Skip to main content

Cortex XSOAR Content Release Notes for version 21.3.0 (292063)

Published on 02 March 2021#

New: Ansible Powered Integrations Pack v1.0.0 (Community Contributed)#

Integrations#

ACME#

Automatic Certificate Management Environment of Linux hosts.

Alibaba Cloud#

Manage Alibaba Cloud Elastic Compute instances.

Azure Compute v3#

Manage Azure Compute resources.

Azure Networking#

Manage Azure Networking resources.

Cisco IOS#

Cisco IOS Platform management over SSH.

Cisco NX-OS#

Cisco NX-OS Platform management over SSH.

DNS#

Manage DNS records using nsupdate.

HCloud#

Manage your Hetzner Cloud environment.

Kubernetes#

Manage Kubernetes.

Linux#

Agentlesss Linux host management over SSH.

Microsoft Windows#

Agentless Windows host management over WinRM.

OpenSSL#

Control OpenSSL on remote Linux hosts.

VMware v2#

Manage VMware vSphere Server, guests, and ESXi Hosts.

Playbooks#

Wait Until Windows Host Online#

Pauses execution until the Windows host responds to a ping over WinRM.

Windows Application Deployment#

Helps an operator install Windows applications to workstations using the Chocolatey package manager.


New: Atlassian IAM Pack v1.0.0#

Integrations#

Atlassian IAM#

Integrate with Atlassian services to execute create, read, update, and delete operations for employee lifecycle processes.


New: CTIX Pack v1.0.0 (Partner Supported)#

Integrations#

Cyware Threat Intelligence eXchange#

Cyware Threat Intelligence eXchange (CTIX) integration enriches IP/Domain/URL/File data.


New: GraphQL Pack v1.0.0#

Integrations#

GraphQL#

The Generic GraphQL client can interact with any GraphQL server API.


New: JARM Pack v1.0.0#

Indicator Fields#

JARM Hosts#

Indicator Types#

JARM

Integrations#

JARM#

Active TLS fingerprinting using JARM.


New: Malware Lateral Movement Assessment and Response Pack v1.0.0 (Community Contributed)#

Playbooks#

Powershell Payload Response#

When file payload executions are detected from an endpoint machine PowerShell, this playbook begins the remediation process.


New: Manage Engine Service Desk Plus (On-Premise) Pack v1.0.0#

Integrations#

Service Desk Plus (On-Premise)#

Manage your on-premises Service Desk Plus requests. This integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.


New: Microsoft Graph Applications Pack v1.0.0#

Integrations#

Microsoft Graph Applications#

Manages authorized applications.


New: Microsoft Graph Identity & Access Pack v1.0.0#

Integrations#

Microsoft Graph Identity & Access#

Manages roles and members.


New: RubrikPolaris Pack v1.0.0 (Partner Supported)#

Classifiers#

Rubrik Polaris Radar - Classification#
Rubrik Polaris Radar - Mapping#

Incident Fields#

  • Rubrik Polaris Activity Series ID
  • Rubrik Polaris Analysis Progress
  • Rubrik Polaris CDM Cluster ID
  • Rubrik Polaris CDM Cluster Name
  • Rubrik Polaris Event Completed
  • Rubrik Polaris Event ID
  • Rubrik Polaris Last Activity Status
  • Rubrik Polaris Last Updated
  • Rubrik Polaris Message
  • Rubrik Polaris Object ID
  • Rubrik Polaris Object Name
  • Rubrik Polaris Object Type

Incident Types#

Rubrik Radar

Integrations#

Rubrik Polaris#

Creates a new incident when a Polaris Radar anomaly event is detected and determines whether any Sonar data classification hits were found on that object.

Playbooks#

Rubrik Polaris - Anomaly Analysis#

Monitors the progress of a Rubrik Radar anamoly event and uses Rubrik Sonar to check for data classification hits.

Scripts#

RubrikSonarSensitiveHits#

Displays the Rubrik Polaris Sonar data classification results.


New: Salesforce Indicators Pack v1.0.0 (Community Contributed)#

Integrations#

Salesforce Indicators#

Pulls any Salesforce object as an indicator.


New: XSOAR - Simple Dev to Prod Pack v1.0.0 (Community Contributed)#

Incident Fields#

  • XSOAR Dev Instance Name The name of the Dev Demisto REST API instance in the simple Dev to Prod setup.
  • XSOAR Dev to Prod Method The method used in the XSOAR Dev to Prod playbook (manual or automated).
  • XSOAR Prod Instance Name The name of the Prod Demisto REST API instance in the simple Dev to Prod setup.

Incident Types#

XSOAR Dev to Prod

Layouts#

XSOAR_Dev_to_Prod

Playbooks#

JOB - XSOAR - Export Selected Custom Content#

This playbook is intended to be run as an adhoc job to quickly create a custom content bundle with only the selected items from the server's custom content. You can import the new zip file to other XSOAR servers.

Create a Job with the Type XSOAR Dev to Prod, and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs.

JOB - XSOAR - Simple Dev to Prod#

This playbook is intended to be run as an adhoc job to quickly create a custom content bundle with only the selected items from the servers custom content. You can import the new zip file to other XSOAR servers, or push it to production using the Demisto REST API integration.

Please make sure to read the setup instructions for this pack carefully.

Create a Job with the Type XSOAR Dev to Prod, and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs.

Scripts#

CustomContentBundleWizardry#

Accepts an XSOAR custom content bundle, and either returns a list of file names, or the files you want to the War Room.

IsDemistoRestAPIInstanceAvailable#

Checks if the provided Demisto REST API instance is available for the XSOAR Simple Dev to Prod workflow.


ANY.RUN Pack v1.0.2#

Integrations#

ANY.RUN#
  • Fixed an issue where the anyrun-get-report command unexpectedly returned a 403 error.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

AWS - Security Hub Pack v1.0.4#

Integrations#

AWS - Security Hub#
  • Fixed a pagination issue with the aws-securityhub-get-findings command.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.16892.

Active Directory Query Pack v1.1.6#

Integrations#

Active Directory Query v2#

Fixed an issue where a duplicated field caused the iam-create-user command to fail.

Scripts#

IAMInitADUser#

Fixed an issue where an email was sent even though the create user flow had failed.


AutoFocus Pack v1.1.14#

Integrations#

Palo Alto Networks AutoFocus v2#
  • Fixed an issue where file tags were not available in the File.Tags context path in the file command.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Azure Compute Pack v1.0.5#

Integrations#

Azure Compute v2#
  • Removed the markdown format of links in the description of an argument.
  • Updated the Docker image to: demisto/crypto:1.0.0.16548.

Base Pack v1.7.17#

Scripts#

CommonServerPython#
  • Deleted mirroring logging in the GetRemoteDataResponse class that used an invalid key.
  • Added an EMAIL class.
DBotMLFetchData#
  • Maintenance and stability enhancements.

BlockList DE Feed Pack v1.0.5#

Integrations#

Blocklist_de Feed#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

Box Pack v2.1.1#

Integrations#

Box v2#
  • Added the box-move-folder command to match the functionality found in Box v1.
  • Fixed an issue where the box-upload-file command would ignore a given folder ID.

BruteForce Feed Pack v1.0.5#

Integrations#

BruteForceBlocker Feed#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

Cloudflare Feed Pack v1.0.5#

Integrations#

Cloudflare Feed#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

Common Playbooks Pack v1.8.12#

Playbooks#

New: Context Polling - Generic#

Polls a context key to check if a specific value exists.


Common Scripts Pack v1.3.22#

Scripts#

New: CheckContextValue#

Checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value.

CheckFieldValue#
  • Internal code improvements.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.
GetIndicatorDBotScore#

Fixed an issue where the script failed on indicators with Type File-256.

CheckContextValue#

Fixed an issue where the script was failing for certain context paths.


Common Widgets Pack v1.0.7#

Widgets#

New: MTTR by Type (in minutes)#

Displays changes in Mean Time to Resolution (in minutes), over time, while differentiating between incident types.

MTTR by Type#

Metadata and documentation enhancements.


CrowdStrike Falcon Pack v1.2.13#

Classifiers#

CrowdStrike Falcon#

Fixed an issue where the Device Name field in the mapper would not work properly.

CrowdStrike Falcon Mapper#

Fixed an issue where the Device Name field in the mapper would not work properly.


Crowdstrike Falcon Intel Feed Pack v1.0.5#

Integrations#

Crowdstrike Falcon Intel Feed#
  • Removed the markdown format of links in the description of an argument.
  • Added the Cloud Base URL integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Cyren Threat InDepth Threat Intelligence Pack v1.4.0 (Partner Supported)#

Classifiers#

Cyren Threat InDepth Indicator Mapper#
  • Maps the malware family for Cyren Threat InDepth file indicators into the Cyren Malware Family indicator field.
  • Translates the country code from Cyren Threat InDepth IP indicators to a full country name in the Cyren Country Name indicator field.

Dashboards#

Cyren Threat InDepth Dashboard#

Contains new statistics for malware families and countries hosting malicious IPs.

Indicator Fields#

Integrations#

Cyren Threat InDepth Threat Intelligence Feed#
  • Updated requests to the Cyren Threat InDepth Service to contain additional headers that specifically marks them as coming from Cortex XSOAR (including the pack's version number).
  • Updated the DBot score for IP indicators to also take Cyren IP Risk into consideration now.
  • Added the cyren-threat-indepth-get-client-offset command that allows you to retrieve the stored feed offset.
  • Added the cyren-threat-indepth-reset-client-offset command that allows you to reset the stored feed offset if necessary.

Layouts#

Scripts#

New: CyrenCountryLookup#

Translates a country code provided by Cyren products to a full country name (English, country code based on ISO 3166-1). (Available from Cortex XSOAR 6.0.0.)

New: CyrenThreatInDepthRelatedWidgetQuick#

Displays limited feed relationship data in a table for quick view with the ability to navigate. (Available from Cortex XSOAR 6.0.0.)

CyrenThreatInDepthRelatedWidget#

Updated to use an intermediary script to provide the data.

New: CyrenThreatInDepthRenderRelated#

Intermediary script to provide relationship data in a table with the ability to navigate. (Available from Cortex XSOAR 6.0.0.)


DShield Feed Pack v1.0.5#

Integrations#

DShield Feed#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

EWS Pack v1.8.1#

Integrations#

EWS O365#

Fixed an issue where the ews-move-item-between-mailboxes command would fail due to an access denied error.

New: O365 - EWS - Extension Online Powershell v2#

Gets information about mailboxes and users in your organization. (Available from Cortex XSOAR 5.5.0.)

O365 - EWS - Extension#
  • Added the following commands:
    • ews-mailbox-audit-bypass-association-list
    • ews-user-list
    • ews-remote-domain-get
    • ews-federation-configuration
    • ews-federation-trust
  • Updated the Docker image to: demisto/powershell-ubuntu:7.1.1.16151.

Scripts#

New: CreateCertificate#

Creates a pfx certificate in base64 and a public key cert file.


Export Indicators Pack v1.0.3#

Integrations#

Export Indicators Service#
  • Fixed an issue where empty indicators were returned.
  • Added support for sorting the exported indicators by a given indicator field.
  • Updated the Docker image to: demisto/teams:1.0.0.demisto16907.

FeodoTracker Feed Pack v1.0.8#

Integrations#

Feodo Tracker Hashes Feed (Deprecated)#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

FireEye (AX Series) Pack v1.0.1#

Integrations#

FireEye (AX Series)#

Added support for multiple submission keys in the fe-submit-status command.


FireEye ETP Pack v1.0.2#

Integrations#

FireEye ETP#

Fixed an issue in the fireeye-etp-get-alerts command where directly accessing fields in the response would cause a KeyError exception.


GenericSQL Pack v1.0.10#

Integrations#

Generic SQL#
  • Added support for Microsoft ODBC Driver for SQL Server.
  • Updated the Docker image to: demisto/genericsql:1.1.0.16026.
  • Maintenance and stability enhancements.

GitHub Pack v1.1.9#

Integrations#

GitHub#

Removed the markdown format of links in the description of an argument.

GitHub IAM#

Maintenance and stability enhancements.


Google Key Management Service Pack v1.0.2#

Integrations#

Google Key Management Service#
  • Updated the Docker image to: demisto/google-kms:1.0.0.16731.
  • Maintenance and stability enhancements.

Hello World IAM Pack v1.0.2#

Integrations#

Hello World IAM#

Maintenance and stability enhancements.


IntSights Pack v1.0.3#

Integrations#

IntSights#
  • Fixed an issue where the fetch-incident command did not pull all incidents.

Integrations & Incidents Health Check Pack v1.1.15#

Playbooks#

JOB - Integrations and Incidents Health Check - Lists handling#

Changed the playbook name to JOB - Integrations and Incidents Health Check - Lists handling.

Integrations and Incidents Health Check - Running Scripts#

Changed the playbook name to JOB - Integrations and Incidents Health Check - Running Scripts.

JOB - Integrations and Incidents Health Check#
  • Changed the playbook name to JOB - Integrations and Incidents Health Check
  • Added the auto close investigation option to the playbook input.

Scripts#

CopyLinkedAnalystNotes#
  • Fixed an issue where sorting main_incident_grid failed due to TypeError.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.
GetFailedTasks#
  • Fixed an issue where an empty failed incidents list created a null value in the context.
  • Fixed the format of the Incident Created Date field.
IncidentsCheck-Widget-IncidentsErrorsInfo#

Fixed the format of the Incident Created Date field.


MailListener - POP3 (Beta) Pack v1.0.2#

Integrations#

MailListener - POP3 Beta#

Fixed an issue where decoding non-UTF-8 characters caused the fetch-incidents command to fail on some emails.


MalwareDomainList Feed Pack v1.0.5#

Integrations#

Malware Domain List Active IPs Feed#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

McAfee ESM Pack v1.1.4#

Integrations#

McAfee ESM v2#
  • Removed the markdown format of links in the description of an argument.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Microsoft Cloud App Security Pack v1.0.15#

Integrations#

Microsoft Cloud App Security#

Removed the markdown format of links in the description of an argument.


Nutanix Hypervisor Pack v1.0.1#

Integrations#

Nutanix Hypervisor#

Removed the markdown format of links in the description of an argument.


PAN-OS Pack v1.6.14#

Integrations#

Palo Alto Networks PAN-OS#
  • Added the serialNumber argument to the following command to allow downloading a PCAP file from a Panorama instance.
    • panorama-get-pcap
    • panorama-list-pcap
  • Improved the error returned from the URL filtering commands when running on a Panorama instance.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Palo Alto Networks BPA Pack v1.2.4#

Playbooks#

Run Panorama Best Practice Assessment#

Changed the context of the GenericPolling task to be private in the sub-playbook.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.9.0#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#

Added the following commands.

  • xdr-run-script
  • xdr-run-snippet-code-script
  • xdr-get-script-execution-status
  • xdr-get-script-execution-results
  • xdr-get-script-execution-result-files
  • xdr-run-script-execute-commands
  • xdr-run-script-delete-file
  • xdr-run-script-file-exists
  • xdr-run-script-kill-process

Palo Alto Networks PAN-OS EDL Service Pack v1.0.9#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • Added the XSOAR Indicator Page Size parameter that allows modifying the internal page size used when querying XSOAR for the EDL.
  • Updated the Docker image to: demisto/teams:1.0.0.16813.

Palo Alto Networks WildFire Pack v1.2.6#

Integrations#

Palo Alto Networks WildFire v2#
  • Fixed an issue in the wildfire-upload command where multiple file uploads overrode the context.
  • Updated the Docker image to demisto/python3:3.9.1.15759.

Playbooks#

WildFire - Detonate file#
  • Added support for JS files.
  • Fixed an issue in the inputs of one of the tasks.
Detonate URL - WildFire v2.1#

Fixed an issue where multiple URL and Remote Files submissions failed to retrieve all of the reports.


Plain Text Feed Pack v1.0.6#

Integrations#

Plain Text Feed#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

Proofpoint Protection Server Pack v2.0.3#

Integrations#

Proofpoint Protection Server v2#

Fixed an issue where the following arguments of the proofpoint-pps-smart-search command were not handled properly for Proofpoint on-premise appliance version 8.14.2.

  • start_time
  • end_time

Rapid7 InsightIDR Pack v1.0.1#

Integrations#

Rapid7 InsightIDR#
  • Updated the Docker image to: demisto/python3:3.9.1.15759.
  • Maintenance and stability enhancements.

Salesforce Pack v1.0.5#

Integrations#

Salesforce#

Maintenance and stability enhancements.

Salesforce IAM#

Maintenance and stability enhancements.


ServiceNow Pack v2.1.18#

Integrations#

ServiceNow v2#

Added support for the get-modified-remote-data command that returns a list of modified incidents since the last update. The incoming mirror command, get-remote-data, will run only on the modified incidents identified by this command. For more information, see our documentation.

  • Fixed an issue in the following commands where attachments were not pulled.
    • fetch-incidents
    • servicenow-get-ticket
ServiceNow IAM#

Maintenance and stability enhancements.

Playbooks#

ServiceNow Ticket State Polling#

Fixed the AdditionalPollingCommandName playbook input description.


Slack Pack v1.3.16#

Integrations#

Slack IAM#

Maintenance and stability enhancements.


Sophos XG Firewall Pack v1.0.2#

Integrations#

Sophos Firewall#

Maintenance and stability enhancements.


Spamhaus Feed Pack v1.0.5#

Integrations#

Spamhaus Feed#

Fixed an issue where the following indicator fields were incorrectly populated.

  • First Seen By source
  • Last Seen By source

SumoLogic Pack v1.0.6#

Integrations#

SumoLogic#

Removed the markdown format of links in the description of an argument.


TAXII Feed Pack v1.0.8#

Integrations#

TAXII 2 Feed#

Added the Incremental Feed configuration parameter. This parameter indicates that the feed pulls only indicators that are new or modified. Set this parameter to true when the Full Feed Fetch parameter is disabled.


ThreatX Pack v1.0.1#

Integrations#

ThreatX#
  • Added support for a custom description in the following commands:
    • threatx-block-ip
    • threatx-blacklist-ip
    • threatx-whitelist-ip

Tidy Pack v1.0.1 (Community Contributed)#

Integrations#

Tidy#

Updated the Docker image to: demisto/tidy:1.0.0.16979.


Tor Exit Addresses Feed Pack v1.0.3#

Integrations#

Tor Exit Addresses Feed#
  • Fixed an issue where the following indicator fields were incorrectly populated.
    • First Seen By source
    • Last Seen By source
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Venafi Pack v1.0.1#

Integrations#

Venafi#

Added the Limit argument to the venafi-get-certificates command.


Workday Pack v1.0.12#

Integrations#

Workday IAM Event Generator (Beta)#
  • Fixed an issue where entries were not returned to the War Room.
  • Added the following commands:
    • workday-generate-hire-event
    • workday-generate-update-event
    • workday-generate-rehire-event
    • workday-generate-terminate-event
Workday IAM#
  • Added support for different date formats in Workday reports.
  • Fixed an issue where duplicate incidents were created.

X509Certificate Pack v1.0.4#

Scripts#

CertificateExtract#
  • Updated the Docker image to: demisto/crypto:1.0.0.16776.
  • Maintenance and stability enhancements.

XM Cyber Pack v1.0.6 (Partner Supported)#

Incident Types#

XM Cyber IP Incident - An incident type for incoming incidents that only have an IP address.

Playbooks#

IP Enrichment - XM Cyber#

Fixed an issue where the playbook failed when the entity wasn't found in XM Cyber.


okta Pack v2.1.6#

Integrations#

Okta IAM#

Maintenance and stability enhancements.


Assets#