Skip to main content

Cortex XSOAR Content Release Notes for version 21.3.2 (314549)

Published on 30 March 2021#

Breaking Changes#

The following pack includes breaking changes: MISP Pack v1.0.5

New: Cisco Stealthwatch Pack v1.0.0#

Integrations#

Cisco Stealthwatch#

Scalable visibility and security analytics.

Playbooks#

List Cisco Stealthwatch Security Events#

Lists security events and returns results to the context.

Query Cisco Stealthwatch Flows#

Runs a query on Cisco Stealthwatch flows and returns results to the context.


New: FraudWatch PhishPortal Pack v1.0.0#

Classifiers#

FraudWatch#
FraudWatch Incident - Incoming Mapper#

Incident Fields#

  • FraudWatch Abuse Type

  • FraudWatch Abuse URL

  • FraudWatch Additional URLs

  • FraudWatch Brand

  • FraudWatch Reference ID

Incident Types#

FraudWatch Incident

Integrations#

FraudWatch#

Manage incidents via the Fraudwatch API. FraudWatch International provides a fully managed Enterprise Digital Brand Protection Suite, including online brand management and monitoring, as well as providing other brand protection solutions that protect organizations and their customers around the world against online brand-related abuse.

Layouts#

FraudWatch Incident - Summary


New: Gamma Pack v1.0.0 (Partner Supported)#

Integrations#

Gamma#

Query and update violations in Gamma.


New: Microsoft Policy And Compliance Pack v1.0.0#

Playbooks#

Azure Configuration Analysis#

Helps you collect, review, and find misconfigurations within your Azure environment.

Azure Hunting playbook#

Enables you to collect and investigate suspicious security events from your Azure AD environment.


New: ParseYAML Pack v1.0.0 (Community Contributed)#

Scripts#

ParseYAML#

Parses a YAML string into context.


New: QualysFIM Pack v1.0.0#

Classifiers#

QualysFIM Mapper#
QualysFim Classifier#

Incident Fields#

  • Qualys-Fim Alert ID

  • Qualys-Fim Alert Name

  • Qualys-Fim Approval Date

  • Qualys-Fim Approval Status

  • Qualys-Fim Approval Type

  • Qualys-Fim Assigned Date

  • Qualys-Fim Changed Type

  • Qualys-Fim Comment

  • Qualys-Fim Created By

  • Qualys-Fim Created Date

  • Qualys-Fim Event Type

  • Qualys-Fim Last updated by

  • Qualys-Fim Query

  • Qualys-Fim Reviewers

  • Qualys-Fim Status

  • Qualys-Fim Updated Date

Incident Types#

Qualys-Fim

Integrations#

Qualys FIM#

Log and track file changes across global IT systems.

Layouts#

Qualys FIM


New: SailPoint IdentityNow Pack v1.0.0 (Partner Supported)#

Classifiers#

SailPoint IdentityNow Trigger Mapper#

Incident Fields#

  • SailPoint IdentityNow Trigger Access Request Details Access request details. Returned for the following event trigger types - idn:access-request-pre-approval & idn:access-request-post-approval.
  • SailPoint IdentityNow Trigger Account Aggregated Details Account aggregation details. Returned for the following event trigger type - idn:aggregation-accounts-collected.
  • SailPoint IdentityNow Trigger Attributes Attributes of the Identity. Returned for the following event trigger types - idn:identity-created & idn:identity-deleted.
  • SailPoint IdentityNow Trigger Changes Changes in the attributes of the Identity. Returned for the following event trigger type - idn:identity-attributes-changed.
  • SailPoint IdentityNow Trigger Identity Identity information for whom this event was generated (id, name & type). Returned for the following event trigger types - idn:identity-attributes-changed, idn:identity-created & idn:identity-deleted.
  • SailPoint IdentityNow Trigger Metadata Metadata of the IdentityNow Events (invocationId, triggerId, triggerType, callbackURL, secret & responseMode). Returned for all event trigger types.
  • SailPoint IdentityNow Trigger Post Provisioning Details Post provisioning details. Returned for the following event trigger type - idn:post-provisioning.
  • SailPoint IdentityNow Trigger Search Completed Details Saved completed details. Returned for the following event trigger type - idn:saved-search-complete.

Incident Types#

SailPoint IdentityNow Trigger

Integrations#

SailPoint IdentityNow#

The SailPoint IdentityNow security platform can be configured either on-prem/single-tenant SaaS, or multi-tenant SaaS. This package is intended to be used with the multi-tenant SaaS solution.

Layouts#

SailPoint IdentityNow Trigger


New: USTA Pack v1.0.0 (Community Contributed)#

Integrations#

USTA#

USTA is a Cyber Intelligence Platform that responds directly and effectively to today's complex cyber threats.


New: UnifiVideo NVR Pack v1.0.0 (Community Contributed)#

Classifiers#

UnifiVideo Classifier#

The recommended classifier for the CCTV incident type.

UnifiVideo Mapper#

The mapper for the CCTV incident type.

Incident Fields#

  • UnifiVideo Camera Name

  • UnifiVideo End Time

  • UnifiVideo Start Time

  • UnifiVideo Ubnt ID

Incident Types#

CCTV

Integrations#

UnifiVideo#

Connect to UnifiVideo NVR and manage CCTV cameras.

This integration allows you to fetch motion recording events as incidents.

The integration commands also allow downloading snapshots, recordings, and controlling the camera's infra-red capabilities.

Layouts#

CCTV

Playbooks#

CCTV Motion Detected#

Runs ComputerVision on CCTV events.


AWS - GuardDuty Pack v1.0.1#

Integrations#

AWS - GuardDuty#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/boto3:2.0.0.17652.

AbuseIPDB Pack v1.0.3#

Integrations#

AbuseIPDB#
  • Added support for the Source Reliability integration parameter.
  • Upgraded the Docker image to: demisto/python3:3.9.2.17246.

Atlassian Jira Pack v1.2.15#

Integrations#

Atlassian Jira v2#
  • Fixed an issue where the jira-get-id-by-attribute command would return a list of active and inactive users. Now, the command returns only a list of active users.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.17529.
  • Documentation and metadata improvements.

AutoFocus Pack v1.1.15#

Integrations#

Palo Alto Networks AutoFocus v2#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Base Pack v1.7.28#

Scripts#

CommonServerPython#
  • Added support for the fetch-credentials command in the return_error function.
  • Fixed an issue in the CommandResult.to_context function that would result in no DBotScore being created in the entry context while passing an indicator.
ValidateContent#

Maintenance and stability enhancements.

New: DBotFindSimilarIncidents#

Finds past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. (Available from Cortex XSOAR 5.0.0).

New: DBotFindSimilarIncidentsByIndicators#

Finds similar incidents based on indicators' similarity. Indicators' contribution to the final score is based on their scarcity. (Available from Cortex XSOAR 5.0.0).


BeyondTrust Password Safe Pack v1.0.3#

Integrations#

BeyondTrust Password Safe#
  • Internal code improvements.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Carbon Black Enterprise Response Pack v1.1.5#

Integrations#

VMware Carbon Black EDR#

Fixed an issue where the cb-quarantine-device command would fail with VMware Carbon Black EDR version 7.1.


Common Scripts Pack v1.3.30#

Scripts#

ParseEmailFiles#

Fixed an issue where the script failed to parse emails that contained Russian words.

GetIndicatorDBotScore#

Added support for using multiple indicators at a single time.


CrowdStrike Falcon Pack v1.2.14#

Integrations#

CrowdStrike Falcon#
  • Added the Status output to the cs-falcon-search-device command.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

CrowdStrike Falcon Sandbox Pack v1.0.4#

Integrations#

CrowdStrike Falcon Sandbox#

Maintenance and stability enhancements.


CrowdStrike FalconX Pack v1.1.1#

Integrations#

CrowdStrike Falcon X#
  • Fixed an issue where the cs-fx-upload-file command did not correctly upload .exe and .dll files.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Crowdstrike Falcon Intel Feed Pack v2.0.0#

Integrations#

New: CrowdStrike Indicator Feed#
  • CrowdStrike Falcon Intel Indicator Feed. (Available from Cortex XSOAR 5.5.0.)
  • Updated the Docker image to: demisto/python3:3.9.2.17246.
CrowdStrike Falcon Intel Feed Actors#
  • Changed the integration's display name from: CrowdStrike Falcon Intel Feed to CrowdStrike Falcon Intel Feed Actors.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

CyberArk AIM Pack v1.0.7#

Integrations#

CyberArk AIM v2#
  • Fixed an issue where the following parameters were not encrypted: Certificate File as Text and Key File as Text.
  • Fixed an issue where the Certificate File as Text parameter was encrypted unnecessarily.
  • Updated the Docker image to: demisto/ntlm:1.0.0.17343.

Cyberint Pack v1.0.4 (Partner Supported)#

Integrations#

Cyberint#
  • Added missing outputs.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Cyren Threat InDepth Threat Intelligence Pack v1.5.0 (Partner Supported)#

Indicator Fields#

Integrations#

Cyren Threat InDepth Threat Intelligence Feed#

The integration now requests its data from the V2 endpoints of the various feeds offered by Cyren Threat InDepth. The new version, V2, presents the relationship data in a slightly different format. It also provides more geographic information around IP indicators, such as geo-location or city name.

Layouts Containers#

Cyren Threat InDepth Indicator Template#

New fields Cyren City Name, Cyren Geo Location, are now integrated into indicator details and quick view templates.

Mappers#

Cyren Threat InDepth Indicator Mapper#
  • Maps the new fields, Cyren City Name and Cyren Geo Location, from the new feed data.
  • Uses direct feed data for Cyren Country Name (instead of indirect data from CyrenCountryLookup).

EWS Pack v1.8.9#

Integrations#

O365 - Security And Compliance - Content Search (beta)#

Fixed the o365-sc-get-search and o365-sc-get-search-action commands so they return an InfoFile entry (instead of a File entry) when the export argument is specified.

EWS v2#

Fixed an issue where the fetch-incidents command would not handle a message subject that is longer than 255 characters.

Playbooks#

Office 365 Search and Delete#

Fixed an issue where the playbook would fail when there was an excessive number of concurrent connections.

O365 - Security And Compliance - Search#

Fixed an issue where the playbook would run if O365 SecurityAndCompliance was not enabled.


FireEye (AX Series) Pack v1.0.4#

Integrations#

FireEye (AX Series)#
  • Fixed an issue where the submission key was missing from the result of the fe-submit-status command.
  • Fixed an issue where the info_level argument was not working in the fe-submit-result and fe-submit-url-result commands.

FireEye HX Pack v1.0.9#

Integrations#

FireEye HX#

Fixed an issue where the fetch-incidents command would fail on non-ASCII data.


FraudWatch PhishPortal Pack v1.0.1#

Integrations#

FraudWatch#

Improved argument descriptions.


GraphQL Pack v1.0.2#

Integrations#

GraphQL#

Updated the Test method to fully test that the configured endpoint is a valid GraphQL endpoint.


Humio Pack v1.0.4 (Partner Supported)#

Integrations#

Humio#
  • Fixed a bug in the fetch_incidents command where query start would be set to the value 1 if the first fetch yielded an empty result. Instead, query start now defaults to the timestamp of the last attempted fetch.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

IntSights Pack v1.0.5#

Integrations#

IntSights#
  • Fixed display names of various integration parameters.
  • Added the intsights-request-ioc-enrichment command, which can be used for IOC enrichment.

Integrations & Incidents Health Check Pack v1.1.18#

Integrations#

IntegrationsCheck-Widget-IntegrationsErrorsInfo#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.
IntegrationsCheck-Widget-IntegrationsCategory#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Playbooks#

IncidentsCheck-PlaybooksHealthNames#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.
IncidentsCheck-PlaybooksFailingCommands#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Scripts#

GetFailedTasks#
  • Added a hard limit to the number of incidents that can be queried.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.
IncidentsCheck-Widget-IncidentsErrorsInfo#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.
IncidentsCheck-Widget-PlaybookNames#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.
InstancesCheck-FailedCategories#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.
IncidentsCheck-Widget-CommandsNames#
  • Fixed an issue where N/A values were incorrectly formatted.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

LogPoint SIEM Integration Pack v1.1.0 (Partner Supported)#

Integrations#

LogPoint SIEM Integration#

Updated the Docker image to: demisto/python3:3.9.2.17246.

Playbooks#

New: LogPoint SIEM Playbook#

Guides users on use cases like blocking IP and domain and disabling users using products like CheckPoint Firewall, Active Directory, and VirusTotal. The actions depicted in the playbook help analysts create their playbooks based on actual requirements and products deployed. (Available from Cortex XSOAR 6.0.0).


MISP Pack v1.0.5#

Integrations#

MISP v2#

Breaking Change: Added the parameter Maximum attributes in event in order to limit attributes per event in the context output. By default, the parameter is set to 1000. This limit was added in order to prevent issues where large MISP events would create high memory and disk usage.


Mail Listener Pack v1.0.3#

Integrations#

Mail Listener v2#
  • Fixed an issue where mail messages that were received before the first fetch time were fetched.
  • Updated the Docker image to: demisto/imap:1.0.0.17111.

Microsoft Defender for Endpoint Pack v1.2.13#

Integrations#

Microsoft Defender for Endpoint#
  • Added the timeout argument to the microsoft-atp-start-investigation command.
  • Fixed an issue where the microsoft-atp-start-investigation command failed to run.
  • Updated the Docker image to: demisto/crypto:1.0.0.16776.

Microsoft Graph Mail Pack v1.0.18#

Integrations#

Microsoft Graph Mail#
  • Fixed an issue where the msgraph-mail-get-attachment command would not handle attachments that were of the message type.
  • Added the page_size argument to the msgraph-mail-list-emails command in order to limit the number of emails in each request.
  • Added the NextPage attribute to the msgraph-mail-list-emails command outputs in order to retrieve additional emails, if needed.

Mimecast Pack v1.1.3#

Integrations#

Mimecast v2#

Added a reference to the Mimecast documentation regarding application registration to the integration README.


PagerDuty Pack v1.0.4#

Integrations#

PagerDuty v2#
  • Added the incident_key argument to the PagerDuty-incidents command to fetch a specific incident via its de-duplication key.
  • Added the PagerDuty.Incidents.incident_key context output to the PagerDuty-incidents and the PagerDuty-get-incident-data commands.
  • Fixed an issue where resolving an acknowledged incident returned an error intermittently.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v2.9.5#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Added the status integration parameter, which enables you to filter fetched incidents by their status.
  • Added the status argument to the xdr-get-incidents command, which enables you to return only incidents with the given status.
  • Added an option to the xdr-retrieve-files command to not specify the OS type of the file path and to use the generic_file_path instead.

Playbooks#

Cortex XDR disconnected endpoints#

Added DISCONNECTED as a filter to the playbook tasks.


Palo Alto Networks PAN-OS EDL Management Pack v1.0.3#

Integrations#

Palo Alto Networks PAN-OS EDL Management (Deprecated)#

Maintenance and stability enhancements.


Perch Pack v1.0.1#

Integrations#

Perch#
  • Added support for the Incident Soc Statuses to Fetch integration parameter, which enables filtering fetched incidents by their soc_status.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

PhishTank Pack v2.0.6#

Integrations#

PhishTank v2#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Ransomware Pack v1.0.4#

Layouts Containers#

Post Intrusion Ransomware#

Fixed Ransomware pack dependencies.


Rapid Breach Response Pack v1.5.1#

Playbooks#

SolarStorm and SUNBURST Hunting and Response Playbook#

Expanded hunting and mitigation with Azure.

New: SolarStorm Activity Behavior Hunting playbook#

This manual playbook helps you to discover the SolarStorm activity behavior.

Sources:

SolarStorm Activity Behavior Hunting playbook#

Updated playbook descriptions.


Recorded Future Feed Pack v1.0.8#

Integrations#

Recorded Future RiskList Feed#
  • Fixed an issue where the fetch-indicators command would fail when the received indicator was missing the EvidenceDetails value.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

RecordedFuture v2 Pack v1.1.0 (Partner Supported)#

Dashboards#

New: Recorded Future#

Added a dashboard that displays data in six widgets; three widgets for indicators and three widgets for incidents.

Indicator Fields#

Integrations#

Recorded Future v2#
  • Added a new alert action to fetch a single alert.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

Playbooks#

New: Recorded Future Detailed Alert example#
Recorded Future Domain Reputation#

Now also populating indicator field.

Recorded Future CVE Intelligence#

Now also populating indicator field.

Recorded Future File Reputation#

Now also populating indicator field.

Recorded Future Threat Assessment#

Now also populating indicator field.

Recorded Future IP Intelligence#

Now also populating indicator field.

Recorded Future URL Intelligence#

Now also populating indicator field.

Recorded Future Domain Intelligence#

Now also populating indicator field.

Recorded Future URL Reputation#

Now also populating indicator field.

Recorded Future CVE Reputation#

Now also populating indicator field.

Recorded Future File Intelligence#

Now also populating indicator field.

Recorded Future IP Reputation#

Now also populating indicator field.


Salesforce Indicators Pack v1.0.1 (Community Contributed)#

Integrations#

Salesforce Indicators#

Fixed an issue where the Indicator Reputation and Fetch indicators parameters were duplicated in the integration configuration.


ServiceNow Pack v2.1.19#

Classifiers#

ServiceNow Classifier#

Resolved an issue for XSOAR versions earlier than 6.0.0 where dates received from ServiceNow in the European date format (DD/MM/YYYY) were incorrectly interpreted as MM/DD/YYYY.

Mappers#

ServiceNow - Incoming Mapper#

Fixed an issue where dates received from ServiceNow in the European date format (DD/MM/YYYY) were incorrectly interpreted as MM/DD/YYYY.

ServiceNow Create Ticket - Incoming Mapper#

Fixed an issue where dates received from ServiceNow in the European date format (DD/MM/YYYY) were incorrectly interpreted as MM/DD/YYYY.


Splunk Pack v1.3.3#

Integrations#

SplunkPy#

Added support for Splunk token authentication.


Tenable.io Pack v1.1.0#

Integrations#

Tenable.io#
  • Added the tenable-io-resume-scan command, which resumes all specified scans.
  • Added the tenable-io-pause-scan command, which pauses all specified scans.
  • Fixed an issue where some commands returned multiple entries for the same scan ID.

ThreatConnect Pack v2.0.13#

Integrations#

ThreatConnect v2#

Added support for the Source Reliability integration parameter.


Whois Pack v1.1.8#

Integrations#

Whois#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/ippysocks:1.0.0.17325.

iDefense Pack v3.0.2#

Integrations#

iDefense v2#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

mnemonic MDR Pack v1.1.1 (Partner Supported)#

Integrations#

mnemonic MDR - Argus Managed Defence#
  • Added the argus-add-attachment command.
  • Added the following integration parameters:
    • Close Argus Case
    • Close XSOAR Incident
  • Updated the Docker image to: demisto/argus-toolbelt:2.0.0.17621.

Okta Pack v2.1.7#

Classifiers#

Okta IAM - App Sync (classifier)#

Added a classification from user profile update events in Okta to the IAM - App Update incident type (used in the Identity Lifecycle Management pack).

Integrations#

Okta IAM#
  • Added the okta-iam-list-user-applications command.
  • Added support for fetching update user profile events.

Assets#