Skip to main content

Cortex XSOAR Content Release Notes for version 21.4.1 (335635)#

Published on 27 April 2021#

Breaking Changes#

The following packs include breaking changes.


Rapid Breach Response Pack v1.6.1#

Playbooks#

New: Codecov Breach - Bash Uploader#

This playbook includes the following tasks:

  • Search for the Security Notice email sent from Codecov.

  • Collect indicators to be used in your threat hunting process.

  • Query network logs to detect related activity. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

    More information: Codecov Security Notice

Codecov Breach - Bash Uploader#

Added panorama query to search for logs with related anti-spyware signatures

  • Data Exfiltration Traffic Detection
  • Malicious Modified Shell Script Detection

New: Armis Pack v1.0.0#

Classifiers#

Armis#
Armis - Incoming Mapper#

Maps incoming Armis alerts.

Armis - Classifier#

Classifies Armis alerts.

Incident Fields#

  • Armis Alert Description - Armis Alert Description
  • Armis Alert ID - Armis Alert ID
  • Armis Alert Severity - Armis Alert Severity
  • Armis Alert Status - Armis Alert Status
  • Armis Alert Type - Armis Alert Type
  • Armis Device IDs - Armis Device IDs
  • Armis Device Risk Level - Armis risk score for a device

Incident Types#

Armis Alert

Integrations#

Armis#

Use the Armis integration to search alerts and devices, tag and untag devices, and set alert statuses.

Layouts#

Armis Alert - Summary

Playbooks#

Armis Alert Enrichment#

Enrich Armis alerts with the devices in the context details.


New: PAN-OS Policy Optimizer Pack v1.0.0#

Integrations#

PAN-OS Policy Optimizer#

Automate your AppID Adoption by using this integration together with your Palo Alto Networks Next-Generation Firewall or Panorama.


New: PAN-OS to Cortex Data Lake Monitoring Pack v1.0.0 (Community Contributed)#

Incident Fields#

  • fwserials - Comma-separated list of PAN-OS Firewall serial numbers.
  • panosintegrationinstancename - The name of the PAN-OS integration instance.

Incident Types#

  • Cortex Data Lake Monitoring

  • PAN-OS logging to Cortex Data Lake - Action Required

Layouts#

  • Cortex Data Lake Monitoring
  • PAN-OS logging to Cortex Data Lake - Action Required

Playbooks#

PAN-OS logging to Cortex Data Lake - Action Required#

This playbook initiates the steps needed to investigate the PAN-OS logging to Cortex Data Lake problems.

PAN-OS to Cortex Data Lake Monitoring - Cron Job#

This playbook verifies that your firewalls sent logs to the Cortex Data Lake in the last 12 hours. An email notification will be sent if it's not the case. This playbook is designed to run as a job.

Scripts#

PANOStoCortexDataLakeMonitoring#

Verify that all firewalls successfully pushed logs to the Cortex Data Lake for the last 12 hours. It's an easy way to do monitoring of the firewall connection to Cortex Data Lake. You can use either a manual list of firewall serial numbers or a Panorama integration to get the list of equipment to monitor.


New: TOPdesk Pack v1.0.0#

Classifiers#

TOPdesk Incoming Mapper#

Maps incoming TOPdesk incidents fields.

Incident Fields#

  • TOPdesk Call Type
  • TOPdesk Caller Branch Name
  • TOPdesk Caller Name
  • TOPdesk Category
  • TOPdesk Creation Date
  • TOPdesk Creator
  • TOPdesk Duration
  • TOPdesk Entry Type
  • TOPdesk Impact
  • TOPdesk Line
  • TOPdesk MainIncident
  • TOPdesk Modification Date
  • TOPdesk Modifier
  • TOPdesk Number
  • TOPdesk Priority
  • TOPdesk Processing Status
  • TOPdesk Subcategory
  • TOPdesk Urgency

Incident Types#

TOPdesk Incident

Integrations#

TOPdesk#

TOPdesk’s Enterprise Service Management (ESM) software lets your service teams join forces and process requests from a single platform.

Layouts#

TOPdesk Incident


New: XSOAR Storage Pack v1.0.0 (Community Contributed)#

Integrations#

XSOAR Storage#

Facilitates the storage and retrieval of key/value pairs within XSOAR.


AWS - ACM Pack v1.0.3#

Integrations#

AWS - ACM#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.19032.

AWS - AccessAnalyzer (Beta) Pack v1.0.4#

Integrations#

AWS - AccessAnalyzer (Beta)#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.19032.

AWS - Athena (Beta) Pack v1.0.3#

Integrations#

AWS - Athena (Beta)#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.19031.

AWS - CloudTrail Pack v1.0.5#

Integrations#

AWS - CloudTrail#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3:2.0.0.19034.

AWS - EC2 Pack v1.1.7#

Integrations#

AWS - EC2#
  • Added support for GovCloud regions.
  • Added 2 commands:
    • aws-ec2-allocate-hosts
    • aws-ec2-release-hosts
  • Updated the Docker image to: demisto/boto3:2.0.0.19155.

AWS - GuardDuty Pack v1.1.2#

Integrations#

AWS - GuardDuty#
  • Added 2 commands:
    • aws-gd-list-members
    • aws-gd-get-members
  • Fixed an issue where the aws-gd-get-findings command failed to execute.
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3:2.0.0.19034.

AWS - IAM Pack v1.0.2#

Integrations#

AWS - IAM#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3:2.0.0.19034.

AWS - Lambda Pack v1.1.1#

Integrations#

AWS - Lambda#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.19032.

AWS - S3 Pack v1.0.5#

Integrations#

AWS - S3#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3:2.0.0.19034.

AWS - Security Hub Pack v1.0.5#

Integrations#

AWS - Security Hub#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.19032.

AWS Feed Pack v1.1.2#

Integrations#

AWS Feed#
  • Internal code improvements.
  • Updated the Docker image to demisto/jmespath:1.0.0.19143.

AWS-NetworkFirewall Pack v1.0.1#

Integrations#

AWS Network Firewall#
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.19032.

Abuse.ch SSL Blacklist Feed Pack v1.1.0#

Integrations#

abuse.ch SSL Blacklist Feed#

Added support for relations between indicators.


AbuseIPDB Pack v1.0.4#

Integrations#

AbuseIPDB#

Added the AbuseIPDB.IP.ISP output path to the following commands:

  • ip
  • abuseipdb-check-cidr-block

Advanced Filter Pack v1.1.2 (Community Contributed)#

Scripts#

ExtFilter#
  • Added the email-header: decode operator.
  • Added the regex: replace operator.
  • Fixed an issue where an error was raised for the decoded text that includes non-utf8 characters in base64: decode.
  • Added the is individually transformed with operator.
  • Added DT syntax support to refer to the current value, e.g., ${.name}.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

AlienVault Feed Pack v1.1.0#

Integrations#

AlienVault Reputation Feed#

Added support for relations between indicators.


AlienVault OTX Pack v1.0.4#

Integrations#

AlienVault OTX v2#
  • Fixed an issue where the url command failed with status code 404.
  • Updated the Docker image to: demisto/python3:3.9.2.18414,

Amazon DynamoDB Pack v1.0.5#

Integrations#

Amazon DynamoDB#
  • Fixed an issue where some commands would return a ParamValidationError error.
  • Added support for GovCloud regions.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.19032.

Atlassian Jira Pack v1.3.2#

Integrations#

Atlassian Jira v2#
  • Breaking Change: Reverted a change that was introduced in version 1.2.1 as it was not compatible with Jira Server. The reporter argument in the jira-create-issue command was changed back to refer to the name of the reporter. Use the new reporter_id argument for specifying the reporter's account ID.
  • Added the reporter_id argument to the jira-create-issue command, which enables setting an issue reporter using the user's account ID in order to support changes in the Jira Cloud API.

AutoFocus Pack v1.1.17#

Integrations#

AutoFocus Daily Feed#
  • Added support to enable using the Cortex XSOAR Auto Focus API key.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.
Palo Alto Networks AutoFocus v2#
  • Added support to enable using the Cortex XSOAR Auto Focus API key.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.
AutoFocus Feed#
  • Added support to enable using the Cortex XSOAR Auto Focus API key.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Bambenek Consulting Feed Pack v1.1.0#

Integrations#

Bambenek Consulting Feed#
  • Added support for relations between indicators.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Base Pack v1.10.2#

Scripts#

DBotFindSimilarIncidentsByIndicators#

Fixed an issue where if you query an incident that does not exist, it will no longer cause an error.

DBotFindSimilarIncidents#

Fixed an issue in the return format of the DBotFindSimilarIncidents automation. The contents output will now be in JSON format.

CommonServerPython#
  • Added to CommandResults support for Polling Entry results, which enable integrations to run a polling sequence (server version 6.2.0+).
  • Added an option to search indicators according to server version.
  • Added support to enable using the AutoFocus API key (XSOAR server version 6.2.0+).
  • Added support for relations between indicators.
  • Maintenance and stability enhancements.
DBotPredictPhishingWords#
  • Updated the script to support the new version of the out-of-the-box model.
  • Added support for predicting multiple emails at once.
  • Updated the Docker image to: demisto/ml:1.0.0.19023.
GetIndicatorsByQuery#

Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.

DBotMLFetchData#

Updated the Docker image to: demisto/fetch-data:1.0.0.19057.

DBotBuildPhishingClassifier#

Maintenance and stability enhancements.


BitSight Pack v1.0.2 (Community Contributed)#

Incident Fields#

Integrations#

BitSight for Security Performance Management#

Updated the Docker image to: demisto/python3:3.9.4.18682.

Layouts#

BitSight Findings

Breaking changes: Replaced all BitSight associated incident fields with their new names.

Mappers#

BitSight - Incoming Mapper#

Breaking changes: Replaced all BitSight associated incident fields with their new names.


BitcoinAbuse Feed Pack v1.0.2#

Integrations#

BitcoinAbuse Feed#

Updated the Docker image to: demisto/python3:3.9.4.18682.


BlockList DE Feed Pack v1.1.0#

Integrations#

Blocklist_de Feed#

Added support for relations between indicators.


BruteForce Feed Pack v1.1.0#

Integrations#

BruteForceBlocker Feed#

Added support for relations between indicators.


CSV Feed Pack v1.1.0#

Integrations#

CSV Feed#

Added support for relations between indicators.


Carbon Black Enterprise Response Pack v1.1.6#

Playbooks#

New: Carbon Black Response - Unisolate Endpoint#

This playbook unisolates sensors according to the sensor ID that is provided in the playbook input. (Available from Cortex XSOAR 5.5.0).


Cisco Secure Cloud Analytics (Stealthwatch Cloud) Pack v1.0.4#

Integrations#

Cisco Secure Cloud Analytics (Stealthwatch Cloud)#

Rebranded Stealthwatch Cloud to Cisco Secure Cloud Analytics (Stealthwatch Cloud)


Cisco Secure Network Analytics (Stealthwatch) Pack v1.0.1#

Integrations#

Cisco Secure Cloud Analytics (Stealthwatch Cloud)#
  • Rebranded Cisco Stealthwatch to Cisco Secure Network Analytics (Stealthwatch).
  • Updated the Docker image to demisto/python3:3.9.4.18682.

Cisco Threat Grid Pack v1.2.0#

Integrations#

New: Cisco Secure Malware Analytics Feed#

Secure Malware Analytics (formerly Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. (Available from Cortex XSOAR 5.5.0).


Cloudflare Feed Pack v1.1.0#

Integrations#

Cloudflare Feed#

Added support for relations between indicators.


Cofense Intelligence Pack v1.0.1#

Integrations#

Cofense Intelligence#

Added support for the Source Reliability integration parameter.


Common Playbooks Pack v1.9.3#

Playbooks#

New: Unisolate Endpoint - Generic#

This playbook unisolates endpoints according to the endpoint ID or hostname that is provided by the playbook input. It currently supports the following integrations:

  • Carbon Black Response
  • Cortex XDR
  • Crowdstrike Falcon
  • FireEye HX
  • Cybereason

(Available from Cortex XSOAR 5.5.0).

Detonate File - Generic#

Fixed an issue where the playbook context outputs had duplicate values.


Common Scripts Pack v1.3.37#

Scripts#

UnEscapeURLs#

Added support for Proofpoint gov cloud addresses.

ParseEmailFiles#
  • Fixed an issue where emails containing an .ics attachment failed to parse.
  • Fixed an issue where Polish letters were parsed incorrectly.
  • Fix an issue where the automation failed to decode emails that contained utf-8 characters.
AssignAnalystToIncident#

Fixed an issue where the AssignAnalystToIncident command did not use the roles argument when the assignBy argument was set to: machine-learning/, top-user, less-busy-user.


CrowdStrike Falcon Pack v1.2.15#

Playbooks#

New: Crowdstrike Falcon - Unisolate Endpoint#

This playbook unisolates devices according to the device ID that is provided in the playbook input. (Available from Cortex XSOAR 5.5.0).


CrowdStrike Falcon Sandbox Pack v1.0.5#

Integrations#

CrowdStrike Falcon Sandbox#

Fixed an issue where no results were found when passing any file to the file argument in the crowdstrike-scan command.


Cybereason Pack v1.0.8#

Integrations#

Cybereason#

Fixed an issue where the cybereason-malop-processes command did not show the correct outputs.

Playbooks#

New: Unisolate Endpoint - Cybereason#

This playbook unisolates endpoints according to the hostname that is provided by the playbook input. (Available from Cortex XSOAR 5.5.0).


Cylance Protect Pack v1.0.3#

Playbooks#

getfile_sample_by_hash-_cylance_protect#

DEPRECATED. Use the Get File Sample By Hash - Cylance Protect v2 playbook instead.

Endpoint Enrichment - Cylance Protect v2#

Maintenance and stability enhancements.

Get File Sample By Hash - Cylance Protect#

Maintenance and stability enhancements.

Block File - Cylance Protect v2#

Maintenance and stability enhancements.

Get File Sample By Hash - Cylance Protect v2#

Maintenance and stability enhancements.


DShield Feed Pack v1.1.0#

Integrations#

DShield Feed#

Added support for relations between indicators.


EWS Pack v1.8.14#

Integrations#

O365 - Security And Compliance - Content Search (Beta)#

Added the following to the get-search-action command context and human readable output.

  • ItemCount
  • TotalSize
  • FailedCount

Email Communication Pack v1.3.7#

Classifiers#

New: MS Graph Mail - Classifier - Email Communication#

Classifies MS Graph Mail email messages.

Mappers#

New: MS Graph Mail - Incoming Mapper - Email Communication#

Maps incoming MS Graph Mail email message fields.

Scripts#

DisplayEmailHtml#
  • Fixed an issue where the script failed when an incident did not have the Email HTML field.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Expanse v2 Pack v1.3.0#

Integrations#

Expanse v2#
  • Added support for the Expanse Services API.
  • Added the ability to create, list, and assign Point of Contacts to assets.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Playbooks#

New: NSA - 5 Security Vulnerabilities Under Active Nation-State Attack#
  • Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation. This playbook should be trigger manually and includes the following tasks:
  • Enrich related known CVEs reported in the US agencies alert.
  • Search for unpatched endpoints vulnerable to the exploits.
  • Search for vulnerable assets facing the internet using Expanse.

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information: [Cyber Security Advisory] (https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF) (Available from Cortex XSOAR 6.0.0).


Export Indicators Pack v1.0.4#

Integrations#

Export Indicators Service#
  • Fixed an issue where the Export Indicators Service would occasionally export indicators with null values.
  • Updated the Docker image to: demisto/teams:1.0.0.19101.

Fastly Feed Pack v1.1.2#

Integrations#

Fastly Feed#

Internal code improvements.


FeodoTracker Feed Pack v1.1.0#

Integrations#

Feodo Tracker IP Blocklist Feed#
  • Added support for relations between indicators.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

FireEye HX Pack v1.0.10#

Playbooks#

New: FireEye HX - Unisolate Endpoint#

This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input. (Available from Cortex XSOAR 5.5.0).


GitHub Pack v1.2.0#

Integrations#

GitHub#
  • Added the GitHub-get-file-content command.
  • Added the Github-list-files command.
  • Added repository and organization arguments to the following commands:
    • GitHub-list-pr-files command.
    • Github-get-pull-request command.
  • Added the GitHub.Issue.Organization output to the following commands:
    • GitHub-create-issue
    • GitHub-close-issue
    • GitHub-update-issue
    • GitHub-list-all-issues
    • GitHub-search-issues

Gmail Pack v1.1.6#

Integrations#

Gmail#
  • Fixed an issue where the gmail-search-all-mailboxes command failed to run when disabled mailboxes existed.
  • Updated the Docker image to: demisto/google-api:1.0.0.18525.

Google Safe Browsing Pack v1.0.3#

Integrations#

Google Safe Browsing#
  • Added support for the Source Reliability integration parameter.
  • Fixed an issue where the API Key parameter was not encrypted.

HelloWorld Pack v1.2.3 (Community Contributed)#

Integrations#

HelloWorld Feed#

Maintenance and stability enhancements.


Intel471 Feed Pack v1.1.2#

Integrations#

Intel471 Malware Feed#
  • Internal code improvements.
  • Updated Docker image to demisto/jmespath:1.0.0.19143.
Intel471 Actors Feed#
  • Internal code improvements.
  • Updated Docker image to demisto/jmespath:1.0.0.19143.

JSON Feed Pack v1.1.2#

Integrations#

JSON Feed#
  • Added support for headers and POST data.
  • Updated Docker image to demisto/jmespath:1.0.0.19143.

MITRE ATT&CK Pack v1.1.11#

Integrations#

MITRE ATT&CK Feed#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/taxii2:1.0.0.18446.

Machine Learning Pack v1.2.6#

Scripts#

New: DBotPredictOutOfTheBoxV2#

Predict phishing incidents using the out-of-the-box pre-trained model.

DBotPredictOutOfTheBoxV2#

Updated the Docker image to: demisto/ml:1.0.0.19023.

New: DBotPredictIncidentsBatch#

Apply a trained ML model on multiple incidents at once, to compare how the incidents were labeled by analysts, as opposed to the predictions of the model. This script is aimed to help evaluate a trained model using past incidents.


Majestic Million Feed Pack v1.1.0#

Integrations#

Majestic Million Feed#

Added support for relations between indicators.


MalwareDomainList Feed Pack v1.1.0#

Integrations#

Malware Domain List Active IPs Feed#

Added support for relations between indicators.


Microsoft Graph Mail Pack v1.0.19#

Integrations#

Microsoft Graph Mail#
  • Added the reply-mail command. This command replies to an email using Graph Mail.
  • Updated the Docker image to: demisto/crypto:1.0.0.18288.

Microsoft Teams Pack v1.1.7#

Integrations#

Microsoft Teams#
  • Added the microsoft-teams-create-meeting command.
  • Updated the Docker image to: demisto/teams:1.0.0.19066.

Scripts#

New: ConfigureAzureApplicationAccessPolicy#

This script grants a user the permissions needed to create a Teams meeting. It connects to MS Teams, creating an application access policy to a chosen application and then grants a user permissions. (Available from Cortex XSOAR 5.5.0).


Nessus Pack v1.0.2#

Integrations#

Nessus#
  • Fixed the outputs of the nessus-scan-details command.
  • Maintenance and stability enhancements.

Okta Pack v2.1.8#

Integrations#

Okta IAM#
  • Fixed an issue where Okta blocked email accounts for newly created users.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Mappers#

Okta IAM - App Sync (mapper)#

Added the IAM - App Update mapping.


PAN-OS to Cortex Data Lake Monitoring Pack v1.0.4 (Community Contributed)#

Playbooks#

PAN-OS to Cortex Data Lake Monitoring - Cron Job#
  • Fixed an issue with the playbook inputs.
  • Fixed an issue where an incorrect incident type was called.

Scripts#

PANOStoCortexDataLakeMonitoring#
  • Fixed an issue with the querying of the Cortex Data Lake table.
  • Fixed an issue in the managing of the Firewalls lists of Firewalls.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.7#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Fixed a typo in the output of the xdr-get-incident-extra-data command.
  • Added the xdr-endpoint-scan-abort command which cancels the scan of selected endpoints.
  • Fixed an issue where the xdr-endpoint-scan command failed using some of its arguments.
  • Fixed an issue where the xdr-get-endpoints command failed using the alias argument.
  • Fixed an issue where the xdr-run-script command failed when it was called without the parameters argument.
  • Fixed an issue where closing incidents in batches failed to update the incidents in XDR when using the outgoing mirroring from XSOAR to XDR.
  • Fixed an issue where a timestamp misconfiguration caused incidents to not update when using the incoming mirroring from XDR to XSOAR.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Playbooks#

New: Cortex XDR - Unisolate Endpoint#

This playbook unisolates endpoints according to the endpoint ID that is provided in the playbook input. (Available from Cortex XSOAR 5.5.0).


Palo Alto Networks PAN-OS EDL Management Pack v1.0.4#

Integrations#

Palo Alto Networks PAN-OS EDL Management (Deprecated)#

Updated the migration steps to the PAN-OS EDL Service integration.


Palo Alto Networks PAN-OS EDL Service Pack v1.0.14#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • Updated the migration steps from the PAN-OS EDL Management integration.
  • Fixed an issue where a XSOAR indicator page was skipped.
  • Fixed an issue where IPv6 addresses were not exported properly.
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.

Palo Alto Networks Threat Vault Pack v1.0.3#

Integrations#

Palo Alto Networks Threat Vault#
  • Added support to enable using the Cortex XSOAR Auto Focus API key.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Phish.AI Pack v1.0.1 (Partner Supported)#

Integrations#

Phish.AI (Deprecated)#

Deprecated. Partner has declared end-of-life for this product.

Playbooks#

Detonate URL - Phish.AI#

Deprecated. Partner has declared end-of-life for this product.


Plain Text Feed Pack v1.1.0#

Integrations#

Plain Text Feed#

Added support for relations between indicators.


Pulsedive Pack v1.0.2 (Community Contributed)#

Integrations#

Pulsedive#
  • Breaking Change: The following commands do not generate an error if no indicator is found.
    • ip
    • url
    • domain
  • Added an indicator even when no reputation was found.
  • Fixed the testing scenario for the integration test button.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

QualysFIM Pack v1.0.1#

Integrations#

Qualys FIM#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Red Canary Pack v1.1.0#

Integrations#

Red Canary#

Updated the Docker image to: demisto/python3:3.9.4.18682


RubrikPolaris Pack v1.0.1 (Partner Supported)#

Integrations#

Rubrik Polaris#
  • Fixed an issue where the "Go to" links for the classifier and mapper in the integration instance settings didn't work after installation with the default values.
  • Changed the display name of the integration to Rubrik Radar.
  • Modified the Occurred incident field to accurately match the Last Updated field in a Radar Anomaly Event.

Layouts#

Rubrik Polaris Radar - Removed an extra Message field in the layout that would appear below the message table.


Sixgill Darkfeed - Annual Subscription Pack v2.0.0 (Partner Supported)#

Indicator Fields#

New: CVSS 2.0 Severity#

The CVE's severity level in CVSS 2.0 format.

New: CVSS 2.0 score#

The CVE's score level in CVSS 2.0 format.

New: CVSS 3.1 score#

The CVE's score level in CVSS 3.1 format.

New: CVSS 3.1 severity#

The CVE's severity level in CVSS 3.1 format.

New: External Id#

CVE ID.

New: NVD Last Modified Date#

The CVE's last modification date on the National Vulnerability Database.

New: NVD Link#

The link to the CVE's page on the National Vulnerability Database.

New: NVD Publication Date#

The CVE's publication date on the National Vulnerability Database.

New: NVD Vector - v 2.0#

The National Vulnerability Database vector - V2.0.

New: NVD Vector - v 3.1#

The National Vulnerability Database Vector - V3.1.

New: Previous level#

The CVE's previous DVE score level.

New: Sixgill - Previously Exploited Probability#

The probability that this CVE has been previously exploited.

New: Sixgill DVE Score - Current#

The current DVE rating of the CVE.

New: Sixgill DVE Score - Highest Ever#

The highest ever DVE score given to this CVE.

New: Sixgill DVE Score - Highest Ever Date#

The date on which the CVE reached its highest ever DVE score.

New: Sixgill_Event Action#

The event's action.

New: Sixgill_Event Datetime#

The date and time of the event.

New: Sixgill_Event Description#

The event's description.

New: Sixgill_Event Name#

The event's name.

New: Sixgill_Event Type#

The event's type.

Integrations#

New: Cybersixgill DVE Feed Threat Intelligence#

Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get CVE Feed straight into the XSOAR platform. (Available from Cortex XSOAR 5.5.0).


Spamhaus Feed Pack v1.1.0#

Integrations#

Spamhaus Feed#

Added support for relations between indicators.


Splunk Pack v2.0.1#

Integrations#

SplunkPy#

Fixed an issue where headers containing spaces were not displayed in the human readable output of the splunk-search command.


StringifyArray Pack v1.0.1 (Community Contributed)#

Scripts#

StringifyArray#

Maintenance and stability enhancements.


ThreatExchange Pack v1.0.2#

Integrations#

ThreatExchange#

Added support for the Source Reliability integration parameter.


Tidy Pack v1.0.2#

Integrations#

Tidy#
  • Added the homebrew_taps argument to the tidy-homebrew command.
  • Updated the Docker image to: demisto/tidy:1.0.0.19163.

Playbooks#

Content developer setup#

Maintenance and stability enhancements.


Urlscan.io Pack v1.1.0#

Integrations#

urlscan.io#

Added support for relations between indicators.


VMware Pack v1.1.1#

Integrations#

VMware#

Fixed an issue where some responses were incorrectly parsed causing the vmware-get-vms command to fail.


VirusTotal Pack v2.0.4#

Integrations#

VirusTotal#

VirusTotal has been updated to VirusTotal v3. Use the updated version instead.

  • Added support for the Source Reliability integration parameter.
  • Fixed an issue where the Source Reliability integration parameter was not properly set.

VirusTotal - Private API Pack v1.0.7#

Integrations#

VirusTotal - Private API#

Fixed an issue in the vt-private-get-url-report command where querying an invalid URL would raise an error instead of displaying an indicative message in the War Room.


Whois Pack v1.2.2#

Integrations#

Whois#

Fixed an issue where the IP indicator type was associated instead of the CIDR indicator type in the FeedRelatedIndicators field.


iDefense Pack v3.0.3#

Integrations#

iDefense Feed#

Internal code improvements.


Assets#