Skip to main content

Cortex XSOAR Content Release Notes for version 21.4.0 (325528)#

Published on 13 April 2021#

Breaking Changes#

The following pack includes breaking changes: Palo Alto Networks BPA Pack v1.2.5

New: AlphaVantage Pack v1.0.0 (Community Contributed)#

Integrations#

AlphaVantage#

This is an API to get a stock's history or current stock data.

Playbooks#

Notify Stock Above Price#

This playbook sends a message on Telegram when a stock price rises above a predefined price.


New: Asana Connect Pack v1.0.0 (Community Contributed)#

Integrations#

AsanaConnect#

This integration uses Asana's Personal Access Tokens (PATs) to connect to projects tied to the Asana account. It enables you to create and access tasks in your projects.


New: Azure Storage Pack v1.0.0#

Integrations#

Azure Storage#

Deploy and manage storage accounts and blob services.


New: BitSight Pack v1.0.0 (Community Contributed)#

Classifiers#

BitSight - Classifier#
BitSight - Incoming Mapper#

Incident Fields#

  • Affects Rating
  • Assets
  • Comments
  • Evidence Key
  • Related Findings
  • Remaining Decay
  • Risk Category
  • Risk Vector
  • Risk Vector Label
  • Rolledup Observation Id
  • Severity Category
  • BitSight Tags
  • Temporary Id

Incident Types#

BitSight Findings

Integrations#

BitSight for Security Performance Management#

Gets company GUID, details, findings, and creates incidents.

Layouts#

BitSight Findings


New: DBot Truth Bombs Pack v1.0.0#

Integrations#

DBot Truth Bombs#

You thought you knew DBot... guess again! Here are some super secret facts about DBot we bet you didn't know.

Scripts#

FactAboutYou#

Reveal some facts about yourself.


New: Google Cloud SCC Pack v1.0.0#

Classifiers#

GoogleCloudSCC - classifier#

Classifies Google Cloud SCC incidents

GoogleCloudSCC#
GoogleCloudSCC - Incoming Mapper#

Maps incoming Google Cloud SCC incident fields.

Incident Fields#

  • GoogleCloudSCC Asset DisplayName
  • GoogleCloudSCC Finding Category
  • GoogleCloudSCC Finding CreateTime
  • GoogleCloudSCC Finding EventTime
  • GoogleCloudSCC Finding ExternalURI
  • GoogleCloudSCC Finding FirstDiscovered
  • GoogleCloudSCC Finding MostRecentlySeen
  • GoogleCloudSCC Finding Name
  • GoogleCloudSCC Finding Parent
  • GoogleCloudSCC Finding SourceProperties AccessMethod
  • GoogleCloudSCC Finding SourceProperties Acked
  • GoogleCloudSCC Finding SourceProperties ActivationTrigger
  • GoogleCloudSCC Finding SourceProperties Alert
  • GoogleCloudSCC Finding SourceProperties AlertType
  • GoogleCloudSCC Finding SourceProperties App
  • GoogleCloudSCC Finding SourceProperties AppCategory
  • GoogleCloudSCC Finding SourceProperties AppSessionId
  • GoogleCloudSCC Finding SourceProperties Browser
  • GoogleCloudSCC Finding SourceProperties BrowserSessionId
  • GoogleCloudSCC Finding SourceProperties Browser Version
  • GoogleCloudSCC Finding SourceProperties CCI
  • GoogleCloudSCC Finding SourceProperties CCL
  • GoogleCloudSCC Finding SourceProperties ClientBytes
  • GoogleCloudSCC Finding SourceProperties Count
  • GoogleCloudSCC Finding SourceProperties Device
  • GoogleCloudSCC Finding SourceProperties Domain
  • GoogleCloudSCC Finding SourceProperties DstCountry
  • GoogleCloudSCC Finding SourceProperties DstGeoipSrc
  • GoogleCloudSCC Finding SourceProperties DstIP
  • GoogleCloudSCC Finding SourceProperties DstLocation
  • GoogleCloudSCC Finding SourceProperties DstRegion
  • GoogleCloudSCC Finding SourceProperties DstTimezone
  • GoogleCloudSCC Finding SourceProperties DstZipcode
  • GoogleCloudSCC Finding SourceProperties EventType
  • GoogleCloudSCC Finding SourceProperties ExceptionInstructions
  • GoogleCloudSCC Finding SourceProperties ExposedService
  • GoogleCloudSCC Finding SourceProperties HostName
  • GoogleCloudSCC Finding SourceProperties ID
  • GoogleCloudSCC Finding SourceProperties InsertionEpochTimestamp
  • GoogleCloudSCC Finding SourceProperties LastApp
  • GoogleCloudSCC Finding SourceProperties LastCountry
  • GoogleCloudSCC Finding SourceProperties LastDevice
  • GoogleCloudSCC Finding SourceProperties LastLocation
  • GoogleCloudSCC Finding SourceProperties LastRegion
  • GoogleCloudSCC Finding SourceProperties MfaDetails
  • GoogleCloudSCC Finding SourceProperties NumBytes
  • GoogleCloudSCC Finding SourceProperties OrganizationUnit
  • GoogleCloudSCC Finding SourceProperties OrigTy
  • GoogleCloudSCC Finding SourceProperties Page
  • GoogleCloudSCC Finding SourceProperties PageDuration
  • GoogleCloudSCC Finding SourceProperties PageEndtime
  • GoogleCloudSCC Finding SourceProperties PageId
  • GoogleCloudSCC Finding SourceProperties PageStarttime
  • GoogleCloudSCC Finding SourceProperties ProfileId
  • GoogleCloudSCC Finding SourceProperties ProjectId
  • GoogleCloudSCC Finding SourceProperties ReactivationCount
  • GoogleCloudSCC Finding SourceProperties ReqCnt
  • GoogleCloudSCC Finding SourceProperties RespCnt
  • GoogleCloudSCC Finding SourceProperties RiskLevel
  • GoogleCloudSCC Finding SourceProperties RiskLevelId
  • GoogleCloudSCC Finding SourceProperties ScannerName
  • GoogleCloudSCC Finding SourceProperties ServerBytes
  • GoogleCloudSCC Finding SourceProperties Severity
  • GoogleCloudSCC Finding SourceProperties SeverityLevel
  • GoogleCloudSCC Finding SourceProperties Site
  • GoogleCloudSCC Finding SourceProperties SlcLatitude
  • GoogleCloudSCC Finding SourceProperties SlcLongitute
  • GoogleCloudSCC Finding SourceProperties SrcCountry
  • GoogleCloudSCC Finding SourceProperties SrcGeoIpSrc
  • GoogleCloudSCC Finding SourceProperties SrcLocation
  • GoogleCloudSCC Finding SourceProperties SrcRegion
  • GoogleCloudSCC Finding SourceProperties SrcTimezone
  • GoogleCloudSCC Finding SourceProperties SrcZipcode
  • GoogleCloudSCC Finding SourceProperties TenantName
  • GoogleCloudSCC Finding SourceProperties Threshold
  • GoogleCloudSCC Finding SourceProperties Timestamp
  • GoogleCloudSCC Finding SourceProperties TrafficType
  • GoogleCloudSCC Finding SourceProperties UrNormalized
  • GoogleCloudSCC Finding SourceProperties User
  • GoogleCloudSCC Finding SourceProperties UserAgent
  • GoogleCloudSCC Finding SourceProperties UserGenerated
  • GoogleCloudSCC Finding SourceProperties UserIP
  • GoogleCloudSCC Finding SourceProperties UserKey
  • GoogleCloudSCC Finding URL
  • GoogleCloudSCC Overview
  • GoogleCloudSCC Parent Resource ParentDisplayName
  • GoogleCloudSCC Recommendation
  • GoogleCloudSCC Resource Name
  • GoogleCloudSCC Resource ParentDisplayName
  • GoogleCloudSCC Resource ParentName
  • GoogleCloudSCC Resource ProjectName
  • GoogleCloudSCC Resource Project DisplayName
  • GoogleCloudSCC Security Marks

Incident Types#

Google Cloud SCC Finding

Integrations#

Google Cloud SCC#

Security Command Center is a security and risk management platform for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory and discovery, identifying vulnerabilities and threats, and helping you mitigate and remediate risks across an organization. This integration helps you to perform tasks related to findings and assets.

Layouts#

Google Cloud SCC Finding - Summary


New: Kaspersky Security Center Pack v1.0.0#

Integrations#

Kaspersky Security Center (Beta)#

Manages endpoints and groups through the Kaspersky Security Center.


New: MapPattern Pack v1.0.0 (Community Contributed)#

Scripts#

MapPattern#

This transformer takes in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The transformer returns the value matched to a pattern according to the priority. When unmatched or the input value is structured (dict or list), it returns the input value.


New: OpenCTI Pack v1.0.0#

Integrations#

OpenCTI#

Manages indicators from OpenCTI. Compatible with OpenCTI 4.X API version.

Playbooks#

OpenCTI Create Indicator#

Creates an indicator at OpenCTI.


New: Random Images, Videos and Audio Pack v1.0.0 (Community Contributed)#

Scripts#

RandomPhotoNasa#

This automation script pulls a random image from https://images.nasa.gov based on the search parameter provided. If the script is used within a widget, it outputs an image in markdown format. If it is used anywhere else, it outputs an image in markdown format and its context data.


New: Screenshot Machine Pack v1.0.0 (Community Contributed)#

Integrations#

Screenshot Machine#

Takes Web screenshots with Screenshot Machine API.


New: StringifyArray Pack v1.0.0 (Community Contributed)#

Scripts#

StringifyArray#

Returns the string encoded with JSON for the whole array.


New: TheHive Project Pack v1.0.0 (Community Contributed)#

Classifiers#

TheHive - Classifier#

Default classifier for TheHive Project cases.

TheHive - Incoming Mapper#

Default incoming mapper for TheHive Project cases.

TheHive - Outgoing Mapper#

Default outbound mapping for TheHive Project cases.

Incident Fields#

  • TheHive Case PAP
  • TheHive Case Resolution Status
  • TheHive Case Status
  • TheHive Case Summary
  • TheHive Case TLP
  • TheHive Flag
  • TheHive Observables
  • TheHive Tasks

Incident Types#

TheHive

Integrations#

TheHive Project#

Integration with TheHive Project Security Incident Response Platform.

Layouts#

TheHive layout (custom)


AWS - EC2 Pack v1.1.5#

Integrations#

AWS - EC2#
  • Added the aws-ec2-revoke-security-group-egress-rule command.
  • Updated the Docker image to: demisto/boto3:2.0.0.18824.

AWS - SQS Pack v1.0.1#

Integrations#

AWS - SQS#
  • Internal code improvements.
  • Updated the Docker image to: demisto/boto3:2.0.0.18652.

Active Directory Query Pack v1.1.9#

Integrations#

Active Directory Query v2#
  • Internal code improvements.
  • Updated the Docker image to: demisto/ldap:1.0.0.17947.

Scripts#

IAMInitADUser#
  • Updated the automation to accommodate the changes in the Identity Lifecycle Management user synchronization flow.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Alexa Rank Indicator Pack v1.1.2#

Integrations#

Alexa Rank Indicator#

Added support for the Source Reliability integration parameter.


AlienVault OTX Pack v1.0.3#

Integrations#

AlienVault OTX v2#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17957

Anomali Enterprise Pack v1.0.2#

Integrations#

Anomali Match#
  • The job_id argument in the anomali-enterprise-retro-forensic-search-results command now supports a list of IDs.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Asana Connect Pack v1.0.1 (Community Contributed)#

Integrations#

New: AsanaConnect#

Uses Asana Personal Access Tokens (PATs) to connect to projects tied to the Asana account. (Available from Cortex XSOAR 6.0.0).


Atlassian Jira Pack v1.3.1#

Incident Fields#

  • Jira Description
  • Jira Attachments
  • Jira Priority
  • Jira Transitions
  • Jira Summary
  • Jira Status
  • Created Time
  • Jira Due Date
  • Jira Reporter Name
  • Jira Reporter Email
  • Jira Labels

Incident Types#

Integrations#

Atlassian Jira v2#
  • Added the mirror out functionality.
  • Added the following parameters to the integration setup:
    • fetch_comments
    • fetch_attachments
  • Added the following parameters to the mirror in functionality:
    • comments
    • attachments
  • Added mirror in and mirror out documentation.
  • Added the mirror in and out capability for Jira custom fields.
  • Added the jira-list-transitions command, which lists all possible transitions for a given ticket.
  • Added the jira-get-comments command, which returns the comments added for a given ticket.
  • Fixed an issue in the jira-create-issue command where the issueJson parameter was not working correctly.

Layouts Containers#

New: Jira Incident Layout#

Added an incident layout to the content pack.

Mappers#

classifier-mapper-incoming-JiraV2#

Added new fields to the integration incoming mapper.

New: classifier-mapper-outgoing-Jira#

Added the Jira V2 mirror out classifier. (Available from Cortex XSOAR 6.0.0).

Scripts#

New: script-JiraChangeTransition#

Changes a ticket's status using the transition field.

New: script-JiraListTransition#

Lists all possible transitions for a ticket.


AutoFocus Pack v1.1.16#

Integrations#

Palo Alto Networks AutoFocus v2#
  • Added support for additional context outputs for the following commands:
    • ip
    • url
    • domain
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Azure Kubernetes Services Pack v1.0.3#

Integrations#

Azure Kubernetes Services (Beta)#

Added the Azure AD endpoint integration parameter to support different national clouds.


Azure Log Analytics Pack v1.0.8#

Integrations#

Azure Log Analytics (Beta)#

Added support for the cache to be updated automatically when the token expires.


Azure Network Security Groups Pack v1.0.3#

Integrations#

Azure Network Security Groups#
  • Added the Azure AD endpoint integration parameter to support different national clouds.
  • Updated the Docker image to: demisto/crypto:1.0.0.17856.

Azure SQL Management (Beta) Pack v1.0.4#

Integrations#

Azure SQL Management (Beta)#

Added the Azure AD endpoint integration parameter to support different national clouds.


Azure WAF Pack v1.0.4#

Integrations#

Azure Web Application Firewall#
  • Added the Azure AD endpoint integration parameter to support different national clouds.
  • Updated the Docker image to: demisto/crypto:1.0.0.17856.

AzureSentinel Pack v1.0.9#

Integrations#

Azure Sentinel (Beta)#

Added support for cache to be updated automatically when the token expires.


Base Pack v1.8.5#

Scripts#

CommonServerPython#
  • Added the FeedRelatedIndicators class which implements an interface for "FeedRelatedIndicators" extensions.
  • Added the feed_related_indicators and the malware_family arguments to the following classes:
    • IP
    • URL
    • File
    • Domain
  • Added the tags argument to the following classes:
    • IP
    • URL
  • Added the organization_name and organization_type arguments to the IP class.
  • Fixed an issue in BaseClient, which caused the request to ignore REQUEST_CA_BUNDLE when proxy was set to false.
  • Modified the BaseClient._http_request function to mount the retry HTTP adapter to the session only if the number of retries was specified.
  • Fixed an issue in the Common class, which caused a failure while using to_context on a list of FeedRelatedIndicators objects.
  • Improved the error handling in the incoming mirroring flow.
New: DrawRelatedIncidentsCanvas#

Draw incidents and indicators on the canvas to map and visualize their connections.

DBotPredictPhishingWords#

Made improvements to make this script easier to run from the Playground.

SanePdfReports#
  • Added support for automatic page breaks in reports:
    • Charts will now automatically drop to a new page (including the header) if there is not enough space in the current page.
    • Table rows and section fields will now drop to a new page in order to prevent text from splitting between pages.
    • When a table widget spans across several pages, the column's header will repeat in each page.
  • Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.18186.

BitSight Pack v1.0.1 (Community Contributed)#

Incident Fields#

Layouts Containers#

BitSight Findings#

Replaced Tags with Bitsight Tags.

Mappers#

BitSight - Incoming Mapper#

Replaced Tags with Bitsight Tags.


BlockList DE Feed Pack v1.0.6#

Integrations#

Blocklist_de Feed#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


Box Pack v2.1.2#

Integrations#

Box v2#

Updated the Docker image to: demisto/pyjwt3:1.0.0.16907.


BruteForce Feed Pack v1.0.6#

Integrations#

BruteForceBlocker Feed#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


Campaign Pack v1.0.1#

Scripts#

FindEmailCampaign#
  • Added EmailCampaign.incidents.recipients output, which specifies the email addresses of the recipients of the incident found in the campaign.
  • Added the EmailCampaign.incidents.recipientsdomain output, which specifies the domains of the recipients of the incidents found in the campaign.

CheckPhish Pack v1.0.2#

Integrations#

CheckPhish#

Added support for the Source Reliability integration parameter.


Cisco Umbrella Investigate Pack v1.0.3#

Integrations#

Cisco Umbrella Investigate#

Added support for the Source Reliability integration parameter.


Cloudflare Feed Pack v1.0.6#

Integrations#

Cloudflare Feed#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


Common Playbooks Pack v1.9.1#

Playbooks#

Block File - Generic v2#

Added "Skip this branch if this automation/playbook is unavailable" option to the Cortex XDR - Block File sub-playbook.


Common Scripts Pack v1.3.33#

Scripts#

SearchIncidentsV2#
  • Fixed an issue where the value of an incident ID was an integer and would raise a TypeError exception.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.
DeleteContext#

Fixed an issue where unrelated data was stored in the InsightCache indicator while using KeysToKeep in order to keep DBotScore data in the context.

ParseEmailFiles#

Fixed an issue where the script failed to parse an email containing Polish characters.


Cortex Data Lake Pack v1.3.1#

Integrations#

Cortex Data Lake#
  • Fixed an issue where the transform_results argument in the cdl-query-logs command did not work as expected.
  • Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.18452.

Cymulate Pack v2.0.0 (Partner Supported)#

Classifiers#

Cymulate_v2 - Classification#

Default Classification for Cymulate.

Incident Fields#

  • Cymulate Description
  • Cymulate Input
  • Cymulate Last Action
  • Cymulate Mitigation Details
  • Cymulate Module
  • Cymulate Source
  • Cymulate Source Email Address
  • Cymulate Status
  • Cymulate Template Name
  • Cymulate Test Case
  • Cymulate URL
  • Cymulate Attack Vector
  • Cymulate Analysis
  • Cymulate Cymulate Attack Type
  • Cymulate Agentless

Incident Types#

Integrations#

Cymulate v2#
  • New Cymulate integration. This new integration allows users to start and stop attack assessments, and get their status.
  • New fetch incident parameter that allows retrieving incidents from all modules selected by the user in the configuration page.

Layouts#

Cymulate Immediate Threats - Default Layout for Cymulate Immediate Threats.

Layouts Containers#

Cymulate Layout#

Default Layout Container for Cymulate.

Mappers#

Cymulate_v2 - Incoming Mapper#

Default Mapping for Cymulate.

Playbooks#

Cymulate Immediate Threats#

Updated to match Cymulate v2.


DShield Feed Pack v1.0.6#

Integrations#

DShield Feed#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


EWS Pack v1.8.13#

Integrations#

O365 - Security And Compliance - Content Search (beta)#
  • General documentation improvements.
  • Fixed an issue where the o365-sc-new-search-action command failed with no indicative error.
  • Fixed an issue where the get-search-action command would not return results in the context and War Room entry for the purge action type.
  • Updated the Docker image to demisto/powershell-ubuntu:7.1.1.16151.

Playbooks#

O365 - Security And Compliance - Search And Delete#

Fixed an issue where the Remove search action task failed when no emails were found.


Expanse (Deprecated) Pack v1.2.0 (Partner Supported)#

Integrations#

Expanse (Deprecated)#
  • This integration is deprecated. Use the Expanse V2 integration instead.
  • Updated the Docker image to: demisto/python3:3.9.2.18414.

Expanse v2 Pack v1.1.0#

Integrations#

Expanse v2#
  • Added the expanse-get-domains-for-certificate command. It returns all domains which were seen with the specified certificate.
  • Updated the Docker image to: demisto/python3:3.9.2.18414.

Feed OpenCTI Pack v2.0.0#

Integrations#

OpenCTI Feed 3.X#
  • Changed the display name from OpenCTI Feed to OpenCTI Feed 3.X.
  • Improved the description and documentation.
  • Updated the Docker image to: demisto/opencti:1.0.0.12410.
New: OpenCTI Feed 4.X#

Ingests indicators from the OpenCTI feed. Compatible with OpenCTI 4.X API version. (Available from Cortex XSOAR 5.5.0).

Playbooks#

New: OpenCTI Create Indicator#

Creates indicators in OpenCTI. (Available from Cortex XSOAR 5.0.0).


FeodoTracker Feed Pack v1.0.9#

Integrations#

Feodo Tracker Hashes Feed (Deprecated)#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


GitHub Pack v1.1.10#

Integrations#

GitHub#

Updated the Docker image to: demisto/pyjwt3:1.0.0.16907.


Google Vault Pack v1.0.3#

Integrations#

Google Vault#
  • Added support for pagination when fetching matters by state.
  • Updated the Docker image to: demisto/gvault:1.0.0.18527

GuardiCore Pack v1.0.1#

Integrations#

GuardiCore#
  • Fixed an issue where failing to log out from the product did not raise a meaningful error.
  • Added the following arguments to the guardicore-get-incidents command:
    • from_time
    • to_time

HelloWorld Pack v1.2.2 (Community Contributed)#

Integrations#

New: HelloWorld Feed#
  • Created the HelloWorld Feed integration template.
  • Updated the Docker image to: demisto/python3:3.9.1.15759.

IBM QRadar Pack v2.0.0#

Incident Types#

Qradar Generic - Assigned the QRadar Generic playbook as the default playbook for this incident type.

Integrations#

IBM QRadar v2#
  • Added the supported API versions to the QRadar v2 description.
  • Updated the Docker image to: demisto/python3:3.9.2.18414.
New: IBM QRadar v3#

IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise. Supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

Mappers#

QRadar - Generic Incoming Mapper#
  • Added mapping for the severity field based on the offense magnitude value. The XSOAR incident severity field values range is 0-4 where:
    0 - Informational
    1 - Low
    2 - Medium
    3 - High
    4 - Critical

    A scale is required to translate the value of the magnitude field to a valid incident severity value. The default scale is: 1,1,1,2,2,2,2,3,3,3.
    The meaning of the default scale is that values with a magnitude of 1-3 will be translated to low severity (positions 1-3 in the scale), values 4-7 will be translated to medium severity (positions 4-7 in the scale) and values 8-10 will be translated to high severity (positions 8-10 in the scale).
  • Added mapping to the mirroring parameters.

Playbooks#

QRadar Indicator Hunting V2#

Fixed MD5 hash search.

QRadar Generic#

The default playbook for working with the QRadar V2 integration for basic SIEM/SOC operations.


IBM Resilient Systems Pack v1.0.5#

Integrations#

IBM Resilient Systems#
  • Fixed an issue where the password parameter was not encrypted in the logs.
  • Updated the Docker image to: demisto/resilient:1.0.0.17061.

IBM X-Force Exchange Pack v1.0.8#

Integrations#

IBM X-Force Exchange v2#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Imperva WAF Pack v1.0.1#

Integrations#

Imperva WAF#

Updated the Docker image to: demisto/python3:3.9.2.17957.


Infinipoint Pack v1.0.6 (Partner Supported)#

Integrations#

Infinipoint#

Updated the Docker image to: demisto/pyjwt3:1.0.0.16907.


Ipinfo Pack v1.0.2#

Integrations#

ipinfo#

Added support for additional context outputs in the ip command.


Jamf Pack v1.0.1#

Integrations#

jamf#

Added to the description a note regarding the limitation of the API version used.


Machine Learning Pack v1.2.3#

Scripts#

ImportMLModel#

Added the modelStoreType argument, which enables importing an ML model as a list.


Maltiverse Pack v1.0.3#

Integrations#

Maltiverse#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17246.

MalwareDomainList Feed Pack v1.0.6#

Integrations#

Malware Domain List Active IPs Feed#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


McAfee ESM Pack v1.1.5#

Integrations#

McAfee ESM v2#
  • Internal code improvements.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Microsoft Graph API Pack v1.0.3#

Integrations#

Microsoft Graph API#
  • Added the Azure AD endpoint integration parameter to support different national clouds.
  • Updated the Docker image to: demisto/crypto:1.0.0.17856.

Microsoft Graph Applications Pack v1.0.3#

Integrations#

Microsoft Graph Applications#
  • Added the Azure AD endpoint integration parameter to support different national clouds.
  • Updated the Docker image to: demisto/crypto:1.0.0.17856.

Microsoft Graph Identity & Access Pack v1.0.3#

Integrations#

Microsoft Graph Identity & Access#
  • Added the Azure AD endpoint integration parameter to support different national clouds.
  • Updated the Docker image to: demisto/crypto:1.0.0.17856.

Microsoft Graph Mail Single User Pack v1.0.14#

Integrations#

Microsoft Graph Mail Single User#
  • Added support for the cache to be updated automatically when the token expires.
  • Updated the Docker image to: demisto/crypto:1.0.0.18288

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.10#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#
  • Added support for the cache to be updated automatically when the token expires.
  • Updated the Docker image to: demisto/pyjwt3:1.0.0.16907.

Microsoft Teams Pack v1.1.5#

Integrations#

Microsoft Teams Management#
  • Added the Azure AD endpoint integration parameter to support different national clouds.
  • Updated the Docker image to: demisto/crypto:1.0.0.17856.
Microsoft Teams#

Added support for the cache to be updated automatically when the token expires.


Netskope Pack v1.0.1#

Integrations#

Netskope#

Fixed an issue where long Alert IDs were rounded down.


Palo Alto Networks BPA Pack v1.2.5#

Integrations#

Palo Alto Networks BPA#
  • Added the timeout argument to the pan-os-bpa-submit-job command.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.1#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Breaking Change: The xdr-endpoint-scan command will not scan all the endpoints when no filter is given, but only when the argument all is marked as true.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Playbooks#

Cortex XDR - Block File#

The playbook now checks if the integration is available.


Palo Alto Networks PAN-OS EDL Service Pack v1.0.10#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • Added printing to the server log when an exception is raised, and fixed caching of indicators.
  • Updated the Docker image to the latest version.

Palo Alto Networks WildFire Pack v1.3.3#

Integrations#

Palo Alto Networks WildFire v2#
  • Fixed an issue that it is unable to create reports when there is no report for any of the file hashes.
  • Added support for additional context outputs in the file command.
  • Added support for the new -104 status added by Wildfire for the following commands:
    • wildfire-get-verdict
    • wildfire-get-verdicts
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

PhishLabs Pack v1.0.1#

Integrations#

PhishLabs IOC EIR#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.
PhishLabs IOC#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Plain Text Feed Pack v1.0.7#

Integrations#

Plain Text Feed#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


RSA Archer Pack v1.1.14#

Integrations#

RSA Archer v2#
  • Added error handling to the archer-update-record command when the fieldsToValues argument does not match the requirements.
  • Updated the update session function to better handle errors when a provided URL is invalid and the session fails to create.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Recorded Future Pack v1.0.3#

Integrations#

Recorded Future#

Added support for additional context outputs to the following commands:

  • ip
  • url
  • file
  • domain

Server Message Block (SMB) Pack v2.0.1#

Integrations#

Server Message Block (SMB) v2#

Fixed an issue where the client_guid parameter was not handled properly.


Slack Pack v1.3.17#

Integrations#

Slack v2#
  • Fixed an issue where inviting a user to a channel to which they already belong caused the slack-invite-to-channel command to fail.
  • Updated the Docker image to: demisto/slack:1.0.0.18207

Spamhaus Feed Pack v1.0.6#

Integrations#

Spamhaus Feed#

Fixed an issue where the Tags parameter defined in the feed instance configuration was not associated with an indicator field.


Splunk Pack v2.0.0#

Integrations#

SplunkPy#
  • Changed the default fetch query for the fetch-incidents functionality.
  • Added an enrichment mechanism for fetched notables.
  • Added support for incoming incident mirroring from a remote Splunk server. (Supported from Cortex XSOAR version 6.0.0).
  • Added support for outgoing incident mirroring to a remote Splunk server. (Supported from Cortex XSOAR version 6.0.0).
  • Added support for the Mirror incoming incidents integration parameter that is used to allow incoming mirroring of fetched incidents.
  • Added support for the Close Mirrored XSOAR Incident integration parameter that is used for closing a mirrored XSOAR incident if the corresponding notable was closed on Splunk Server.
  • Updated the Docker image to: demisto/splunksdk:1.0.0.18173.

Mappers#

Splunk - Incoming Mapper#

Added support for incoming and outgoing mirroring.


Tenable.sc Pack v1.0.1#

Integrations#

Tenable.sc#

Fixed an issue where the tenable-sc-get-scan-report command failed due to invalid key parsing.


TheHive Project Pack v1.1.0 (Community Contributed)#

Incident Fields#

  • TheHive Observables - The field is editable.
  • TheHive Tasks - The field is editable.

Integrations#

TheHive Project#
  • Added support for the get-modified-remote-data command.
  • Updated the Docker image to: demisto/python3:3.9.2.18414.

ThreatConnect Pack v2.0.14#

Integrations#

ThreatConnect v2#

Added the indicator attributes to the outputs of the tc-get-indicator command.


ThreatMiner Pack v1.0.3#

Integrations#

ThreatMiner#

Added support for the Source Reliability integration parameter.


URLhaus Pack v1.0.2#

Integrations#

URLhaus#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Uptycs Pack v1.0.5 (Partner Supported)#

Integrations#

Uptycs#

Updated the Docker image to: demisto/uptycs:1.0.0.18207.


Urlscan.io Pack v1.0.9#

Integrations#

urlscan.io#
  • Added support for the Source Reliability integration parameter.
  • Added support for additional context outputs in the url command.

VirusTotal Pack v2.0.1#

Classifiers#

Integrations#

New: VirusTotal (API v3)#

Analyzes suspicious hashes, URLs, domains, and IP addresses. (Available from Cortex XSOAR 5.5.0).

New: VirusTotal - Premium (API v3)#

Analyzes retro hunts, reads live hunt notifications, and downloads files from VirusTotal.

Mappers#

New: VirusTotal Intelligence LiveHunt Notification#

Playbooks#

New: Detonate File - VirusTotal (API v3)#

Detonate a file through VirusTotal (API v3) integration.

New: Detonate URL - VirusTotal (API v3)#

Detonates a URL through VirusTotal (API v3) integration.

New: Create Zip from VirusTotal#

Creates a zip file from the given hashes that exist in VirusTotal.


Whois Pack v1.2.1#

Integrations#

Whois#
  • Fixed an issue where not selecting an initial value for the Source Reliability integration parameter caused the integration to fail.
  • Added the ip command to enrich IP addresses.
  • Added support for additional context outputs in the domain command.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/ippysocks:1.0.0.18080.

Windows Remote Management Pack v1.0.3#

Integrations#

Windows Remote Management (Beta)#

Added documentation for the integration.


Workday Pack v1.1.0#

Integrations#

Workday IAM#
  • Added the deactivation_date_field parameter, which specifies which field in the Workday report determines when to trigger a termination event for deactivated employees.
  • Added the days_before_hire_to_sync parameter, which determines when to sync employees from Workday.
  • Added the days_before_hire_to_enable_ad parameter, which determines when to enable the Active Directory accounts of employees.
  • Improved the implementation of the fetch-incidents command.
  • Updated the Docker image to: demisto/python3:3.9.2.17957.

Mappers#

IAM Sync User - Workday#

Added a mapping for the new IAM - AD User Activation incident type.


Assets#