Cortex XSOAR Content Release Notes for version 21.3.1 (303170)#

Published on 16 March 2021#

Breaking Changes#

The following pack includes breaking changes: EWS Pack v1.8.6

New: Campaign Pack v1.0.0#

Scripts#

FindEmailCampaign#

Find a campaign of emails based on their textual similarity.


New: Nist NVD Pack v1.0.0 (Community Contributed)#

Integrations#

Nist NVD#

Allows government agencies, software vendors, and researchers to search and view information about vulnerabilities and vulnerable products.


New: Opsgeniev2 Pack v1.0.0 (Community Contributed)#

Integrations#

Opsgeniev2#

Provides actionable and reliable alerting.


New: PICUS Pack v1.0.0 (Community Contributed)#

Integrations#

PICUS#

Continuous Breach And Attack simulation.


New: Popular Cybersecurity News Pack v1.0.0 (Community Contributed)#

Incident Fields#

CustomNewsGrid

Incident Types#

News Type

Integrations#

Popular News#

Fetches the security news from three sources: Threatpost, The Hacker News and Krebs. The output includes the titles, links of the news articles and other metadata, in the format of a markdown table. The integration commands can either fetch the news from one source or from all sources at a time.

Layouts#

News Layout

Playbooks#

JOB - Popular News#

Playbook can be run ad-hoc or as a job to fetch results from popular news sites.


New: QR Code Reader Pack v1.0.0 (Community Contributed)#

Integrations#

QR Code Reader - goqr.me#

Reads a QR Code from an image file.


New: UpdateEntriesBySearch Pack v1.0.0 (Community Contributed)#

Scripts#

MarkAsEvidenceBySearch#

Searches entries in the War Room for the pattern text, and mark them as evidence.

MarkAsNoteBySearch#

Searches entries in the War Room for the pattern text, and mark them as notes.

SetTagsBySearch#

Searches entries in the War Room for the pattern text, and set tags for the entries found.


AWS - S3 Pack v1.0.4#

Integrations#

AWS - S3#
  • Fixed an issue in the aws-s3-list-bucket-objects command where an empty bucket would cause the command to fail.
  • Updated the Docker image to: demisto/boto3:2.0.0.17503.

AbuseIPDB Pack v1.0.2#

Integrations#

AbuseIPDB#

Added the confidence argument to the abuseipdb-get-blacklist command.

Scripts#

AbuseIPDBPopulateIndicators#

Added the confidence argument to the script.


Active Directory Query Pack v1.1.7#

Playbooks#

New: Active Directory Investigation#

Provides tools and guidance to investigate changes and manipulation in Active Directory containers, ACLs, schema, and objects. This playbook uses a 3rd party tool provided by Microsoft to scan the Active Directory access list, trees, and objects. Additional investigative information is provided for manual investigation. (Available from Cortex XSOAR 6.0.0).


ArcSight Logger Pack v1.0.2#

Integrations#

ArcSight Logger#

This release introduces the following fetch features:

  • Fetch limit
  • Aggregate fetch - Fetches all events from the query into one fetch.
  • Fields to fetch - Allows the user to specify which fields to fetch.

Atlassian Jira Pack v1.2.13#

Integrations#

Atlassian Jira v2#
  • Fixed an issue where the issue type was printed instead of the project name in the War Room response of the jira-create-issue command.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.15507 to handle possible OAuth1 authentication failures introduced in version 1.2.12 of the pack.

Azure Compute Pack v1.0.7#

Integrations#

Azure Compute v2#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Azure Kubernetes Services Pack v1.0.2#

Integrations#

Azure Kubernetes Services (Beta)#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Azure Log Analytics Pack v1.0.7#

Integrations#

Azure Log Analytics (Beta)#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Azure Network Security Groups Pack v1.0.2#

Integrations#

Azure Network Security Groups#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Azure SQL Management (Beta) Pack v1.0.3#

Integrations#

Azure SQL Management (Beta)#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Azure Security Center Pack v1.1.7#

Integrations#

Azure Security Center v2#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Azure WAF Pack v1.0.3#

Integrations#

Azure Web Application Firewall#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

AzureSentinel Pack v1.0.8#

Integrations#

Azure Sentinel (Beta)#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Base Pack v1.7.23#

Scripts#

SanePdfReports#
  • Fixed an issue where stacked charts could be empty if the group by argument was not provided.
  • Fixed an issue where line chart sizing in reports could be out of bounds.
  • Added support for paddings in list widgets.
  • Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.17031.
FindSimilarIncidentsByText#

The script will now run in a separate container.

CommonServerPython#
  • Fixed an issue where TableToMarkdown modified the headers parameter when removeNull=True.
  • Maintenance and stability enhancements.
New: ValidateContent#

Runs validation and linting on content items.

CommonServerPowerShell#

Fixed the FileResult function to support file info entries.


Cisco umbrella cloud security Pack v1.0.1 (Community Contributed)#

Integrations#

Cisco umbrella cloud security#
  • Added the umbrella-remove-domain command.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Common Playbooks Pack v1.9.0#

Playbooks#

Get File Sample By Hash - Generic v3#
  • Added Code42 File Download as a sub-playbook to retrieve files using the Code42 integration.
  • Fixed an issue that caused an error in the playbook when one of the sub-playbooks was not available.
Get File Sample From Path - Generic V2#

Fixed an issue that caused an error in the playbook when one of the sub-playbooks was not available.


Common Scripts Pack v1.3.28#

Scripts#

CheckFieldValue#

Fixed an issue where the script was failing for certain fields.

ConvertXmlToJson#

Metadata and documentation enhancements.

IncidentAddSystem#

Metadata and documentation enhancements.

ParseJSON#

Metadata and documentation enhancements.

IsGreaterThan#

Metadata and documentation enhancements.

MathUtil#

Metadata and documentation enhancements.

CreateArray#

Metadata and documentation enhancements.

ConvertXmlFileToJson#

Metadata and documentation enhancements.

UnEscapeIPs#

Metadata and documentation enhancements.

CreateEmailHtmlBody#

Metadata and documentation enhancements.

LessThanPercentage#

Metadata and documentation enhancements.

FileCreateAndUpload#

Metadata and documentation enhancements.

NotInContextVerification#

Metadata and documentation enhancements.

FindSimilarIncidents#
  • Fixed an issue where the script would not find similar incidents using the similarIncidentFields argument when given an int type.
  • Updated the Docker image to: demisto/python:2.7.18.15765.
PortListenCheck#

Metadata and documentation enhancements.

DumpJSON#

Metadata and documentation enhancements.

UnPackFile#

Metadata and documentation enhancements.

Base64EncodeV2#

Updated the Docker image to: demisto/python3:3.9.1.15759.

DT#

Metadata and documentation enhancements.

InRange#

Metadata and documentation enhancements.

GetDuplicatesMlv2#

The script will now run in a separate container.

IsRFC1918Address#
  • Fixed an issue where the script was not working as a transformer.
  • Updated the Docker image to: demisto/netutils:1.0.0.14492.

Common Types Pack v2.8.7#

Incident Fields#

Hostnames

Indicator Types#

urlRep - Fixed an issue where URLs with an underscore were not extracted.


ConcentricAI Pack v1.2.0 (Partner Supported)#

Integrations#

ConcentricAI#

Enhanced the playbook and the overall functioning.

Playbooks#

ConcentricAI Demo Playbook#

The playbook now enables you to fetch all file details, file sharing permissions, user details of the owner, and the summaryReport of the incident.


Cyberint Pack v1.0.3 (Partner Supported)#

Incident Fields#

Added the following incident fields:

  • incident_cyberintalertid
  • incident_cyberintattachments
  • incident_cyberintcategory
  • incident_cyberintclosurereason
  • incident_cyberintconfidence
  • incident_cyberintcreatedby
  • incident_cyberintcreateddate
  • incident_cyberintdescription
  • incident_cyberintexpertanalysis
  • incident_cyberintimpact
  • incident_cyberintrecommendation
  • incident_cyberintrelatedentities
  • incident_cyberintrelatediocs
  • incident_cyberintsource
  • incident_cyberintsourcecategory
  • incident_cyberintstatus
  • incident_cyberinttags
  • incident_cyberinttargetedbrand
  • incident_cyberinttargetedvector
  • incident_cyberintthreatactor
  • incident_cyberintticketid
  • incident_cyberinttitle
  • incident_cyberinttype
  • incident_cyberinvulnerablecnamerecord

Incident Types#

Cyberint Incident#

Improved Cyberint Incident coverage.

Integrations#

Cyberint#
  • Updated the mapper, classifier, and layout.
  • Added new incident fields.

Layouts Containers#

Cyberint Incident Layout#

Improved Cyberint Incident Layout coverage.

Mappers#

CyberInt (mapper)#

Improved CyberInt (mapper) coverage.


Digital Shadows Pack v1.0.1#

Integrations#

Digital Shadows#
  • Added support for pagination in ingesting incidents into XSOAR to ensure all entries are retrieved.
  • Removed the creation of duplicate XSOAR incidents for each Digital Shadows Exposed Credential alert.

Playbooks#

New: Digital Shadows Retrieve Exposed Credentials#

Retrieves the exposed email address and password relating to a Digital Shadows Exposed Credential alert. (Available from Cortex XSOAR 5.0.0.)


EWS Pack v1.8.6#

Integrations#

EWS O365#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.
O365 - Security And Compliance - Content Search (beta)#

Fixed an issue where using the limit parameter in the O365-sc-get-search-action command resulted in an error.

Playbooks#

O365 - Security And Compliance - Search Action - Delete#

Breaking Change - Changed the context-keys mapping of the results returned for a SearchAction object. After the change, all of the results are mapped to O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.

O365 - Security And Compliance - Search Action - Preview#

Breaking Change - Changed the context-keys mapping of the results returned for a SearchAction object. After the change, all of the results are mapped to O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.

O365 - Security And Compliance - Search#

Breaking Change

  • Changed the context-keys mapping of the results returned for a SearchAction object. After the change, all of the results are mapped to O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.
  • Changed the context-keys mapping of the results returned for a Search object. After the change, all of the results are mapped to O365.SecurityAndCompliance.ContentSearch.Search.Results.

Scripts#

CreateCertificate#
  • Fixed an issue where the script was prevented from running by a The term 'New-SelfSignedCertificate' is not recognized as a name of a cmdlet error message.
  • Updated the Docker image to: demisto/pwsh-exchange:1.0.0.17451.

Exabeam Pack v2.0.0#

Integrations#

Exabeam#
  • Added 19 commands:
    • exabeam-get-session-info-by-id
    • exabeam-list-top-domains
    • exabeam-list-triggered-rules
    • exabeam-get-asset-info
    • exabeam-list-asset-timeline-next-events
    • exabeam-list-security-alerts-by-asset
    • exabeam-search-rules
    • exabeam-get-rule-string
    • exabeam-fetch-rules
    • exabeam-get-rules-model-definition
    • exabeam-list-context-table-records
    • exabeam-add-context-table-records
    • exabeam-update-context-table-records
    • exabeam-context-table-delete-records
    • exabeam-context-table-addbulk
    • exabeam-get-context-table-in-csv
    • exabeam-watchlist-add-from-csv
    • exabeam-watchlist-asset-search
    • exabeam-watchilst-remove-items
  • Added support for Cluster Authentication Token.
  • Enabled Cross-Site Request Forgery (CSRF) protection support.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Farsight DNSDB Pack v2.1.2 (Partner Supported)#

Integrations#

Farsight DNSDB v2#

Changed the swclient reported to DNSDB to remove an unwanted hyphen.


GraphQL Pack v1.0.1#

Integrations#

GraphQL#

Updated the Docker image to: demisto/graphql:1.0.0.17480.


IBM QRadar Pack v1.2.12#

Integrations#

IBM QRadar v2#
  • Fixed an issue where the integration would return None instead of displaying an error message.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

IntSights Pack v1.0.4#

Integrations#

IntSights#

Maintenance and stability enhancements.


Integrations & Incidents Health Check Pack v1.1.16#

Scripts#

IntegrationsCheck-Widget-NumberFailingInstances#

Fixed an issue where the IntegrationsErrorsInfo widget would show an error after a fresh install.

IntegrationsCheck-Widget-IntegrationsErrorsInfo#

Fixed an issue where the NumberFailingInstances widget would display 1 failed instance after a fresh install when there were no failed instances.


Intel471 Feed Pack v1.1.0#

Integrations#

Intel471 Malware Feed#

Removed duplicates of a parameter that prevented configuring an instance.

Intel471 Intel471 Actors Feed#

Removed duplicates of a parameter that prevented configuring an instance.


Joe Security Pack v1.0.4#

Integrations#

Joe Security#

Fixed an issue where the joe-analysis-submit-sample command failed if given a file with non-ASCII characters.


MITRE ATT&CK Pack v1.1.10#

Indicator Fields#

Layouts#

MITRE ATT&CK - Added Courses of Action data.

Layouts Containers#

MITRE ATT&CK Indicator - Added Courses of Action data.


Microsoft Defender for Endpoint Pack v1.2.12#

Integrations#

Microsoft Defender for Endpoint#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph API Pack v1.0.2#

Integrations#

Microsoft Graph API#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Applications Pack v1.0.2#

Integrations#

Microsoft Graph Applications#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Calendar Pack v1.0.7#

Integrations#

Microsoft Graph Calendar#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Device Management Pack v1.0.8#

Integrations#

Microsoft Graph Device Management (Microsoft Intune)#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Files Pack v1.0.7#

Integrations#

Microsoft Graph Files#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Groups Pack v1.0.6#

Integrations#

Microsoft Graph Groups#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Identity & Access Pack v1.0.2#

Integrations#

Microsoft Graph Identity & Access#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Mail Pack v1.0.16#

Integrations#

Microsoft Graph Mail#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Mail Single User Pack v1.0.13#

Integrations#

Microsoft Graph Mail Single User#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph Security Pack v2.0.9#

Integrations#

Microsoft Graph Security#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Graph User Pack v1.3.8#

Integrations#

Microsoft Graph User#
  • Changed the msgraph-user-get command to handle 404 errors instead of raising an error.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.
  • Updated the Docker image to: demisto/crypto:1.0.0.16776.

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.8#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

Microsoft Teams Pack v1.1.3#

Integrations#

Microsoft Teams Management#
  • Updated the MicrosoftApiModule script to handle a 404 - Page Not Found response.
  • Fixed an issue where the ok_codes argument was passed to the HTTP request two times.

MongoDB Pack v1.2.1#

Integrations#

MongoDB#
  • Added the mongodb-pipeline-query command.
  • Improved the description and documentation for the mongodb-query command.
  • Updated the Docker image to: demisto/pymongo:1.0.0.16066.

Orca Pack v1.0.4 (Partner Supported)#

Integrations#

Orca#
  • Added dynamic informational alerts querying.
  • Fixed a timestamp bug.
  • Enabled alert sync by relative time.

PAN-OS Pack v1.6.15#

Integrations#

Palo Alto Networks PAN-OS#
  • Adding 3 commands:
    • panorama-list-configured-user-id-agents
    • panorama-show-user-id-interfaces-config
    • panorama-show-zones-config
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.9.2#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Improved implementation of empty parameters handling provided to the xdr-run-script command.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Playbooks#

Cortex XDR incident handling v3#
  • Fixed an issue that prevented XDR incidents from closing as false positives.
  • Fixed an issue that prevented the execution of incident auto-remediation.
  • Fixed an issue that affected indicator hunting using the Palo Alto Networks - Hunting And Threat Detection playbook.
  • Fixed an issue where the Palo Alto Networks - Hunting And Threat Detection playbook was not skipped when unavailable.

Palo Alto Networks PAN-OS EDL Management Pack v1.0.2#

Integrations#

Palo Alto Networks PAN-OS EDL Management (Deprecated)#

Deprecated. Use the Palo Alto Networks PAN-OS EDL Service integration instead.


Palo Alto Networks WildFire Pack v1.3.0#

Integrations#

Palo Alto Networks WildFire v2#
  • Added the wildfire-get-url-webartifacts command.
  • Added detection_reasons to the outputs of the wildfire-report command.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Playbooks#

Detonate URL - WildFire v2.1#

Added detection_reasons to the playbook outputs.


Phishing Pack v2.2.1#

Scripts#

FindDuplicateEmailIncidents#

Maintenance and stability enhancements.


RSA Archer Pack v1.1.12#

Integrations#

RSA Archer v2#
  • Improved implementation of the incident time field comparison to be accurate to a microsecond level.
  • Added the isDescending argument to the archer-search-records command.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Ransomware Pack v1.0.3#

Incident Fields#

  • Ransomware Note
  • Ransomware Encrypted File Owner
  • Ransomware Cryptocurrency Address Type
  • Ransomware Data Encryption Status
  • Ransomware Approximate Number Of Encrypted Endpoints
  • Ransomware Recovery Tool
  • Ransomware Strain
  • Ransomware Onion Address
  • Ransomware Email
  • Ransomware Cryptocurrency Address

Incident Types#

Layouts Containers#

New: Post Intrusion Ransomware#

New layout for the Post Intrusion Ransomware Investigation playbook. (Available from Cortex XSOAR 6.0.0.)

Playbooks#

New: Post Intrusion Ransomware Investigation#

Provides the first step in the investigation of ransomware attacks.

The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database.

You will be guided with further investigation steps throughout the playbook. Some of the key features are:

  • Encrypted file owner investigation.
  • Endpoint forensic investigation.
  • Active Directory investigation.
  • Timeline of the breach investigation.
  • Indicator and account enrichment.

For the full operation of the playbook, the following data should be mapped to the relevant incident fields.

  • Username - Usernames (common incident field)
  • Hostname - Hostnames (common incident field)

(Available from Cortex XSOAR 6.0.0.)

Scripts#

New: RansomwareDataEncryptionStatus#

This widget script checks for the data encryption status in the Post Intrusion Ransomware Investigation playbook and layout. (Available from Cortex XSOAR 6.0.0.)

New: RansomwareHostWidget#

Entry widget that returns the number of affected hosts in a Post Intrusion Ransomware incident. (Available from Cortex XSOAR 6.0.0.)


Rapid Breach Response Pack v1.4.3#

Playbooks#

New: HAFNIUM - Exchange 0-day exploits#

This playbook includes the following tasks:

  • Collects indicators to be used in your threat hunting process.
  • Retrieves IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities.
  • Discovers IOCs related to the attack.
  • Queries firewall logs to detect malicious network activity.
  • Searches endpoint logs for malicious hashes to detect compromised hosts. (Available from Cortex XSOAR 5.5.0.)
  • Blocks indicators.

Read more about the attack in the Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/

HAFNIUM - Exchange 0-day exploits#
  • Expanded IOC coverage.
  • Queries Expanse issues to detect malicious network activity.
  • Added mitigation tasks.
  • Added more coverage for XDR and Expanse hunting.
  • Added IOCs hunting using Splunk.
  • Added predefined automated Windows Event Logs hunting queries for SIEMs.
  • Added IOCs hunting using Qradar.
  • Links related Expanse and Cortex XDR incidents.

Recorded Future Feed Pack v1.0.7#

Integrations#

Recorded Future RiskList Feed#
  • Reduced memory consumption during feed download.
  • Enhanced download speed by downloading a compressed feed file.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

Splunk Pack v1.3.2#

Integrations#

SplunkPy#
  • Fixed an issue where some events were dropped instead of being properly fetched.
  • This is a rollback of the latest version, due to a possible failure of fetch-incidents introduced in version 1.3.1 of the pack.

Unit42 Feed Pack v1.1.1#

Integrations#

Unit42 Feed#
  • Creates MITRE ATT&CK indicators when fetching STIX reports.
  • Updated the Docker image to: demisto/taxii2:1.0.0.13859.

mnemonic MDR Pack v1.1.0 (Partner Supported)#

Incident Fields#

  • Argus Case HTML - Allows the user to see Argus Case descriptions with correct formatting in the incident layout.
  • Argus Case Link - Provides the user with a direct link to the Argus Case in the incident layout.

Integrations#

mnemonic MDR - Argus Managed Defence (Partner Contribution)#
  • Rapidly detect, analyze, and respond to security threats with mnemonic’s leading Managed Detection and Response (MDR) service. (Available from Cortex XSOAR 6.0.0.)
  • Provides support for incident mirroring
    • Implements the get-remote-data, update-remote-system, and get-mapping-fields methods.
    • Mirrors up and down Argus Case comments, attachments, priority, and status.
    • The default playbook is required to fetch all attachments and comments that are added to the Argus Case prior to the incident being fetched in XSOAR. This is important to remember if defining your own playbooks.
  • Added 3 commands
    • argus-print-case-comments - Prints Argus Case comments as War Room notes instead of adding them to context data.
    • argus-print-case-metadata-by-id - Prints Argus Case metadata as a War Room chat instead of adding the JSON to the context data.
    • argus-download-case-attachments - Downloads all Argus Case attachments with one dedicated integration command instead of having to use a playbook to list all attachments and download them one by one.
  • Added 3 integration parameters
    • exclude_tag - Allows the integration to exclude fetching incidents from Argus Cases with the specified tag of key or key: value pair.
    • mirroring_direction - Defines the directions the integration will mirror incidents: None, In, Out, Both.
    • mirror_tag - Defines the tag to attach to War Room entries (notes or attachments) that will be mirrored out.
  • Updated the Docker image to: demisto/argus-toolbelt:2.0.0.16706.

Layouts Containers#

Argus Case#

Updated to use the new print-comments/attachments and HTML fields.

Mappers#

Argus Case Mapper#

Updated to reflect incident mirroring support and new fields.

  • Support for dBotMirroring keys.
  • Support for mapping the following incident fields:
    • Argus Case HTML
    • Argus Case Link

Playbooks#

Pull Case Metadata - Argus Managed Defence#
  • Pulls metadata, attachments, comments, tags, and events related to the Argus Case for later use.
  • Updated to use new commands where comments are displayed as notes in the incident.
  • Downloads all case attachments with a new dedicated integration command.

Assets#