWinds#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Sophos Central Pack v1.1.1 (Partner Supported)#

Integrations#

Sophos Central#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Spamcop Pack v1.0.3 (Community Contributed)#

Integrations#

Spamcop#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Splunk Pack v2.2.9#

Classifiers#

Splunk - Classifier#

Updated the Splunk classifier. Notables from the Splunk rule named 'Threat - Suspicious Email - URL - Rule' are now classified as the Phishing Alerts incident type.

Mappers#

Splunk - Notable Generic Incoming Mapper#

Added mapping for the Phishing Alerts incident type.


Starter Pack Pack v1.0.7 (Community Contributed)#

Integrations#

Starter Base Integration - Name the integration as it will appear in the XSOAR UI#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Sumo Logic Pack v1.1.0#

Integrations#

SumoLogic#

Breaking Change: Added the Escape URLs parameter. When set to true, each = character in queried URLs is prefixed with a backslash (\).
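
The escaping behind this parameter, as an added example that is not the integration's own code: an idempotent escaper that prefixes only unescaped = characters with a backslash, next to a naive replace that shows why URLs already escaped by an existing playbook would be double-escaped once the parameter is turned on. The search template, source category and sample URL are constructed for illustration.

```python
import re


def escape_url_for_sumo(url: str) -> str:
    """Prefix every '=' in the URL with a backslash so the Sumo Logic query
    parser reads it as a literal character rather than a field comparison.
    The negative lookbehind skips an '=' that already carries a backslash,
    so applying the function twice gives the same result as applying it once."""
    return re.sub(r"(?<!\\)=", r"\\=", url)


def naive_escape(url: str) -> str:
    """Plain replace: adds another backslash on every call, which is the
    double-escaping hazard for playbooks that pre-escaped their URLs."""
    return url.replace("=", "\\=")


def build_search(url: str, escape_urls: bool) -> str:
    """Assemble a search for the URL. Only the URL term is escaped; the
    '=' in the (constructed) _sourceCategory filter must stay unescaped."""
    term = escape_url_for_sumo(url) if escape_urls else url
    return f'_sourceCategory=proxy "{term}"'


if __name__ == "__main__":
    sample = "https://example.test/login?user=alice&redirect=/home"  # constructed
    print(build_search(sample, escape_urls=True))
```

If playbooks already escape = in URLs before calling the integration, remove that step when enabling Escape URLs; otherwise the query term is sent with two backslashes and no longer matches the logged URL.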


Sumo Logic Cloud SIEM Pack v1.1.4 (Partner Supported)#

Integrations#

Sumo Logic Cloud SIEM#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Symantec Blue Coat Content and Malware Analysis (Beta) Pack v1.0.4#

Integrations#

Symantec Blue Coat Content and Malware Analysis (Beta)#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Symantec Endpoint Protection Pack v1.0.8#

Scripts#

SEPCheckOutdatedEndpoints#

Updated the Docker image to: demisto/python:2.7.18.24398.


Symantec Management Center Pack v1.0.6#

Integrations#

Symantec Management Center#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Syslog Pack v2.0.0#

Integrations#

Syslog v2#

Runs a Syslog server that automatically opens incidents from messages sent by Syslog clients. Logs can be filtered so that only matching messages are converted to incidents, or all logs can be converted.


TAXII Feed Pack v1.1.2#

Integrations#

TAXII Feed#

Updated the Docker image to: demisto/taxii:1.0.0.25216.


TIM - Indicator Auto-Processing Pack v1.1.11#

Playbooks#

New: TIM - Run Enrichment For Hash Indicators#

This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. (Available from Cortex XSOAR 6.0.0).

The playbook uses the EnrichIndicators command rather than the previous file command, which fixes an issue where indicators were not updated properly.

TIM - Run Enrichment For Domain Indicators#

This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. (Available from Cortex XSOAR 6.0.0).

The playbook uses the EnrichIndicators command rather than the previous domain command, which fixes an issue where indicators were not updated properly.

New: TIM - Run Enrichment For IP Indicators#

This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. (Available from Cortex XSOAR 6.0.0).

The playbook uses the EnrichIndicators command rather than the previous ip command, which fixes an issue where indicators were not updated properly.

New: TIM - Run Enrichment For Url Indicators#

This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. (Available from Cortex XSOAR 6.0.0).

The playbook uses the EnrichIndicators command rather than the previous url command, which fixes an issue where indicators were not updated properly.


TOPdesk Pack v1.0.6#

Integrations#

TOPdesk#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Tanium Pack v1.0.14#

Integrations#

Tanium v2#

Fixed an issue where the login failed on Tanium v7.5.

Scripts#

TaniumFilterComputersByIndexQueryFileDetails#

Updated the Docker image to: demisto/python:2.7.18.24398.


Tanium Threat Response Pack v2.0.5#

Integrations#

Tanium Threat Response v2#

Fixed an issue where the login failed on Tanium v7.5.

Tanium Threat Response#

Fixed an issue where the login failed on Tanium v7.5.


Telegram (Beta) Pack v1.0.4#

Integrations#

Telegram (Beta)#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Threat Crowd Pack v2.0.6#

Integrations#

Threat Crowd v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


ThreatQ Pack v1.0.14 (Partner Supported)#

Integrations#

ThreatQ v2#

Updated the Docker image to: demisto/python3:3.9.8.24399.


ThreatX Pack v1.0.6#

Integrations#

ThreatX#

Added array support for the threatx-blacklist-ip command.


Thycotic Secret Server Pack v1.0.2 (Partner Supported)#

Integrations#

Thycotic#

Updated the Docker image to: demisto/python3:3.9.8.24399.


ThycoticDSV Pack v1.0.2 (Partner Supported)#

Integrations#

ThycoticDSV#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Trello Pack v1.0.5 (Community Contributed)#

Integrations#

Trello#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Trend Micro Pack v1.0.3#

Scripts#

TrendMicroClassifier#

Updated the Docker image to: demisto/python:2.7.18.24398.

TrendMicroGetHostID#

Updated the Docker image to: demisto/python:2.7.18.24398.

TrendMicroGetPolicyID#

Updated the Docker image to: demisto/python:2.7.18.24398.

TrendmicroAlertStatus#

Updated the Docker image to: demisto/python:2.7.18.24398.

TrendmicroAntiMalwareEventRetrieve#

Updated the Docker image to: demisto/python:2.7.18.24398.

TrendmicroHostAntimalwareScan#

Updated the Docker image to: demisto/python:2.7.18.24398.

TrendmicroHostRetrieveAll#

Updated the Docker image to: demisto/python:2.7.18.24398.

TrendmicroSecurityProfileAssignToHost#

Updated the Docker image to: demisto/python:2.7.18.24398.


Trend Micro Deep Security Pack v1.0.2#

Integrations#

Trend Micro Deep Security#

Updated the Docker image to: demisto/python3:3.9.8.24399.


TrustwaveSEG Pack v1.0.4#

Integrations#

Trustwave Secure Email Gateway#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Twinwave Pack v1.0.6 (Partner Supported)#

Integrations#

Twinwave#

Updated the Docker image to: demisto/python3:3.9.8.24399.


TwitterIOCHunter - Full Daily Feed Pack v1.0.4 (Community Contributed)#

Integrations#

TwitterIOCHunter Feed#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Unit42 v2 Feed Pack v1.0.7#

Integrations#

Unit42 ATOMs Feed#

Fixed an issue where the unit42-get-indicators command was not handling the limit argument properly.

Unit 42 ATOMs Feed#

Documentation and metadata improvements.


Uptycs Pack v1.0.7 (Partner Supported)#

Integrations#

Uptycs#

Maintenance and stability enhancements.


XSOAR CI/CD (Beta) Pack v1.0.11#

Playbooks#

Configuration Setup#
  • Replaced the deprecated MarketplacePackInstaller script with the new ContentPackInstaller script.
  • Made the !http artifact download method a GET request.
  • Appended a .zip suffix to a pack zip downloaded via !http.

Scripts#

MarketplacePackInstaller (Deprecated)#

Deprecated. Use the ContentPackInstaller script instead.


iLert Pack v1.0.4 (Partner Supported)#

Integrations#

iLert#

Updated the Docker image to: demisto/python3:3.9.8.24399.


Assets#