Cortex XSOAR Content Release Notes for version 21.4.0 (325528)
#
Published on 13 April 2021#
Breaking ChangesThe following pack includes breaking changes: Palo Alto Networks BPA Pack v1.2.5
#
New: AlphaVantage Pack v1.0.0 (Community Contributed)#
Integrations#
AlphaVantageThis is an API to get a stock's history or current stock data.
#
Playbooks#
Notify Stock Above PriceThis playbook sends a message on Telegram when a stock price rises above a predefined price.
#
New: Asana Connect Pack v1.0.0 (Community Contributed)#
Integrations#
AsanaConnectThis integration uses Asana's Personal Access Tokens (PATs) to connect to projects tied to the Asana account. It enables you to create and access tasks in your projects.
#
New: Azure Storage Pack v1.0.0#
Integrations#
Azure StorageDeploy and manage storage accounts and blob services.
#
New: BitSight Pack v1.0.0 (Community Contributed)#
Classifiers#
BitSight - Classifier#
BitSight - Incoming Mapper#
Incident Fields- Affects Rating
- Assets
- Comments
- Evidence Key
- Related Findings
- Remaining Decay
- Risk Category
- Risk Vector
- Risk Vector Label
- Rolledup Observation Id
- Severity Category
- BitSight Tags
- Temporary Id
#
Incident TypesBitSight Findings
#
Integrations#
BitSight for Security Performance ManagementGets company GUID, details, findings, and creates incidents.
#
LayoutsBitSight Findings
#
New: DBot Truth Bombs Pack v1.0.0#
Integrations#
DBot Truth BombsYou thought you knew DBot... guess again! Here are some super secret facts about DBot we bet you didn't know.
#
Scripts#
FactAboutYouReveal some facts about yourself.
#
New: Google Cloud SCC Pack v1.0.0#
Classifiers#
GoogleCloudSCC - classifierClassifies Google Cloud SCC incidents
#
GoogleCloudSCC#
GoogleCloudSCC - Incoming MapperMaps incoming Google Cloud SCC incident fields.
#
Incident Fields- GoogleCloudSCC Asset DisplayName
- GoogleCloudSCC Finding Category
- GoogleCloudSCC Finding CreateTime
- GoogleCloudSCC Finding EventTime
- GoogleCloudSCC Finding ExternalURI
- GoogleCloudSCC Finding FirstDiscovered
- GoogleCloudSCC Finding MostRecentlySeen
- GoogleCloudSCC Finding Name
- GoogleCloudSCC Finding Parent
- GoogleCloudSCC Finding SourceProperties AccessMethod
- GoogleCloudSCC Finding SourceProperties Acked
- GoogleCloudSCC Finding SourceProperties ActivationTrigger
- GoogleCloudSCC Finding SourceProperties Alert
- GoogleCloudSCC Finding SourceProperties AlertType
- GoogleCloudSCC Finding SourceProperties App
- GoogleCloudSCC Finding SourceProperties AppCategory
- GoogleCloudSCC Finding SourceProperties AppSessionId
- GoogleCloudSCC Finding SourceProperties Browser
- GoogleCloudSCC Finding SourceProperties BrowserSessionId
- GoogleCloudSCC Finding SourceProperties Browser Version
- GoogleCloudSCC Finding SourceProperties CCI
- GoogleCloudSCC Finding SourceProperties CCL
- GoogleCloudSCC Finding SourceProperties ClientBytes
- GoogleCloudSCC Finding SourceProperties Count
- GoogleCloudSCC Finding SourceProperties Device
- GoogleCloudSCC Finding SourceProperties Domain
- GoogleCloudSCC Finding SourceProperties DstCountry
- GoogleCloudSCC Finding SourceProperties DstGeoipSrc
- GoogleCloudSCC Finding SourceProperties DstIP
- GoogleCloudSCC Finding SourceProperties DstLocation
- GoogleCloudSCC Finding SourceProperties DstRegion
- GoogleCloudSCC Finding SourceProperties DstTimezone
- GoogleCloudSCC Finding SourceProperties DstZipcode
- GoogleCloudSCC Finding SourceProperties EventType
- GoogleCloudSCC Finding SourceProperties ExceptionInstructions
- GoogleCloudSCC Finding SourceProperties ExposedService
- GoogleCloudSCC Finding SourceProperties HostName
- GoogleCloudSCC Finding SourceProperties ID
- GoogleCloudSCC Finding SourceProperties InsertionEpochTimestamp
- GoogleCloudSCC Finding SourceProperties LastApp
- GoogleCloudSCC Finding SourceProperties LastCountry
- GoogleCloudSCC Finding SourceProperties LastDevice
- GoogleCloudSCC Finding SourceProperties LastLocation
- GoogleCloudSCC Finding SourceProperties LastRegion
- GoogleCloudSCC Finding SourceProperties MfaDetails
- GoogleCloudSCC Finding SourceProperties NumBytes
- GoogleCloudSCC Finding SourceProperties OrganizationUnit
- GoogleCloudSCC Finding SourceProperties OrigTy
- GoogleCloudSCC Finding SourceProperties Page
- GoogleCloudSCC Finding SourceProperties PageDuration
- GoogleCloudSCC Finding SourceProperties PageEndtime
- GoogleCloudSCC Finding SourceProperties PageId
- GoogleCloudSCC Finding SourceProperties PageStarttime
- GoogleCloudSCC Finding SourceProperties ProfileId
- GoogleCloudSCC Finding SourceProperties ProjectId
- GoogleCloudSCC Finding SourceProperties ReactivationCount
- GoogleCloudSCC Finding SourceProperties ReqCnt
- GoogleCloudSCC Finding SourceProperties RespCnt
- GoogleCloudSCC Finding SourceProperties RiskLevel
- GoogleCloudSCC Finding SourceProperties RiskLevelId
- GoogleCloudSCC Finding SourceProperties ScannerName
- GoogleCloudSCC Finding SourceProperties ServerBytes
- GoogleCloudSCC Finding SourceProperties Severity
- GoogleCloudSCC Finding SourceProperties SeverityLevel
- GoogleCloudSCC Finding SourceProperties Site
- GoogleCloudSCC Finding SourceProperties SlcLatitude
- GoogleCloudSCC Finding SourceProperties SlcLongitute
- GoogleCloudSCC Finding SourceProperties SrcCountry
- GoogleCloudSCC Finding SourceProperties SrcGeoIpSrc
- GoogleCloudSCC Finding SourceProperties SrcLocation
- GoogleCloudSCC Finding SourceProperties SrcRegion
- GoogleCloudSCC Finding SourceProperties SrcTimezone
- GoogleCloudSCC Finding SourceProperties SrcZipcode
- GoogleCloudSCC Finding SourceProperties TenantName
- GoogleCloudSCC Finding SourceProperties Threshold
- GoogleCloudSCC Finding SourceProperties Timestamp
- GoogleCloudSCC Finding SourceProperties TrafficType
- GoogleCloudSCC Finding SourceProperties UrNormalized
- GoogleCloudSCC Finding SourceProperties User
- GoogleCloudSCC Finding SourceProperties UserAgent
- GoogleCloudSCC Finding SourceProperties UserGenerated
- GoogleCloudSCC Finding SourceProperties UserIP
- GoogleCloudSCC Finding SourceProperties UserKey
- GoogleCloudSCC Finding URL
- GoogleCloudSCC Overview
- GoogleCloudSCC Parent Resource ParentDisplayName
- GoogleCloudSCC Recommendation
- GoogleCloudSCC Resource Name
- GoogleCloudSCC Resource ParentDisplayName
- GoogleCloudSCC Resource ParentName
- GoogleCloudSCC Resource ProjectName
- GoogleCloudSCC Resource Project DisplayName
- GoogleCloudSCC Security Marks
#
Incident TypesGoogle Cloud SCC Finding
#
Integrations#
Google Cloud SCCSecurity Command Center is a security and risk management platform for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory and discovery, identifying vulnerabilities and threats, and helping you mitigate and remediate risks across an organization. This integration helps you to perform tasks related to findings and assets.
#
LayoutsGoogle Cloud SCC Finding - Summary
#
New: Kaspersky Security Center Pack v1.0.0#
Integrations#
Kaspersky Security Center (Beta)Manages endpoints and groups through the Kaspersky Security Center.
#
New: MapPattern Pack v1.0.0 (Community Contributed)#
Scripts#
MapPatternThis transformer takes in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The transformer returns the value matched to a pattern according to the priority. When unmatched or the input value is structured (dict or list), it returns the input value.
#
New: OpenCTI Pack v1.0.0#
Integrations#
OpenCTIManages indicators from OpenCTI. Compatible with OpenCTI 4.X API version.
#
Playbooks#
OpenCTI Create IndicatorCreates an indicator at OpenCTI.
#
New: Random Images, Videos and Audio Pack v1.0.0 (Community Contributed)#
Scripts#
RandomPhotoNasaThis automation script pulls a random image from https://images.nasa.gov based on the search parameter provided. If the script is used within a widget, it outputs an image in markdown format. If it is used anywhere else, it outputs an image in markdown format and its context data.
#
New: Screenshot Machine Pack v1.0.0 (Community Contributed)#
Integrations#
Screenshot MachineTakes Web screenshots with Screenshot Machine API.
#
New: StringifyArray Pack v1.0.0 (Community Contributed)#
Scripts#
StringifyArrayReturns the string encoded with JSON for the whole array.
#
New: TheHive Project Pack v1.0.0 (Community Contributed)#
Classifiers#
TheHive - ClassifierDefault classifier for TheHive Project cases.
#
TheHive - Incoming MapperDefault incoming mapper for TheHive Project cases.
#
TheHive - Outgoing MapperDefault outbound mapping for TheHive Project cases.
#
Incident Fields- TheHive Case PAP
- TheHive Case Resolution Status
- TheHive Case Status
- TheHive Case Summary
- TheHive Case TLP
- TheHive Flag
- TheHive Observables
- TheHive Tasks
#
Incident TypesTheHive
#
Integrations#
TheHive ProjectIntegration with TheHive Project Security Incident Response Platform.
#
LayoutsTheHive layout (custom)
#
AWS - EC2 Pack v1.1.5#
Integrations#
AWS - EC2- Added the aws-ec2-revoke-security-group-egress-rule command.
- Updated the Docker image to: demisto/boto3:2.0.0.18824.
#
AWS - SQS Pack v1.0.1#
Integrations#
AWS - SQS- Internal code improvements.
- Updated the Docker image to: demisto/boto3:2.0.0.18652.
#
Active Directory Query Pack v1.1.9#
Integrations#
Active Directory Query v2- Internal code improvements.
- Updated the Docker image to: demisto/ldap:1.0.0.17947.
#
Scripts#
IAMInitADUser- Updated the automation to accommodate the changes in the Identity Lifecycle Management user synchronization flow.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Alexa Rank Indicator Pack v1.1.2#
Integrations#
Alexa Rank IndicatorAdded support for the Source Reliability integration parameter.
#
AlienVault OTX Pack v1.0.3#
Integrations#
AlienVault OTX v2- Added support for the Source Reliability integration parameter.
- Updated the Docker image to: demisto/python3:3.9.2.17957
#
Anomali Enterprise Pack v1.0.2#
Integrations#
Anomali Match- The job_id argument in the anomali-enterprise-retro-forensic-search-results command now supports a list of IDs.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Asana Connect Pack v1.0.1 (Community Contributed)#
Integrations#
New: AsanaConnectUses Asana Personal Access Tokens (PATs) to connect to projects tied to the Asana account. (Available from Cortex XSOAR 6.0.0).
#
Atlassian Jira Pack v1.3.1#
Incident Fields- Jira Description
- Jira Attachments
- Jira Priority
- Jira Transitions
- Jira Summary
- Jira Status
- Created Time
- Jira Due Date
- Jira Reporter Name
- Jira Reporter Email
- Jira Labels
#
Incident Types#
Integrations#
Atlassian Jira v2- Added the mirror out functionality.
- Added the following parameters to the integration setup:
- fetch_comments
- fetch_attachments
- Added the following parameters to the mirror in functionality:
- comments
- attachments
- Added mirror in and mirror out documentation.
- Added the mirror in and out capability for Jira custom fields.
- Added the jira-list-transitions command, which lists all possible transitions for a given ticket.
- Added the jira-get-comments command, which returns the comments added for a given ticket.
- Fixed an issue in the jira-create-issue command where the issueJson parameter was not working correctly.
#
Layouts Containers#
New: Jira Incident LayoutAdded an incident layout to the content pack.
#
Mappers#
classifier-mapper-incoming-JiraV2Added new fields to the integration incoming mapper.
#
New: classifier-mapper-outgoing-JiraAdded the Jira V2 mirror out classifier. (Available from Cortex XSOAR 6.0.0).
#
Scripts#
New: script-JiraChangeTransitionChanges a ticket's status using the transition field.
#
New: script-JiraListTransitionLists all possible transitions for a ticket.
#
AutoFocus Pack v1.1.16#
Integrations#
Palo Alto Networks AutoFocus v2- Added support for additional context outputs for the following commands:
- ip
- url
- domain
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Azure Kubernetes Services Pack v1.0.3#
Integrations#
Azure Kubernetes Services (Beta)Added the Azure AD endpoint integration parameter to support different national clouds.
#
Azure Log Analytics Pack v1.0.8#
Integrations#
Azure Log Analytics (Beta)Added support for the cache to be updated automatically when the token expires.
#
Azure Network Security Groups Pack v1.0.3#
Integrations#
Azure Network Security Groups- Added the Azure AD endpoint integration parameter to support different national clouds.
- Updated the Docker image to: demisto/crypto:1.0.0.17856.
#
Azure SQL Management (Beta) Pack v1.0.4#
Integrations#
Azure SQL Management (Beta)Added the Azure AD endpoint integration parameter to support different national clouds.
#
Azure WAF Pack v1.0.4#
Integrations#
Azure Web Application Firewall- Added the Azure AD endpoint integration parameter to support different national clouds.
- Updated the Docker image to: demisto/crypto:1.0.0.17856.
#
AzureSentinel Pack v1.0.9#
Integrations#
Azure Sentinel (Beta)Added support for cache to be updated automatically when the token expires.
#
Base Pack v1.8.5#
Scripts#
CommonServerPython- Added the FeedRelatedIndicators class which implements an interface for "FeedRelatedIndicators" extensions.
- Added the feed_related_indicators and the malware_family arguments to the following classes:
- IP
- URL
- File
- Domain
- Added the tags argument to the following classes:
- IP
- URL
- Added the organization_name and organization_type arguments to the IP class.
- Fixed an issue in BaseClient, which caused the request to ignore REQUEST_CA_BUNDLE when proxy was set to false.
- Modified the BaseClient._http_request function to mount the retry HTTP adapter to the session only if the number of retries was specified.
- Fixed an issue in the Common class, which caused a failure while using to_context on a list of FeedRelatedIndicators objects.
- Improved the error handling in the incoming mirroring flow.
#
New: DrawRelatedIncidentsCanvasDraw incidents and indicators on the canvas to map and visualize their connections.
#
DBotPredictPhishingWordsMade improvements to make this script easier to run from the Playground.
#
SanePdfReports- Added support for automatic page breaks in reports:
- Charts will now automatically drop to a new page (including the header) if there is not enough space in the current page.
- Table rows and section fields will now drop to a new page in order to prevent text from splitting between pages.
- When a table widget spans across several pages, the column's header will repeat in each page.
- Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.18186.
#
BitSight Pack v1.0.1 (Community Contributed)#
Incident Fields#
Layouts Containers#
BitSight FindingsReplaced Tags with Bitsight Tags.
#
Mappers#
BitSight - Incoming MapperReplaced Tags with Bitsight Tags.
#
BlockList DE Feed Pack v1.0.6#
Integrations#
Blocklist_de FeedFixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
Box Pack v2.1.2#
Integrations#
Box v2Updated the Docker image to: demisto/pyjwt3:1.0.0.16907.
#
BruteForce Feed Pack v1.0.6#
Integrations#
BruteForceBlocker FeedFixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
Campaign Pack v1.0.1#
Scripts#
FindEmailCampaign- Added EmailCampaign.incidents.recipients output, which specifies the email addresses of the recipients of the incident found in the campaign.
- Added the EmailCampaign.incidents.recipientsdomain output, which specifies the domains of the recipients of the incidents found in the campaign.
#
CheckPhish Pack v1.0.2#
Integrations#
CheckPhishAdded support for the Source Reliability integration parameter.
#
Cisco Umbrella Investigate Pack v1.0.3#
Integrations#
Cisco Umbrella InvestigateAdded support for the Source Reliability integration parameter.
#
Cloudflare Feed Pack v1.0.6#
Integrations#
Cloudflare FeedFixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
Common Playbooks Pack v1.9.1#
Playbooks#
Block File - Generic v2Added "Skip this branch if this automation/playbook is unavailable" option to the Cortex XDR - Block File sub-playbook.
#
Common Scripts Pack v1.3.33#
Scripts#
SearchIncidentsV2- Fixed an issue where the value of an incident ID was an integer and would raise a TypeError exception.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
DeleteContextFixed an issue where unrelated data was stored in the InsightCache indicator while using KeysToKeep in order to keep DBotScore data in the context.
#
ParseEmailFilesFixed an issue where the script failed to parse an email containing Polish characters.
#
Cortex Data Lake Pack v1.3.1#
Integrations#
Cortex Data Lake- Fixed an issue where the transform_results argument in the cdl-query-logs command did not work as expected.
- Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.18452.
#
Cymulate Pack v2.0.0 (Partner Supported)#
Classifiers#
Cymulate_v2 - ClassificationDefault Classification for Cymulate.
#
Incident Fields- Cymulate Description
- Cymulate Input
- Cymulate Last Action
- Cymulate Mitigation Details
- Cymulate Module
- Cymulate Source
- Cymulate Source Email Address
- Cymulate Status
- Cymulate Template Name
- Cymulate Test Case
- Cymulate URL
- Cymulate Attack Vector
- Cymulate Analysis
- Cymulate Cymulate Attack Type
- Cymulate Agentless
#
Incident Types#
Integrations#
Cymulate v2- New Cymulate integration. This new integration allows users to start and stop attack assessments, and get their status.
- New fetch incident parameter that allows retrieving incidents from all modules selected by the user in the configuration page.
#
LayoutsCymulate Immediate Threats - Default Layout for Cymulate Immediate Threats.
#
Layouts Containers#
Cymulate LayoutDefault Layout Container for Cymulate.
#
Mappers#
Cymulate_v2 - Incoming MapperDefault Mapping for Cymulate.
#
Playbooks#
Cymulate Immediate ThreatsUpdated to match Cymulate v2.
#
DShield Feed Pack v1.0.6#
Integrations#
DShield FeedFixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
EWS Pack v1.8.13#
Integrations#
O365 - Security And Compliance - Content Search (beta)- General documentation improvements.
- Fixed an issue where the o365-sc-new-search-action command failed with no indicative error.
- Fixed an issue where the get-search-action command would not return results in the context and War Room entry for the purge action type.
- Updated the Docker image to demisto/powershell-ubuntu:7.1.1.16151.
#
Playbooks#
O365 - Security And Compliance - Search And DeleteFixed an issue where the Remove search action task failed when no emails were found.
#
Expanse (Deprecated) Pack v1.2.0 (Partner Supported)#
Integrations#
Expanse (Deprecated)- This integration is deprecated. Use the Expanse V2 integration instead.
- Updated the Docker image to: demisto/python3:3.9.2.18414.
#
Expanse v2 Pack v1.1.0#
Integrations#
Expanse v2- Added the expanse-get-domains-for-certificate command. It returns all domains which were seen with the specified certificate.
- Updated the Docker image to: demisto/python3:3.9.2.18414.
#
Feed OpenCTI Pack v2.0.0#
Integrations#
OpenCTI Feed 3.X- Changed the display name from
OpenCTI Feed
toOpenCTI Feed 3.X
. - Improved the description and documentation.
- Updated the Docker image to: demisto/opencti:1.0.0.12410.
#
New: OpenCTI Feed 4.XIngests indicators from the OpenCTI feed. Compatible with OpenCTI 4.X API version. (Available from Cortex XSOAR 5.5.0).
#
Playbooks#
New: OpenCTI Create IndicatorCreates indicators in OpenCTI. (Available from Cortex XSOAR 5.0.0).
#
FeodoTracker Feed Pack v1.0.9#
Integrations#
Feodo Tracker Hashes Feed (Deprecated)Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
GitHub Pack v1.1.10#
Integrations#
GitHubUpdated the Docker image to: demisto/pyjwt3:1.0.0.16907.
#
Google Vault Pack v1.0.3#
Integrations#
Google Vault- Added support for pagination when fetching matters by state.
- Updated the Docker image to: demisto/gvault:1.0.0.18527
#
GuardiCore Pack v1.0.1#
Integrations#
GuardiCore- Fixed an issue where failing to log out from the product did not raise a meaningful error.
- Added the following arguments to the guardicore-get-incidents command:
- from_time
- to_time
#
HelloWorld Pack v1.2.2 (Community Contributed)#
Integrations#
New: HelloWorld Feed- Created the HelloWorld Feed integration template.
- Updated the Docker image to: demisto/python3:3.9.1.15759.
#
IBM QRadar Pack v2.0.0#
Incident TypesQradar Generic - Assigned the QRadar Generic playbook as the default playbook for this incident type.
#
Integrations#
IBM QRadar v2- Added the supported API versions to the QRadar v2 description.
- Updated the Docker image to: demisto/python3:3.9.2.18414.
#
New: IBM QRadar v3IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise. Supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.
#
Mappers#
QRadar - Generic Incoming Mapper- Added mapping for the severity field based on the offense magnitude value. The XSOAR incident severity field values range is 0-4 where:
0 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
A scale is required to translate the value of the magnitude field to a valid incident severity value. The default scale is: 1,1,1,2,2,2,2,3,3,3.
The meaning of the default scale is that values with a magnitude of 1-3 will be translated to low severity (positions 1-3 in the scale), values 4-7 will be translated to medium severity (positions 4-7 in the scale) and values 8-10 will be translated to high severity (positions 8-10 in the scale). - Added mapping to the mirroring parameters.
#
Playbooks#
QRadar Indicator Hunting V2Fixed MD5 hash search.
#
QRadar GenericThe default playbook for working with the QRadar V2 integration for basic SIEM/SOC operations.
#
IBM Resilient Systems Pack v1.0.5#
Integrations#
IBM Resilient Systems- Fixed an issue where the password parameter was not encrypted in the logs.
- Updated the Docker image to: demisto/resilient:1.0.0.17061.
#
IBM X-Force Exchange Pack v1.0.8#
Integrations#
IBM X-Force Exchange v2- Added support for the Source Reliability integration parameter.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Imperva WAF Pack v1.0.1#
Integrations#
Imperva WAFUpdated the Docker image to: demisto/python3:3.9.2.17957.
#
Infinipoint Pack v1.0.6 (Partner Supported)#
Integrations#
InfinipointUpdated the Docker image to: demisto/pyjwt3:1.0.0.16907.
#
Ipinfo Pack v1.0.2#
Integrations#
ipinfoAdded support for additional context outputs in the ip command.
#
Jamf Pack v1.0.1#
Integrations#
jamfAdded to the description a note regarding the limitation of the API version used.
#
Machine Learning Pack v1.2.3#
Scripts#
ImportMLModelAdded the modelStoreType argument, which enables importing an ML model as a list.
#
Maltiverse Pack v1.0.3#
Integrations#
Maltiverse- Added support for the Source Reliability integration parameter.
- Updated the Docker image to: demisto/python3:3.9.2.17246.
#
MalwareDomainList Feed Pack v1.0.6#
Integrations#
Malware Domain List Active IPs FeedFixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
McAfee ESM Pack v1.1.5#
Integrations#
McAfee ESM v2- Internal code improvements.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Microsoft Graph API Pack v1.0.3#
Integrations#
Microsoft Graph API- Added the Azure AD endpoint integration parameter to support different national clouds.
- Updated the Docker image to: demisto/crypto:1.0.0.17856.
#
Microsoft Graph Applications Pack v1.0.3#
Integrations#
Microsoft Graph Applications- Added the Azure AD endpoint integration parameter to support different national clouds.
- Updated the Docker image to: demisto/crypto:1.0.0.17856.
#
Microsoft Graph Identity & Access Pack v1.0.3#
Integrations#
Microsoft Graph Identity & Access- Added the Azure AD endpoint integration parameter to support different national clouds.
- Updated the Docker image to: demisto/crypto:1.0.0.17856.
#
Microsoft Graph Mail Single User Pack v1.0.14#
Integrations#
Microsoft Graph Mail Single User- Added support for the cache to be updated automatically when the token expires.
- Updated the Docker image to: demisto/crypto:1.0.0.18288
#
Microsoft Management Activity API (O365/Azure Events) Pack v1.1.10#
Integrations#
Microsoft Management Activity API (O365 Azure Events)- Added support for the cache to be updated automatically when the token expires.
- Updated the Docker image to: demisto/pyjwt3:1.0.0.16907.
#
Microsoft Teams Pack v1.1.5#
Integrations#
Microsoft Teams Management- Added the Azure AD endpoint integration parameter to support different national clouds.
- Updated the Docker image to: demisto/crypto:1.0.0.17856.
#
Microsoft TeamsAdded support for the cache to be updated automatically when the token expires.
#
Netskope Pack v1.0.1#
Integrations#
NetskopeFixed an issue where long Alert IDs were rounded down.
#
Palo Alto Networks BPA Pack v1.2.5#
Integrations#
Palo Alto Networks BPA- Added the timeout argument to the pan-os-bpa-submit-job command.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.1#
Integrations#
Palo Alto Networks Cortex XDR - Investigation and Response- Breaking Change: The xdr-endpoint-scan command will not scan all the endpoints when no filter is given, but only when the argument all is marked as true.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Playbooks#
Cortex XDR - Block FileThe playbook now checks if the integration is available.
#
Palo Alto Networks PAN-OS EDL Service Pack v1.0.10#
Integrations#
Palo Alto Networks PAN-OS EDL Service- Added printing to the server log when an exception is raised, and fixed caching of indicators.
- Updated the Docker image to the latest version.
#
Palo Alto Networks WildFire Pack v1.3.3#
Integrations#
Palo Alto Networks WildFire v2- Fixed an issue that it is unable to create reports when there is no report for any of the file hashes.
- Added support for additional context outputs in the file command.
- Added support for the new -104 status added by Wildfire for the following commands:
- wildfire-get-verdict
- wildfire-get-verdicts
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
PhishLabs Pack v1.0.1#
Integrations#
PhishLabs IOC EIR- Added support for the Source Reliability integration parameter.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
PhishLabs IOC- Added support for the Source Reliability integration parameter.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Plain Text Feed Pack v1.0.7#
Integrations#
Plain Text FeedFixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
RSA Archer Pack v1.1.14#
Integrations#
RSA Archer v2- Added error handling to the archer-update-record command when the fieldsToValues argument does not match the requirements.
- Updated the update session function to better handle errors when a provided URL is invalid and the session fails to create.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Recorded Future Pack v1.0.3#
Integrations#
Recorded FutureAdded support for additional context outputs to the following commands:
- ip
- url
- file
- domain
#
Server Message Block (SMB) Pack v2.0.1#
Integrations#
Server Message Block (SMB) v2Fixed an issue where the client_guid parameter was not handled properly.
#
Slack Pack v1.3.17#
Integrations#
Slack v2- Fixed an issue where inviting a user to a channel to which they already belong caused the slack-invite-to-channel command to fail.
- Updated the Docker image to: demisto/slack:1.0.0.18207
#
Spamhaus Feed Pack v1.0.6#
Integrations#
Spamhaus FeedFixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.
#
Splunk Pack v2.0.0#
Integrations#
SplunkPy- Changed the default fetch query for the fetch-incidents functionality.
- Added an enrichment mechanism for fetched notables.
- Added support for incoming incident mirroring from a remote Splunk server. (Supported from Cortex XSOAR version 6.0.0).
- Added support for outgoing incident mirroring to a remote Splunk server. (Supported from Cortex XSOAR version 6.0.0).
- Added support for the Mirror incoming incidents integration parameter that is used to allow incoming mirroring of fetched incidents.
- Added support for the Close Mirrored XSOAR Incident integration parameter that is used for closing a mirrored XSOAR incident if the corresponding notable was closed on Splunk Server.
- Updated the Docker image to: demisto/splunksdk:1.0.0.18173.
#
Mappers#
Splunk - Incoming MapperAdded support for incoming and outgoing mirroring.
#
Tenable.sc Pack v1.0.1#
Integrations#
Tenable.scFixed an issue where the tenable-sc-get-scan-report command failed due to invalid key parsing.
#
TheHive Project Pack v1.1.0 (Community Contributed)#
Incident Fields- TheHive Observables - The field is editable.
- TheHive Tasks - The field is editable.
#
Integrations#
TheHive Project- Added support for the get-modified-remote-data command.
- Updated the Docker image to: demisto/python3:3.9.2.18414.
#
ThreatConnect Pack v2.0.14#
Integrations#
ThreatConnect v2Added the indicator attributes to the outputs of the tc-get-indicator command.
#
ThreatMiner Pack v1.0.3#
Integrations#
ThreatMinerAdded support for the Source Reliability integration parameter.
#
URLhaus Pack v1.0.2#
Integrations#
URLhaus- Added support for the Source Reliability integration parameter.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Uptycs Pack v1.0.5 (Partner Supported)#
Integrations#
UptycsUpdated the Docker image to: demisto/uptycs:1.0.0.18207.
#
Urlscan.io Pack v1.0.9#
Integrations#
urlscan.io- Added support for the Source Reliability integration parameter.
- Added support for additional context outputs in the url command.
#
VirusTotal Pack v2.0.1#
Classifiers#
Integrations#
New: VirusTotal (API v3)Analyzes suspicious hashes, URLs, domains, and IP addresses. (Available from Cortex XSOAR 5.5.0).
#
New: VirusTotal - Premium (API v3)Analyzes retro hunts, reads live hunt notifications, and downloads files from VirusTotal.
#
Mappers#
New: VirusTotal Intelligence LiveHunt Notification#
Playbooks#
New: Detonate File - VirusTotal (API v3)Detonate a file through VirusTotal (API v3) integration.
#
New: Detonate URL - VirusTotal (API v3)Detonates a URL through VirusTotal (API v3) integration.
#
New: Create Zip from VirusTotalCreates a zip file from the given hashes that exist in VirusTotal.
#
Whois Pack v1.2.1#
Integrations#
Whois- Fixed an issue where not selecting an initial value for the Source Reliability integration parameter caused the integration to fail.
- Added the ip command to enrich IP addresses.
- Added support for additional context outputs in the domain command.
- Maintenance and stability enhancements.
- Updated the Docker image to: demisto/ippysocks:1.0.0.18080.
#
Windows Remote Management Pack v1.0.3#
Integrations#
Windows Remote Management (Beta)Added documentation for the integration.
#
Workday Pack v1.1.0#
Integrations#
Workday IAM- Added the deactivation_date_field parameter, which specifies which field in the Workday report determines when to trigger a termination event for deactivated employees.
- Added the days_before_hire_to_sync parameter, which determines when to sync employees from Workday.
- Added the days_before_hire_to_enable_ad parameter, which determines when to enable the Active Directory accounts of employees.
- Improved the implementation of the fetch-incidents command.
- Updated the Docker image to: demisto/python3:3.9.2.17957.
#
Mappers#
IAM Sync User - WorkdayAdded a mapping for the new IAM - AD User Activation incident type.
#
Assets- Download Content Zip (Cortex XSOAR 5.5 and earlier): content_new.zip
- Download Marketplace Packs (Cortex XSOAR 6.0 and later): content_marketplace_packs.zip
- Browse the Source Code: Content Repo @ 21.4.0