
Cortex XSOAR Content Release Notes for version 21.2.0 (267504)#

Published on 02 February 2021#

New: Acalvio ShadowPlex Pack v1.0.0 (Partner Supported)#

Integrations#

Acalvio ShadowPlex#

Acalvio ShadowPlex is a comprehensive autonomous deception platform that offers advanced threat detection, investigation, and response capabilities.


New: Agari Phishing Defense Pack v1.0.0 (Partner Supported)#

Classifiers#

Agari Phishing Defense - Classifier#

Removed non-existing incident fields.

Agari Phishing Defense - Mapper#

Maps incoming Agari Phishing Defense incident fields.

Dashboards#

Agari Phishing Defense#

Incident Fields#

  • APD Admin Recipients
  • APD Alert Definition Name
  • APD Attack Types
  • APD Created At
  • APD Enforcement Action
  • APD Global Message ID
  • APD Internal Message ID
  • APD Message Authentication Results
  • APD Message Authenticity Score
  • APD Message DKIM D Tag
  • APD Message Date
  • APD Message Domain Reputation
  • APD Message From
  • APD Message From Domain
  • APD Message Mail From
  • APD Message PTR Name
  • APD Message Reply To
  • APD Message Reputation
  • APD Message Risk Reason
  • APD Message Sender IP Address
  • APD Message Subject
  • APD Message To
  • APD Message Trust Score
  • APD Notified Original Recipients
  • APD Policy Action
  • APD Policy Enabled
  • APD Policy Event ID
  • APD Summary
  • APD Updated At

Incident Types#

Agari Phishing Defense Policy Event

Integrations#

Agari Phishing Defense#

Agari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business.

Layouts#

Agari Phishing Defense Policy Event - Summary

Playbooks#

Agari Message Remediation - Agari Phishing Defense#

Investigates Agari policy events by obtaining the original message and attachments from the existing email integrations and remediates in Agari.

Remediate Message - Agari Phishing Defense#

Remediates a given message ID.

Retrieve Email Data - Agari Phishing Defense#

Retrieves email data from one of the following integrations:

  • Gmail.
  • Mail Listener v2.
  • EWS O365.
  • Microsoft Graph Mail integrations.

New: Arduino Pack v1.0.0 (Community Contributed)#

Integrations#

Arduino#

Connects to and controls an Arduino pin system using the network.


New: ComputerVisionEngine Pack v1.0.1 (Community Contributed)#

Integrations#

Computer Vision Engine#

Processes images or movies and detects objects in them by using machine learning. It uses OpenCV with YOLO COCO.


New: Cyberint Pack v1.0.1 (Partner Supported)#

Classifiers#

Cyberint - Classifier#
CyberInt (mapper)#

Incident Types#

Cyberint Incident

Integrations#

Cyberint#

Cyberint provides intelligence-driven digital risk protection. This integration will help your enterprise effectively consume actionable cyber alerts to increase your security posture.

Layouts#

Cyberint incident layout


New: Intel471 Feed Pack v1.0.0#

Integrations#

Intel471 Actors Feed#

Intel 471's Actors Feed is an actor-centric intelligence feature. It combines a field-based intelligence collection component with a headquarters-based intelligence analysis component. This feed provides data from closed sources (typically referred to as the deep and dark web) where threat actors collaborate, communicate, and plan cyber attacks.

Intel471 Malware Feed#

Intel471's Malware Intelligence is focused on providing a high-fidelity and timely indicator feed with rich context, TTP information, and malware intelligence reports. This feed allows customers to block and gain an understanding of the latest crimeware campaigns and is for those who value timeliness, confidence (little to no false positives), and rich context and insight around the attacks they are seeing.

Indicator Fields#

Forum Post Total Count#
Forum Total Count#
Instant Message Total Count#
Report Total Count#

New: LSASS Credential Dumping Pack v1.0.0 (Community Contributed)#

Playbooks#

LSASS Credential Dumping#

Detects credential dumping attacks as researched by Accenture Security analysts and engineers.


New: LogPoint SIEM Integration Pack v1.0.0 (Partner Supported)#

Classifiers#

LogPoint SIEM Integration - Incoming Mapper#

Maps LogPoint incident fields.

Incident Fields#

  • LogPoint AlertObjId - LogPoint Alert Obj Id
  • LogPoint Assigned To - LogPoint Assigned To
  • LogPoint Comments - LogPoint Comments
  • LogPoint Comments Count - LogPoint Comments Count
  • LogPoint Detection Timestamp - LogPoint Detection Timestamp
  • LogPoint IncidentId - LogPoint Incident ID
  • LogPoint Last Action - LogPoint Last Action
  • LogPoint LogPoint Name - LogPoint LogPoint Name
  • LogPoint Loginspect IP DNS - LogPoint Loginspect IP DNS
  • LogPoint Object ID - LogPoint Incident Object ID
  • LogPoint Query - LogPoint Query
  • LogPoint Repos - LogPoint Repos
  • LogPoint Rows Count - LogPoint Rows Count
  • LogPoint Status - LogPoint Status
  • LogPoint Throttle Enabled - LogPoint Throttle Enabled
  • LogPoint Tid - LogPoint Tid
  • LogPoint Time Range - LogPoint Time Range
  • LogPoint User Id - LogPoint User Id
  • LogPoint Username - LogPoint Username
  • LogPoint Visible To - LogPoint Visible To

Incident Types#

LogPoint Incident

Integrations#

LogPoint SIEM Integration#

Use this content pack to fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time.


New: Mantis Pack v1.0.0 (Community Contributed)#

Integrations#

Mantis#

Creates and updates issues in MantisBT. MantisBT is a popular, free, web-based bug tracking system.


New: NCSC Cyber Assessment Framework Pack v1.0.0 (Community Contributed)#

Incident Fields#

  • CAF A Achievement
  • CAF A Answers
  • CAF A Details
  • CAF A Email
  • CAF A Questions
  • CAF A Result
  • CAF A Result Raw
  • CAF A Status
  • CAF B Achievement
  • CAF B Answers
  • CAF B Details
  • CAF B Email
  • CAF B Questions
  • CAF B Result
  • CAF B Result Raw
  • CAF B Status
  • CAF C Achievement
  • CAF C Answers
  • CAF C Details
  • CAF C Email
  • CAF C Questions
  • CAF C Result
  • CAF C Result Raw
  • CAF C Status
  • CAF D Achievement
  • CAF D Answers
  • CAF D Details
  • CAF D Email
  • CAF D Questions
  • CAF D Result
  • CAF D Result Raw
  • CAF D Status
  • CAF Overall Result
  • CAF Regulator Email
  • NCSC Assessment Status

Incident Types#

NCSC CAF Assessment

Layouts#

Assessment Info

Playbooks#

NCSC CAF Assessment#

Executes automatically as part of the NCSC Assessment incident type. It sends the relevant questions (via email) to each participant and generates the assessment results.

Reports#

NCSC Assessment#

This is the final report generated when all CAF section questions are answered.

Scripts#

EntryWidgetNCSCResultsA#

Populates results for the dynamic content shown in the incident layout.

EntryWidgetNCSCResultsB#

Populates results for the dynamic content shown in the incident layout.

EntryWidgetNCSCResultsC#

Populates results for the dynamic content shown in the incident layout.

EntryWidgetNCSCResultsD#

Populates results for the dynamic content shown in the incident layout.

NCSCCalculateQuestionsScore#

Calculates the score based on the question and answer responses.

NCSCFieldProtection#

Protects the fields associated with the assessment from accidental modification.

NCSCQuestionPopulate#

Populates the "NCSC CAF Assessment" list with the list of NCSC questions.

NCSCReportDetails#

Generates the report details used in the final report.

NCSCReportDetails_A#

Generates the report details for the individual CAF section.

NCSCReportDetails_B#

Generates the report details for the individual CAF section.

NCSCReportDetails_C#

Generates the report details for the individual CAF section.

NCSCReportDetails_D#

Generates the report details for the individual CAF section.

NCSCReportOverview#

Generates the report details for the individual CAF section.


New: Netmiko Pack v1.0.0 (Community Contributed)#

Integrations#

Netmiko#

Multi-vendor library to simplify SSH connections to network devices. Utilizes the Netmiko Python library for connections. Supports SSH key authentication and username/password.


New: Orca Pack v1.0.0 (Partner Supported)#

Classifiers#

Orca Alert - Classification#

Classifies Orca Alert incidents.

Orca Mapper#

Maps Orca fields for use in integration playbooks.

Incident Fields#

  • Orca Alert ID
  • Orca Asset Unique ID
  • Orca Cloud Account
  • Orca Reason

Incident Types#

Orca Alert

Integrations#

Orca#

Agentless, workload-deep, context-aware security and compliance for AWS, Azure, and GCP.


New: Palo Alto Networks Automatic SLR Pack v1.0.0 (Community Contributed)#

Integrations#

Palo Alto Networks Automatic SLR#

A community supported integration to allow XSOAR to automatically generate Security Lifecycle Reviews (SLRs).

Playbooks#

Palo Alto Networks - Automatic SLR#

Initial default playbook to run the Palo Alto Networks Automatic SLR (Community) integration.


New: RST Threat Feed Pack v1.0.0 (Partner Supported)#

Integrations#

RST Cloud - Threat Feed API#

The RST Threat Feed integration for interacting with APIs.

Playbooks#

Domain Enrichment - RST Threat Feed#

Enriches domains using one or more integrations. Domain enrichment includes threat information.

IP Enrichment - External - RST Threat Feed#

Enriches IP addresses using one or more integrations.

  • Resolves IP addresses to host names (DNS).
  • Provides threat information.
  • Separates internal and external addresses.

URL Enrichment - RST Threat Feed#

Enriches URLs using one or more integrations.

  • Provides SSL verification for URLs.
  • Provides threat information.
  • Provides URL screenshots.

New: SSL Certificate Verifier Pack v1.0.0 (Community Contributed)#

Scripts#

SSLVerifier#

Checks for the validity of your SSL certificate and gets the time until expiration.


ANY.RUN Pack v1.0.1#

Integrations#

ANY.RUN#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

AWS Feed Pack v1.1.1#

Integrations#

AWS Feed#

Internal code improvements.


Active Directory Query Pack v1.1.3#

Integrations#

Active Directory Query v2#

Added the import for IAMApiModule to support all IAM classes.


ActiveMQ Pack v1.0.1#

Integrations#

ActiveMQ#

Removed the Use system proxy settings configuration parameter as proxy is not supported by the integration.


Agari Phishing Defense Pack v1.0.1 (Partner Supported)#

Classifiers#

Agari Phishing Defense - Mapper#

Removed non-existing incident fields.

Agari Phishing Defense - Classifier#

Removed non-existing incident fields.

Layouts#

Agari Phishing Defense Policy Event


Alexa Rank Indicator Pack v1.1.1#

Integrations#

Alexa Rank Indicator#

Fixed an issue where the Dbot score was not calculated correctly for the domain command.


Analyst1 Pack v1.0.6 (Partner Supported)#

Integrations#

illuminate (Deprecated)#

Documentation and metadata improvements.

Analyst1#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Ansible Tower Pack v1.0.1#

Integrations#

Ansible Tower#

Fixed an issue where some arguments were incorrectly marked as default arguments.


ArcSight ESM Pack v1.1.0#

Integrations#

ArcSight ESM v2#

Fixed an issue where the wrong context path was declared in the as-get-entries command.

Playbooks#

TIM - ArcSight Add Url Indicators#

Maintenance and stability enhancements.

TIM - ArcSight Add IP Indicators#

Maintenance and stability enhancements.

TIM - ArcSight Add Domain Indicators#

Maintenance and stability enhancements.


ArcSight Logger Pack v1.0.1#

Integrations#

ArcSight Logger#
  • Improved the documentation for the local_search argument of the as-search-events command.
  • Fixed an issue where the field_summary argument of the as-search-events command was not working as expected.

Atlassian Jira Pack v1.2.11#

Integrations#

Atlassian Jira v2#
  • Fixed an issue where the assignee argument referred to the user's name and not its Account ID in the jira-create-issue command.
  • Fixed the display names for various integration parameters.
  • Reverted a change that was made in version 1.2.9 since it was not compatible with the Jira server.
  • Added the assignee_id argument to the following commands, which enables assigning a user to an issue by the user's Account ID, in order to support changes in the Jira Cloud API:
    • jira-create-issue
    • jira-edit-issue
  • Added the jira-get-id-by-attribute command, which searches and retrieves the Account ID for a given user's attribute.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.15507.

AutoFocus Pack v1.1.13#

Integrations#

Palo Alto Networks AutoFocus v2#
  • Fixed an issue where the following arguments did not work as expected in the autofocus-search-sessions command.
    • time_range
    • time_after
    • time_before
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Axonius Pack v1.0.1 (Partner Supported)#

Integrations#

Axonius#

Updated the Docker image to: demisto/axonius:1.0.0.15518.


Base Pack v1.7.5#

Scripts#

CommonServerPython#
  • You can now log the return value from a function in debug mode when using the logger decorator.
  • Added the reliability argument to the DBotScore class.
  • Added the ability to mark an entry as a note for results of the CommandResults function by using the mark_as_note flag.
  • Moved all IAM classes to the separate IAMApiModule module.
  • Fixed an issue where several incident types were not extracted correctly in the GetMappingFieldsResponse class.

SanePdfReports#

Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.15795.

CheckDockerImageAvailable#

Updated to support checking Docker availability in the xsoar-registry.

DBotMLFetchData#

The script now collects the following additional data:

  • Whether an email is a forwarded message.
  • The average embeddings of the email subject.
  • The email subject, pre-processed to remove [] prefixes.
  • Additional features that might indicate if the incident was closed automatically.

BitcoinAbuse Feed Pack v1.0.1#

Integrations#

BitcoinAbuse Feed#
  • Fixed an issue with the handling of the Description indicator field for non-English text.
  • Added the bitcoinabuse-get-indicators command.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

BlockList DE Feed Pack v1.0.3#

Integrations#

Blocklist_de Feed#

The Use system proxy settings parameter now works as expected.


Box Pack v2.0.1#

Integrations#

Box (Deprecated)#

Documentation and metadata improvements.


BruteForce Feed Pack v1.0.3#

Integrations#

BruteForceBlocker Feed#

The Use system proxy settings parameter now works as expected.


Carbon Black Enterprise Protection Pack v1.0.5#

Integrations#

VMware Carbon Black App Control v2#
  • Removed the following unused arguments from the cbp-computer-update command:
    • templateCloneCleanupMode
    • templateCloneCleanupTime
    • templateCloneCleanupTimeScale
    • templateTrackModsOnly
    • changeDiagnostics
    • changeTemplate
    • delete
    • resetCLIPassword
  • Fixed an issue where the reputationApprovalsEnabled argument was not used correctly in the cbp-fileRule-update command.

Check Point Firewall Pack v2.0.7#

Integrations#

Check Point Firewall v2#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Cisco ASA Pack v1.0.4#

Integrations#

Cisco ASA#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Cisco ESA IronPort Email API Pack v1.0.1 (Community Contributed)#

Integrations#

Cisco IronPort EMail API#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Cloudflare Feed Pack v1.0.3#

Integrations#

Cloudflare Feed#

The Use system proxy settings parameter now works as expected.


Cofense Triage Pack v1.1.7 (Partner Supported)#

Integrations#

Cofense Triage (Deprecated)#

Documentation and metadata improvements.


Common Playbooks Pack v1.8.11#

Playbooks#

Block File - Generic v2#

Added the Cortex XDR - Block File sub-playbook.


Common Scripts Pack v1.3.16#

Scripts#

PcapHTTPExtractor#

Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.15436.

SetGridField#
  • Improved the error messages.
  • Fixed an issue where the script failed when an empty value was entered.
  • Fixed an issue where the script failed on an "unhashable type" error.
  • Updated the Docker image to: demisto/pandas:1.0.0.15584.

ModifyDateTime#
  • Fixed an issue where the time zone was ignored.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Common Types Pack v2.8.1#

Incident Fields#

  • Team name
  • app channel name
  • similarIncidents
  • App message

Indicator Fields#

Mitre Tactics#

Download URL


CrowdStrike Falcon Pack v1.2.12#

Integrations#

CrowdStrike Falcon#
  • Fixed an issue where an unsupported media type was sent.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

CrowdStrike Falcon Intel Pack v2.0.9#

Integrations#

CrowdStrike Falcon Intel (Deprecated)#

Documentation and metadata improvements.


CrowdStrike Falcon Streaming Pack v1.0.16#

Integrations#

CrowdStrike Falcon Streaming v2#

Improved the handling of the discovery attempt for stream resources when they are not required.


Cryptocurrency Pack v1.1.3#

Indicator Fields#

Integrations#

Cryptocurrency#
  • Added the Source Reliability integration parameter to define the reliability of the source providing the intelligence data.
  • Added the Reputation integration parameter to define the reputation of the ingested indicators.

Layouts#

  • Cryptocurrency - Added the Count field to the layout.
  • Cryptocurrency Address - Added the Count field to the layout.

Scripts#

CryptoCurrenciesFormat#

Maintenance and stability enhancements.


CyberArk AIM Pack v1.0.5#

Integrations#

CyberArk AIM (Deprecated)#

Documentation and metadata improvements.

CyberArk AIM v2#
  • Fixed an issue where credentials fetched from this integration could not be used in other integrations.
  • Updated the Docker image to: demisto/ntlm:1.0.0.15081.

CyberX - Central Manager Pack v1.0.1 (Community Contributed)#

Integrations#

CyberX - Central Manager#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3-deb:3.9.1.15758.

Cymulate Pack v1.0.8 (Partner Supported)#

Integrations#

Cymulate#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Cyren Threat InDepth Threat Intelligence Pack v1.2.0 (Partner Supported)#

Classifiers#

New: Cyren Threat InDepth Indicator Mapper#

Cyren Threat InDepth Indicator Mapper - Provides the flexibility to gather the data the way it is needed in the customer's process. (Available from Cortex XSOAR 6.0.0.)

Dashboards#

New: Cyren Threat InDepth Dashboard#

Cyren Threat InDepth Dashboard - Provides general information about the data pulled from Cyren Threat InDepth. It can be used directly as a new dashboard or individual widgets can be added to existing dashboards. (Available from Cortex XSOAR 6.0.0.)

Indicator Fields#

Cyren Feed Relationships#
  • Cyren IP Intensity
  • Cyren IP Risk
  • Cyren Source Tags

Integrations#

Cyren Threat InDepth Threat Intelligence Feed#
  • Deprecated the Creation Date field for indicator fields. Use the Updated Date field instead.
  • Now creates or updates indicators from feed relationships (for instance, ingesting both a malicious SHA256 and the URL potentially hosting it).
  • Added the Cyren Threat InDepth Indicator Mapper default mapper.

Layouts#

Scripts#

New: CyrenThreatInDepthRelatedWidget#

Shows feed relationship data in a table with the ability to navigate. (Available from Cortex XSOAR 6.0.0.)


DShield Feed Pack v1.0.3#

Integrations#

DShield Feed#

The Use system proxy settings parameter now works as expected.


Darktrace Pack v1.0.2 (Partner Supported)#

Integrations#

Darktrace#

Fixed an issue where some arguments were incorrectly marked as default arguments.


DeepInstinct Pack v1.0.3 (Partner Supported)#

Integrations#

Deep Instinct#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

EWS Pack v1.7.3#

Integrations#

EWS v2#

Fixed an issue where the fetch incidents command failed to parse email headers.


EWS Mail Sender Pack v1.1.1#

Integrations#

EWS Mail Sender#
  • Fixed a regression where the integration failed to connect to older versions of Exchange, which still use TLS 1.0.
  • Updated the Docker image to: demisto/py2-exchangelib:1.0.0.15788.

Elasticsearch Pack v1.1.4#

Integrations#

Elasticsearch v2#
  • Fixed an issue where JSON incident labels were not saved correctly.
  • Updated the Docker image to: demisto/elasticsearch:1.0.0.14274.

Expanse v2 Pack v1.0.6#

Integrations#

Expanse Expander Feed#

Fixed an issue where some arguments were incorrectly marked as default arguments.

Playbooks#

Handle Expanse Incident#

Added a check to avoid failures when no Asset tags are associated with the Expanse issue.

Handle Expanse Incident - Attribution Only#

Added a check to avoid failures when no Asset tags are associated with the Expanse issue.

Scripts#

ExpanseRefreshIssueAssets#

Fixed an issue when handling Asset tags returned by Expanse.


Fastly Feed Pack v1.1.1#

Integrations#

Fastly Feed#

Internal code improvements.


FeodoTracker Feed Pack v1.0.6#

Integrations#

Feodo Tracker Hashes Feed (Deprecated)#
  • The Use system proxy settings parameter now works as expected.
  • Documentation and metadata improvements.

Feodo Tracker IP Blocklist Feed#
  • Fixed an issue where the indicators were not extracted from the feed.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Forescout Pack v1.0.2#

Integrations#

Forescout#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

GitHub Pack v1.1.7#

Integrations#

GitHub IAM#
  • Added the import for IAMApiModule to support all IAM Classes.
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Gmail Pack v1.1.4#

Integrations#

Gmail#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/google-api:1.0.0.15653.

Gmail Single User (Beta) Pack v1.1.1#

Integrations#

Gmail Single User (Beta)#
  • Added the Maximum number of emails to pull per fetch configuration parameter.
  • Improved fetch incidents logic to avoid duplicate incidents.
  • Improved handling of emails with an invalid Date header.
  • Fixed an issue where the integration attempted to send requests via proxy even though the Use system proxy settings integration parameter was not checked.
  • Fixed an issue where the send-email command sent emails with both a textual and HTML body.
  • Fixed an issue where attachments were not sent in the correct format.
  • Documentation improvements on using your own Google App.
  • Updated the Docker image to: demisto/google-api-py3:1.0.0.14611.

Google Vision AI Pack v1.0.1#

Integrations#

Google Vision AI#

Updated the Docker image to: demisto/google-vision-api:1.0.0.15679.


Graylog Pack v1.0.1 (Community Contributed)#

Integrations#

Graylog#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Hello World IAM Pack v1.0.1#

Integrations#

Hello World IAM#

General performance and reliability improvements.


HelloWorld Pack v1.2.1 (Community Contributed)#

Integrations#

HelloWorld#
  • Fixed a typo in the comments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Playbooks#

Handle Hello World Alert#

Maintenance and stability enhancements.


IBM QRadar Pack v1.2.11#

Integrations#

IBM QRadar#

Fixed an issue where the test-module command did not work as expected.

IBM QRadar v2#
  • Fixed an issue where the fetch-incidents command missed events when fetching an offense with unindexed events.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

IBM X-Force Exchange Pack v1.0.7#

Integrations#

IBM X-Force Exchange (Deprecated)#

Documentation and metadata improvements.


IntSights Pack v1.0.2#

Integrations#

IntSights#

Fixed the display names for various integration parameters.


Integrations & Incidents Health Check Pack v1.1.11#

Playbooks#

Integrations and Playbooks Health Check - Running Scripts#

Fixed an issue where the playbooktaskserrors incident field was filled incorrectly.

Scripts#

IncidentsCheck-PlaybooksHealthNames#
  • Fixed an issue where some colors appeared transparent.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-PlaybooksFailingCommands#
  • Fixed an issue where some colors appeared transparent.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-PlaybookNames#
  • Fixed an issue where some colors appeared transparent.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-CreationDate#
  • Fixed an issue where some colors appeared transparent.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

GetFailedTasks#
  • Fixed an issue where the script output always added an empty object.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-CommandsNames#
  • Fixed an issue where some colors appeared transparent.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

IncidentsCheck-Widget-IncidentsErrorsInfo#
  • Improved error handling.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

InstancesCheck-FailedCategories#
  • Fixed an issue where some colors appeared transparent.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

IntegrationsCheck-Widget-IntegrationsCategory#
  • Fixed an issue where some colors appeared transparent.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

JSON Feed Pack v1.1.1#

Integrations#

JSON Feed#

Internal code improvements.


Kafka Pack v1.0.2#

Integrations#

Kafka v2#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/pykafka:1.0.0.15212.

Lastline Pack v1.0.5#

Integrations#

Lastline v2#
  • Fixed an issue where the threshold integration parameter was not used correctly.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Maltiverse Pack v1.0.2#

Integrations#

Maltiverse#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

MalwareDomainList Feed Pack v1.0.3#

Integrations#

Malware Domain List Active IPs Feed#

The Use system proxy settings parameter now works as expected.


Manage Engine Service Desk Plus Pack v1.2.2#

Integrations#

Service Desk Plus#
  • The update_reason argument in the service-desk-plus-request-update command now works as expected.
  • The status_change_comments argument was removed from the service-desk-plus-request-update command since it was unused.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

McAfee Advanced Threat Defense Pack v1.0.5#

Integrations#

McAfee Advanced Threat Defense#

Fixed the display names for various integration parameters.


McAfee ESM Pack v1.1.3#

Integrations#

McAfee ESM v2#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

McAfee ESM v10 and v11 Pack v1.0.6#

Integrations#

McAfee ESM v10 and v11 (Deprecated)#

Documentation and metadata improvements.


Microsoft Graph Device Management Pack v1.0.6#

Integrations#

Microsoft Graph Device Management (Microsoft Intune)#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/crypto:1.0.0.14297.

Netmiko Pack v1.0.1 (Community Contributed)#

Integrations#

Netmiko#

Updated the client method to include a missing input parameter.


Orca Pack v1.0.2 (Partner Supported)#

Classifiers#

Orca Mapper#

Corrected the name of a misspelled incident field.

Integrations#

Orca#

Updated the following commands so that they do not fail on empty results:

  • orca-get-asset
  • orca-get-alerts

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.8.1#

Layouts#

Cortex XDR Incident

  • Added the Work Plan section to the Cortex XDR Incident layout for better playbook tasks execution monitoring.
  • Maintenance and stability enhancements.

Playbooks#

Cortex XDR incident handling v3#
  • Replaced the Rest API LinkIncident command with the built-in LinkIncident command.
  • Maintenance and stability enhancements.

New: Cortex XDR - Block File#

Adds files to the Cortex XDR block list using the file SHA256 provided as a playbook input. (Available from Cortex XSOAR 5.0.0.)

Cortex XDR incident handling v2#

Replaced the Rest API LinkIncident command with the built-in LinkIncident command.


Palo Alto Networks PAN-OS EDL Management Pack v1.0.1#

Integrations#

Palo Alto Networks PAN-OS EDL Management#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/openssh:1.0.0.12410.

Palo Alto Networks PAN-OS EDL Service Pack v1.0.6#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • Fixed an issue where selecting a value from the Should collapse IPs integration parameter could cause an out-of-memory error.
  • Fixed an issue where redundant data was saved in the integration context.
  • Updated the Docker image to: demisto/teams:1.0.0.15630.

Palo Alto Networks WildFire Pack v1.2.3#

Integrations#

Palo Alto Networks WildFire v2#
  • Fixed an issue where uploading js files using the wildfire-upload command failed.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

PassiveTotal Pack v2.0.6 (Partner Supported)#

Integrations#

PassiveTotal (Deprecated)#

Documentation and metadata improvements.


PhishTank Pack v2.0.4#

Integrations#

PhishTank (Deprecated)#

Documentation and metadata improvements.


Phishing Pack v2.2.0#

Layouts#

Playbooks#

Phishing Playbook - Manual#

Maintenance and stability enhancements.

Scripts#

FindDuplicateEmailIncidents#
  • Added additional incident fields to the entry results contents.
  • Updated the Docker image to: demisto/sklearn:1.0.0.15163.

Plain Text Feed Pack v1.0.4#

Integrations#

Plain Text Feed#

The Use system proxy settings parameter now works as expected.


Proofpoint Protection Server Pack v2.0.2#

Integrations#

Proofpoint Protection Server (Deprecated)#
  • Deprecated. Use Proofpoint Protection Server v2 instead.
  • Improved the deprecation comment.

New: Proofpoint Protection Server v2#

Proofpoint email security appliance.


RSA Archer Pack v1.1.11#

Integrations#

RSA Archer (Deprecated)#

Documentation and metadata improvements.

RSA Archer v2#

Fixed an issue where duplicate incidents were fetched when they occurred at the same time as the previous fetch.


RSA NetWitness v11.1 Pack v1.0.1#

Integrations#

RSA NetWitness v11.1#

Fixed the display names for various integration parameters.


Rapid7 Nexpose Pack v1.0.3#

Integrations#

Rapid7 Nexpose#

Fixed the display names for various integration parameters.


Remedy SR (Beta) Pack v1.0.2#

Integrations#

BMC Remedy SR (Beta)#

Improved proxy handling.


ReversingLabs A1000 Pack v1.0.1#

Integrations#

ReversingLabs A1000#
  • Added a custom error class for better error handling.
  • Added user agent functionality.

ReversingLabs Titanium Cloud Pack v1.0.1#

Integrations#

ReversingLabs Titanium Cloud#
  • Added user agent functionality.
  • Fixed some error messages.

RiskSense Pack v1.0.4 (Partner Supported)#

Integrations#

RiskSense#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Salesforce Pack v1.0.3#

Classifiers#

New: User Profile - Salesforce (Incoming)#

(Available from Cortex XSOAR 6.0.0.)

New: User Profile - Salesforce (Outgoing)#

(Available from Cortex XSOAR 6.0.0.)

Integrations#

New: Salesforce IAM#

Integrates with Salesforce's services to perform Identity Lifecycle Management operations. (Available from Cortex XSOAR 6.0.0.)

Scripts#

New: generate_profile_id#

Generates a profileId from user data. (Available from Cortex XSOAR 6.0.0.)

New: generate_timezonesidkey#
  • Generates a timezonesidkey from user data. (Available from Cortex XSOAR 6.0.0.)
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

ServiceNow Pack v2.1.9#

Integrations#

ServiceNow (Deprecated)#

Documentation and metadata improvements.

ServiceNow v2#
  • Added the following arguments to the servicenow-update-ticket and servicenow-create-ticket commands:
    • reassignment_count
    • reopen_count
    • sys_updated_by
    • sys_updated_on
  • Added the above-mentioned ticket fields to the context data.
  • Removed the following arguments from the servicenow-update-ticket and servicenow-create-ticket commands, as they are not supported in the API:
    • display
    • escalation
  • Added the fields_delimiter argument to the following commands:
    • servicenow-create-ticket
    • servicenow-update-ticket
    • servicenow-create-record
    • servicenow-update-record
    • servicenow-get-ticket
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

ServiceNow CMDB#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

ServiceNow IAM#

Added the import for IAMApiModule to support all IAM classes.

Scripts#

ServiceNowIncidentStatus#

Updated the Docker image to: demisto/python3:3.9.1.14969.


Shift Management Pack v1.2.1#

Incident Fields#

  • Out off the office
  • To start the meeting
  • To join the meeting
  • Shift open incidents
  • Shift manager briefing

Incident Types#

Shift handover

Layouts#

Shift handover

Playbooks#

New: Set up a Shift handover meeting#

Creates an online meeting for shift handover. Currently, this playbook supports Zoom. (Available from Cortex XSOAR 6.0.0.)

New: Assign Active Incidents to Next Shift V2#

Reassigns active incidents to the current users who are on call. It requires shift management to be set up. The playbook can be run as a job a few minutes after the scheduled shift change time. (Available from Cortex XSOAR 6.0.0.)

Scripts#

GetUsersOnCall#

Added the listname argument that allows users to specify a new name for the out-of-office list. The default name is OOO List.

GetShiftsPerUser#

Updated the Docker image to: demisto/python3:3.9.1.14969.

GetRolesPerShift#

Updated the Docker image to: demisto/python3:3.9.1.14969.

GetNumberOfUsersOnCall#

Updated the Docker image to: demisto/python3:3.9.1.14969.

GetOnCallHoursPerUser#

Updated the Docker image to: demisto/python3:3.9.1.14969.

New: CreateChannelWrapper#

Creates a channel in Slack v2 or in Microsoft Teams. If both Slack v2 and Microsoft Teams are available, it creates the channel in both. (Available from Cortex XSOAR 5.5.0.)

New: AssignToNextShiftOOO#

Reassigns the active incidents to the next shift. (Available from Cortex XSOAR 5.0.0.)

New: TimeToNextShift#

Retrieves the time left until the next shift begins. (Available from Cortex XSOAR 5.5.0.)

New: AssignAnalystToIncidentOOO#

Assigns all on-call analysts to the active incidents. This automation will not assign users who appear in the out-of-office list. (Available from Cortex XSOAR 5.5.0.)

New: ManageOOOusers#

Adds or removes an analyst from the out-of-office list in XSOAR. When used with the AssignAnalystToIncidentOOO automation, prevents incidents from being assigned to an analyst who is out of the office. (Available from Cortex XSOAR 5.5.0.)

New: OutOfOfficeListCleanup#

Removes any analyst from the out-of-office list whose 'off until day' is in the past. (Available from Cortex XSOAR 5.5.0.)

New: GetUsersOOO#

Retrieves users who are currently out of office. (Available from Cortex XSOAR 5.5.0.)

GetUsersOOO#

Fixed an issue when the OOO List is empty.

Widgets#

New: Out of office users#

Details of the users who are currently out of office. (Available from Cortex XSOAR 5.5.0.)

New: Shift changes in#

Displays the amount of time left until the end of the shift. (Available from Cortex XSOAR 5.5.0.)


Sixgill Darkfeed - Annual Subscription Pack v1.2.4 (Partner Supported)#

Integrations#

Sixgill DarkFeed Enrichment#

Fixed an issue where some arguments were incorrectly marked as default arguments.


Skyformation Pack v1.0.2 (Partner Supported)#

Integrations#

Skyformation (Deprecated)#
  • Deprecated. Following a merger and acquisition, the partner declared end-of-life for this integration.

Slack Pack v1.3.13#

Integrations#

New: Slack IAM#
  • Integrates with Slack's services to execute create, read, update, and delete operations for employee lifecycle processes. (Available from Cortex XSOAR 6.0.0.)
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Slack IAM#

Fixed the display names for various integration parameters.


Snowflake Pack v1.0.2#

Integrations#

Snowflake#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/snowflake:1.0.0.2505.

Spamhaus Feed Pack v1.0.3#

Integrations#

Spamhaus Feed#

The Use system proxy settings parameter now works as expected.


Splunk Pack v1.2.9#

Integrations#

SplunkPy#
  • Added support for the limit argument in the splunk-results command to control the number of returned results.
  • Fixed an issue where a KeyError exception was raised while trying to edit a notable.
  • Fixed an issue where some arguments were incorrectly marked as default.

Stealthwatch Cloud Pack v1.0.3#

Integrations#

Stealthwatch Cloud#

Fixed the display names for various integration parameters.


Symantec Blue Coat Content and Malware Analysis (Beta) Pack v1.0.2#

Integrations#

Symantec Blue Coat Content and Malware Analysis (Beta)#

Removed the following integration parameters, which were not in use:

  • Verbose
  • Max. Polling Time

Symantec Managed Security Services Pack v1.0.2#

Integrations#

Symantec Managed Security Services#

Fixed an issue where the integration failed on an XML parsing error.


ThreatConnect Pack v2.0.12#

Integrations#

ThreatConnect (Deprecated)#

Documentation and metadata improvements.

ThreatConnect v2#
  • Fixed an issue where the security_label argument was not used correctly in the tc-create-document-group command.
  • Removed the updatedValues argument from the tc-update-indicator command since it is not used.
  • Fixed the display names for various integration parameters.

Troubleshoot Pack v2.0.1#

Playbooks#

Integration Troubleshooting#

Fixed an issue where the playbook failed to run due to incorrect condition handling in the "What is the troubleshoot type?" task.


TruSTAR Pack v2.1.2 (Partner Supported)#

Integrations#

TruSTAR (Deprecated)#

Documentation and metadata improvements.


Uptycs Pack v1.0.4 (Partner Supported)#

Integrations#

Uptycs#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/uptycs:1.0.0.15503.

VirusTotal Pack v1.0.3#

Integrations#

VirusTotal#

Fixed an issue in the url command where invalid URLs were not handled correctly.


VulnDB Pack v1.0.2#

Integrations#

VulnDB#
  • Fixed the display names for various integration parameters.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Windows Defender Advanced Threat Protection (Deprecated) Pack v1.0.3#

Integrations#

Windows Defender Advanced Threat Protection (Deprecated)#

Documentation and metadata improvements.


WootCloud Pack v1.0.3 (Partner Supported)#

Integrations#

WootCloud#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Workday Pack v1.0.8#

Integrations#

Workday#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Workday IAM#

Added the import for IAMApiModule to support all IAM classes.


XSOAR Mirroring Pack v2.0.1#

Integrations#

XSOAR Mirroring#
  • Fixed an issue where the columns argument did not work as expected in the xsoar-search-incidents command.
  • Updated the Docker image to: demisto/python3:3.9.1.14969.

Zscaler Pack v1.1.1#

Integrations#

Zscaler#

Fixed an issue where some arguments were incorrectly marked as default arguments.


iDefense Pack v3.0.1#

Integrations#

iDefense Feed#

Internal code improvements.


mnemonic MDR Pack v1.0.1 (Partner Supported)#

Integrations#

mnemonic MDR - Argus Managed Defence#
  • Fixed an issue where some arguments were incorrectly marked as default arguments.
  • Fixed an issue where the First fetch time parameter was not handled correctly.
  • Updated the Docker image to: demisto/argus-toolbelt:1.0.0.15350.

okta Pack v2.1.5#

Integrations#

Okta IAM#

Added the import for IAMApiModule to support all IAM classes.


Assets#