Skip to main content

Cortex XSOAR Content Release Notes for version 21.5.0 (350701)#

Published on 11 May 2021#

Breaking Changes#

The following packs includes breaking changes:

New: G Suite Security Alert Center Pack v1.0.0#

Classifiers#

G Suite Security Alert Center - Mapper#

Maps incoming G Suite Security Alert Center incident fields.

G Suite Security Alert Center - Classifier#

Classifies G Suite Security Alert Center Incidents.

G Suite Security Alert Center#

Incident Fields#

  • GSuiteSAC Alert ID - The unique identifier for the alert.
  • GSuiteSAC Alert Severity - The severity value of the alert.
  • GSuiteSAC Alert Source - A unique identifier for the system that reported the alert.
  • GSuiteSAC Alert Status - The current status of the alert.
  • GSuiteSAC Alert Type - The type of the alert.
  • GSuiteSAC Create Time - The time the alert was created.
  • GSuiteSAC Customer ID - The unique identifier of the Google account of the customer.
  • GSuiteSAC Deleted - True if the alert is marked for deletion.
  • GSuiteSAC End Time - The time the event that caused the alert ceased being active.
  • GSuiteSAC Etag - Etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of an alert from overwriting each other.
  • GSuiteSAC Feedback Create Time - The time the feedback was created.
  • GSuiteSAC Feedback Email - The email of the user that provided the feedback.
  • GSuiteSAC Feedback ID - The unique identifier for the feedback.
  • GSuiteSAC Feedback Type - The type of the feedback.
  • GSuiteSAC Security Investigation Tool Link - An optional Security Investigation Tool query for the alert.
  • GSuiteSAC Start Time - The time the event that caused the alert was started or detected.
  • GSuiteSAC Update Time - The time the alert was last updated.

Incident Types#

G Suite Security Alert Center

Integrations#

G Suite Security Alert Center#

G Suite Security Alert Center allows users to fetch different alert types such as Suspicious login, Device compromised, Leaked password, and more. Users can delete or recover a single alert or a batch of alerts and retrieve the alert's metadata. This integration allows users to provide feedback for alerts and fetch existing feedback for a particular alert.

Layouts#

  • G Suite Security Alert Center - Summary
  • G Suite Security Alert Center (Available from Cortex XSOAR 6.0.0).

New: IPQualityScore (IPQS) Threat Risk Scoring Pack v1.0.0 (Partner Supported)#

Integrations#

IPQualityScore#

Proactively prevent fraud.


New: JSON Sample Incident Generator Pack v1.0.0 (Community Contributed)#

Integrations#

JSON Sample Incident Generator#

A utility for testing incident fetching with mock JSON data.


New: TIM Campaign Tracking Pack v1.0.0 (Community Contributed)#

Incident Fields#

  • TIM Campaign Threat Alias
  • TIM Campaign Threat Detected
  • TIM Campaign Threat Goals
  • TIM Campaign Threat Motivation

Incident Types#

TIM - Campaign

Layouts#

TIM - Campaign (Available from Cortex XSOAR 6.0.0).

Playbooks#

TIM - Intel Tracking#
  • Track threat actors and campaigns by uploading threat intelligence in the form of briefs and IOCs.
  • Add notes and find IOCs in related incidents.

New: Trello Pack v1.0.0 (Community Contributed)#

Classifiers#

Trello - Incoming Mapper#

Incident Fields#

  • Trello Board ID
  • Trello Board Name
  • Trello Card ID
  • Trello Card URL
  • Trello Created By
  • Trello Details
  • Trello List ID
  • Trello List Name
  • Trello SLA

Incident Types#

Trello

Integrations#

Trello#

Interact with the Trello task manager.

Layouts#

Trello (Available from Cortex XSOAR 6.0.0).

Playbooks#

Trello - Generic#

A generic extract and enrichment playbook for incidents based on Trello card data.

Trello Set Severity#

Updates the severity of a Trello card by setting, and creates if required, a Trello label.


ARIAPacketIntelligence Pack v2.0.1 (Partner Supported)#

Integrations#

ARIA Packet Intelligence#

Maintenance and stability enhancements.


AWS - ACM Pack v1.0.4#

Integrations#

AWS - ACM#

Maintenance and stability enhancements.


AWS - CloudWatchLogs Pack v1.1.0#

Integrations#

AWS - CloudWatchLogs#
  • Internal code improvements.
  • Updated the Docker image to: demisto/boto3:2.0.0.19297.

AWS - EC2 Pack v1.1.8#

Integrations#

AWS - EC2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/boto3:2.0.0.19717.

AWS - Route53 Pack v1.1.0#

Integrations#

AWS - Route53#
  • Internal code improvements.
  • Updated the Docker image to: demisto/boto3:2.0.0.19411.

AWS - SQS Pack v1.1.0#

Integrations#

AWS - SQS#
  • Added support for the following fields in the instance configuration:
    • access key
    • secret key
  • Updated the Docker image to: demisto/boto3:2.0.0.19411.

AWS Feed Pack v1.1.3#

Integrations#

AWS Feed#

Internal code improvements.


AWS Sagemaker Pack v1.1.0#

Integrations#

AWS Sagemaker#
  • Internal code improvements.
  • Updated the Docker image to: demisto/boto3:2.0.0.19411.

Abuse.ch SSL Blacklist Feed Pack v1.1.1#

Integrations#

abuse.ch SSL Blacklist Feed#

Maintenance and stability enhancements.


Active Directory Query Pack v1.1.11#

Integrations#

Active Directory Query v2#
  • Improved error handling in the following commands:
    • iam-get-user
    • iam-create-user
    • iam-update-user
    • iam-disable-user
  • Fixed an issue where the ad-get-computer command outputted "null" values when no results were found.
  • Updated the Docker image to: demisto/ldap:1.0.0.19143.

Scripts#

IAMInitADUser#
  • Improved error handling for commands called from this script.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

AlienVault Feed Pack v1.1.1#

Integrations#

AlienVault Reputation Feed#

Maintenance and stability enhancements.


AlienVault OTX Pack v1.1.1#

Integrations#

AlienVault OTX v2#
  • Fixed an issue where the url command returned no matches in a list including some URLs with status code 404.
  • Added support for relations between indicators.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Anomali ThreatStream Pack v1.1.1#

Integrations#

Anomali ThreatStream v2#
  • Fixed an issue where the tags information was missing from the context outputs of the following commands:
    • ip
    • domain
    • file
    • url
    • threatstream-email-reputation
  • Updated the Docker image to: demisto/emoji:1.0.0.18288

Ansible Powered Integrations Pack v1.0.1 (Community Contributed)#

Integrations#

OpenSSL#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/ansible-runner:1.0.0.19562.
Microsoft Windows#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/ansible-runner:1.0.0.19562.

Ansible Tower Pack v1.0.2#

Integrations#

Ansible Tower#

Maintenance and stability enhancements.


Atlassian IAM Pack v1.0.1#

Integrations#

Atlassian IAM#

Added a new error type to the IAMErrors class.


Axonius Pack v1.0.3 (Partner Supported)#

Integrations#

Axonius#

Updated the Docker image to: demisto/axonius:1.0.0.19245.


Azure Log Analytics Pack v1.0.9#

Integrations#

Azure Log Analytics (Beta)#

Documentation and metadata improvements.


Azure Security Center Pack v1.1.9#

Integrations#

Azure Security Center v2#
  • Added the subscription_id argument to the azure-sc-get-alert command to get an alert that is associated with a given subscription.
  • Updated the Docker image to: demisto/crypto:1.0.0.19032.

AzureSentinel Pack v1.0.10#

Integrations#

Azure Sentinel (Beta)#

Documentation and metadata improvements.


Bambenek Consulting Feed Pack v1.1.1#

Integrations#

Bambenek Consulting Feed#

Maintenance and stability enhancements.


Base Pack v1.10.23#

Scripts#

CommonServerPython#
  • Fixed an unnecessary error that was raised when searching indicators.
  • Updated the context key relationships from Relations to Relationships.
  • Improved support for relations between indicators.
  • Added the following optional fields to the Endpoint indicator:
    • Status
    • Vendor
    • IsIsolated
  • Improved implementation of the return_results method in order to handle a list of mixed result objects.
  • Added new classes to the Common class:
    • ThreatTypes
    • Publications
    • CommunityNotes
  • Added arguments to the following classes:
    • IP
    • URL
    • File
    • Domain
  • Fixed an issue in the Common class, which would cause a failure while using to_context on a list of FeedRelatedIndicators objects.
  • Fixed a bug where indicators were duplicated in server version 6.1.0 or higher when using search indicators.
  • Added the filter_fields parameter in the IndicatorsSearcher class. The parameter accepts comma-separated fields by which to filter (e.g., "name,type").
  • Maintenance and stability enhancements.
ValidateContent#
  • Increased the timeout for the script to 10 minutes.
  • Added support to run validation on single content items of all types.
  • Updated the Docker image to: demisto/xsoar-tools:1.0.0.19258.
StixParser#
  • Fixed an issue where the script occasionally failed to parse IPv6 indicators.
  • Updated the Docker image to: demisto/stix:1.0.0.19265.
FindSimilarIncidentsByText#

Maintenance and stability enhancements.

DBotFindSimilarIncidents#
  • Removes duplicates for nested fields.
  • Allows the user to use multi-select fields.
DBotMLFetchData#

Maintenance and stability enhancements.

DBotPreProcessTextData#

Added text preprocessing stage when applied on multiple inputs.

DBotPredictPhishingWords#

Updated preprocessing stage to be compatible with training.

New: CreateIndicatorRelationship#

Creates relationships between indicators. (Available from Cortex XSOAR 6.2.0).

New: SearchIndicatorRelationships#

Searches for relationships according to given arguments. (Available from Cortex XSOAR 6.2.0).

New: DeleteIndicatorRelationships#

Deletes a relationship between indicator objects based on the relationship ID. (Available from Cortex XSOAR 6.2.0).

CreateIndicatorRelationship#

Maintenance and stability enhancements.


BitcoinAbuse Feed Pack v1.0.3#

Integrations#

BitcoinAbuse Feed#

Maintenance and stability enhancements.


BlockList DE Feed Pack v1.1.1#

Integrations#

Blocklist_de Feed#

Maintenance and stability enhancements.


Blueliv (Beta) Pack v1.0.1#

Integrations#

Blueliv (Beta)#

Maintenance and stability enhancements.


BruteForce Feed Pack v1.1.1#

Integrations#

BruteForceBlocker Feed#

Maintenance and stability enhancements.


CSV Feed Pack v1.1.1#

Integrations#

CSV Feed#

Maintenance and stability enhancements.


Carbon Black Enterprise Response Pack v1.1.7#

Integrations#

VMware Carbon Black EDR#

Fixed an issue where the cb-sensor-info command returned an incorrect isolated status.


Cisco Threat Grid Pack v1.2.1#

Integrations#

Cisco Threat Grid#

Fixed an issue where empty HTTP responses were not handled correctly in the threat-grid-get-video-by-id command.


Cisco Umbrella Investigate Pack v1.0.4#

Integrations#

Cisco Umbrella Investigate#

Maintenance and stability enhancements.


CiscoFirepower Pack v1.0.4#

Integrations#

Cisco Firepower#
  • Added 2 commands:
    • ciscofp-get-url-groups-object
    • ciscofp-update-url-groups-objects
  • Added the container_uuid argument to the ciscofp-get-deployable-devices command.
  • Updated argument descriptions.
  • Updated the Docker image to: demisto/python3:3.9.4.19537.

Cloudflare Feed Pack v1.1.1#

Integrations#

Cloudflare Feed#

Maintenance and stability enhancements.


Common Playbooks Pack v1.9.4#

Playbooks#

Dedup - Generic v2#

Maintenance and stability enhancements.

Get File Sample From Path - Generic V2#

Maintenance and stability enhancements.

Get File Sample By Hash - Generic v3#

Maintenance and stability enhancements.


Common Scripts Pack v1.3.42#

Scripts#

GetIndicatorDBotScore#

Breaking Change: Support for multiple indicators is no longer available as a comma-separated string.

FeedRelatedIndicatorsWidget#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.
DBotAverageScore#

Fixed an issue where the average score calculation failed when an indicator had only one DbotScore entry.

GetDuplicatesMlv2#

Maintenance and stability enhancements.

FindSimilarIncidents#

Maintenance and stability enhancements.

StixCreator#

Improved implementation of the script in order to support future reputation options.


CrowdStrike Falcon Pack v1.2.16#

Integrations#

CrowdStrike Falcon#
  • Added the endpoint command.
  • Added Endpoint context output to the cs-falcon-search-devices command.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Cyberint Pack v1.0.6 (Partner Supported)#

Integrations#

Cyberint#
  • Retrieves alert attachments, screenshots, CSV and expert analysis reports.
  • Adds attachments to the fetch incidents parameter.

Layouts Containers#

Cyberint Incident Layout#

Improved Cyberint Incident Layout coverage.


Cylance Protect Pack v1.0.4#

Integrations#

Cylance Protect v2#

Maintenance and stability enhancements.


Cyren Threat InDepth Threat Intelligence Pack v1.5.2 (Partner Supported)#

Integrations#

Cyren Threat InDepth Threat Intelligence Feed#

Documentation and metadata improvements.

Scripts#

CyrenThreatInDepthRenderRelated#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

DHS Feed Pack v1.0.1#

Integrations#

DHS Feed#

Maintenance and stability enhancements.


DShield Feed Pack v1.1.1#

Integrations#

DShield Feed#

Maintenance and stability enhancements.


Deprecated Content Pack v1.6.8#

Integrations#

Azure Security Center (Deprecated)#

Maintenance and stability enhancements.


EWS Pack v1.8.16#

Integrations#

EWS O365#
  • Fixed an issue where some attachments were incorrectly parsed causing the fetch-incidents command to fail.
  • Updated the Docker image to: demisto/py3ews:1.0.0.19245.
O365 - Security And Compliance - Content Search (beta)#

Documentation and metadata improvements.


Exabeam Pack v2.1.0#

Integrations#

Exabeam#
  • Added the following commands:
    • exabeam-get-notable-assets
    • exabeam-get-notable-sequence-details
    • exabeam-get-notable-session-details
    • exabeam-get-sequence-eventtypes
  • Updated the Docker image to: demisto/python3:3.9.4.19537.

Expanse v2 Pack v1.4.0#

Integrations#

Expanse v2#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the User-Agent header version.

Playbooks#

New: Expanse VM Enrich#

Verifies that all assets found by Expanse are being scanned by a vulnerability management tool. (Available from Cortex XSOAR 6.0.0).


Export Indicators Pack v1.0.5#

Integrations#

Export Indicators Service#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/teams:1.0.0.19245.

Fastly Feed Pack v1.1.3#

Integrations#

Fastly Feed#

Internal code improvements.


FeodoTracker Feed Pack v1.1.2#

Integrations#

Feodo Tracker IP Blocklist Feed#
  • General documentation improvements.
  • Maintenance and stability enhancements.

Fidelis Elevate Network Pack v1.0.2#

Integrations#

Fidelis Elevate Network#

Fixed an issue where decoding non-ASCII characters caused the fetch-incidents command to fail.


FireEye HX Pack v1.0.11#

Integrations#

FireEye HX#

Maintenance and stability enhancements.


Flashpoint Pack v1.1.1 (Partner Supported)#

Integrations#

Flashpoint#
  • Added support for relationships between indicators.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Genians Pack v1.0.3 (Partner Supported)#

Integrations#

Genians#

Maintenance and stability enhancements.


GitHub Pack v1.2.4#

Integrations#

GitHub#
  • Added the GitHub-search-code command.
  • Fixed an issue in which the GitHub-search-issues command did not return more than 30 results even if the limit argument was higher.
  • Changed the maximum allowed value of the limit argument in the GitHub-search-issues command from 200 to 100 per GitHub limitation.
  • Added the branch argument to the Github-list-files command.
  • Added the SHA output to the Github-list-files command.
  • Updated the Docker image to: demisto/pyjwt3:1.0.0.19245.
GitHub IAM#
  • Added a new error type to the IAMErrors class.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Google Cloud Compute Pack v1.0.2#

Integrations#

Google Cloud Compute#

Maintenance and stability enhancements.


Google Cloud Storage Pack v1.0.1#

Integrations#

Google Cloud Storage#
  • Added the Default Bucket integration parameter.
  • Updated the Docker image to: demisto/google-cloud-storage:1.0.0.19522.

Google Safe Browsing Pack v2.0.0#

Integrations#

New: Google Safe Browsing v2#

Added the Google Safe Browsing v2 integration. This integration is backwards compatible.

Google Safe Browsing (Deprecated)#

This integration is now deprecated. Use the Google Safe Browsing v2 integration instead.


GreyNoise Pack v1.0.1 (Partner Supported)#

Integrations#

GreyNoise#
  • Added the greynoise-riot command.
  • Updated the Docker image to: demisto/greynoise:1.0.0.19143.

Hello World IAM Pack v1.0.3#

Integrations#

Hello World IAM#

Added a new error type to the IAMErrors class.


IBM QRadar Pack v2.0.4#

Integrations#

IBM QRadar v2#
  • Added an error message when running the test-module command with the integration parameters longRunning set to True and limit set to None, which is not a supported configuration.
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.
IBM QRadar v3#
  • Fixed an issue where the integration returned an invalid LinkToOffense result for offenses.
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.
IBM QRadar#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Maintenance and stability enhancements.

IBM X-Force Exchange Pack v1.1.1#

Integrations#

IBM X-Force Exchange v2#
  • Added support for relations between indicators for the file command.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Intel471 Feed Pack v1.1.4#

Integrations#

Intel471 Actors Feed#
  • Fixed an issue where the fetch-indicators command had an incorrect default value for indicator type.
  • Internal code improvements.
Intel471 Malware Feed#

Internal code improvements.


Intezer Pack v1.1.0 (Partner Supported)#

Integrations#

Intezer v2#
  • Added the ability to get the latest available report for a file.
  • Print the analysis ID so it can be used on manual cases.

Playbooks#

Intezer - Analyze by hash#

Change the file size to 150 MB.

Intezer - Analyze Uploaded file#

Change the file size to 150 MB.


JSON Feed Pack v1.1.3#

Integrations#

JSON Feed#
  • Breaking Change: The integration now validates that both configuration parameters: Indicator Type and Auto detect indicator type are not set. You may set only one of the configuration parameters at a time. Previously, if both were set, Auto detect indicator type was used and Indicator Type was silently ignored.
  • Added the Include indicator type for mapping configuration option. When using a custom classifier and mapper with this feed, use this option to include the indicator type in the raw JSON used for classification and mapping.

Kafka Pack v1.0.3#

Integrations#

Kafka v2#
  • Added the Max number of bytes per message integration parameter.
  • Updated the Docker image to: demisto/pykafka:1.0.0.19034.

MISP Pack v1.0.6#

Integrations#

MISP v2#
  • Fixed an issue where the vendor's name was not properly set in the following commands.
    • file
    • ip
    • url
  • Updated the Docker image to: demisto/pymisp:1.0.0.19190.

MITRE ATT&CK Pack v1.1.12#

Integrations#

MITRE ATT&CK Feed#

Fixed an issue where searching more than 10K indicators failed when using ElasticSearch in the mitre-reputation command.

Scripts#

MITREIndicatorsByOpenIncidents#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Machine Learning Pack v1.2.8#

Scripts#

DBotPredictOutOfTheBoxV2#
  • Updated the out-of-the-box model version.
  • Added a mechanism to update the out-of-the-box model when a newer version is released.
DBotPredictIncidentsBatch#

Maintenance and stability enhancements.


Majestic Million Feed Pack v1.1.1#

Integrations#

Majestic Million Feed#

Maintenance and stability enhancements.


MalwareDomainList Feed Pack v1.1.1#

Integrations#

Malware Domain List Active IPs Feed#

Maintenance and stability enhancements.


MaxMind GeoIP2 Pack v1.0.1#

Integrations#

MaxMind GeoIP2#

Maintenance and stability enhancements.


Microsoft Cloud App Security Pack v1.0.16#

Integrations#

Microsoft Cloud App Security#
  • Fixed an issue where the custom_filter argument was ignored in the microsoft-cas-alerts-list command.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Microsoft Graph Mail Pack v1.0.20#

Integrations#

Microsoft Graph Mail#
  • Fixed an issue where fetch incidents didn't work properly after changing the mailbox to fetch.
  • Updated the Docker image to: demisto/crypto:1.0.0.19032.

Microsoft Graph Mail Single User Pack v1.0.15#

Integrations#

Microsoft Graph Mail Single User#

Documentation and metadata improvements.


Microsoft Graph User Pack v1.3.9#

Integrations#

Microsoft Graph User#

Documentation and metadata improvements.


Microsoft Management Activity API (O365/Azure Events) Pack v1.1.11#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#

Documentation and metadata improvements.


Netcraft Pack v1.0.1#

Integrations#

Netcraft#

Maintenance and stability enhancements.


OTRS Service Management XSOAR Pack Pack v1.0.3#

Integrations#

OTRS#

Maintenance and stability enhancements.


Okta Pack v2.1.9#

Integrations#

Okta IAM#

Added a new error type to the IAMErrors class.


PAN-OS Pack v1.6.16#

Integrations#

Palo Alto Networks PAN-OS#
  • Added 2 commands:
    • panorama-install-file-content-update
    • panorama-upload-content-update-file
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Playbooks#

panorama_content_update_test#

Pulls the Panorama content update file from the shared SMB folder, uploads it to the Panorama server, and installs it. It also uploads the content file to the SCP folder for future use of the Panorama Device Deployment content updates engine which can be scheduled to pull the files automatically from the SCP server.


PagerDuty Pack v1.0.5#

Integrations#

PagerDuty v2#

Maintenance and stability enhancements.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.10#

Dashboards#

New: Cortex XDR#

(Available from Cortex XSOAR 6.0.0).

Incident Fields#

  • XDR Users
  • XDR Alert Category
  • XDR File Name
  • XDR Alert Name
  • XDR MITRE Techniques
  • XDR MITRE Tactics
  • XDR File SHA256

Integrations#

Cortex XDR - IOC#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.
Palo Alto Networks Cortex XDR - Investigation and Response#
  • Added the endpoint command.
  • Added Endpoint context output to the xdr-get-endpoints command.

Mappers#

XDR - Incoming Mapper#

Updated mapping for Cortex XDR dashboard and widgets.

Scripts#

New: XDRConnectedEndpoints#

The widget returns the number of connected endpoints using the xdr-get-endpoints command. (Available from Cortex XSOAR 6.0.0).

New: XDRDisconnectedEndpoints#

The widget returns the number of disconnected endpoints using the xdr-get-endpoints command. (Available from Cortex XSOAR 6.0.0).

Widgets#

New: Cortex XDR Active Medium Severity Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 Alerts#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Unassigned Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 MITRE Techniques#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 File SHA256#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Active High Severity Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Active Low Severity Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Unique Host Count In Active Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 Hosts#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Unique User Count In Active Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Closed Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 Categories#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 Users#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Disconnected Endpoints#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Closed Device Control Violations#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 files#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Top 10 MITRE Tactics#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Active Device Control Violations Incidents#

(Available from Cortex XSOAR 6.0.0).

New: Cortex XDR Connected Endpoints#

(Available from Cortex XSOAR 6.0.0).


Palo Alto Networks PAN-OS EDL Service Pack v1.0.15#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • Maintenance and stability enhancements.
  • Updated the Docker image from: 1.0.0.16907 to 1.0.0.19340.

Palo Alto Networks Traps Pack v1.0.4#

Integrations#

Palo Alto Traps ESM (Beta)#

Maintenance and stability enhancements.


Plain Text Feed Pack v1.1.1#

Integrations#

Plain Text Feed#

Maintenance and stability enhancements.


Popular Cybersecurity News Pack v1.0.1 (Community Contributed)#

Integrations#

Popular News#
  • Fixed an issue where the job failed due to mishandling of the context.
  • Updated the Docker image to: demisto/bs4:1.0.0.19034.

RSA Archer Pack v1.1.15#

Integrations#

RSA Archer v2#
  • Added the argument levelId to the following commands:
    • archer-create-record
    • archer-search-records
    • archer-update-record
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Scripts#

ArcherCreateIncidentExample#

Updated the Docker image to: demisto/python3:3.9.4.18682.


RSA NetWitness v11.1 Pack v1.0.2#

Integrations#

RSA NetWitness v11.1#

Fixed an issue where an empty response caused the fetch-incidents command to fail.


Rapid Breach Response Pack v1.6.3#

Playbooks#

Codecov Breach - Bash Uploader#

Added a task to find any use of Codecov bash uploader in specified Github repositories.

CVE-2021-22893 - Pulse Connect Secure RCE#

On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks:

  • Enriches related known CVEs and malware hashes used by the suspected APT actor.
  • Searches for unpatched endpoints vulnerable to the exploits.
  • Searches network facing systems using Expanse for relevant issues.
  • Indicators and known webshells hunting using SIEM products.
  • Blocks indicators automatically or manually.
  • Provides different mitigations that have been publicly published such as:
    • Patches
    • Workarounds
    • Yara and Snort rules

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information: Exploitation of Pulse Connect Secure Vulnerabilities


RecordedFuture v2 Pack v1.1.1 (Partner Supported)#

Integrations#

Recorded Future v2#
  • Added CPE information and related links to the outputs of the recordedfuture-intelligence command.
  • Updated the Docker image to: demisto/python3:3.9.4.19537.

Salesforce Pack v1.0.6#

Integrations#

Salesforce IAM#

Added a new error type to the IAMErrors class.


SentinelOne Pack v2.0.0#

Integrations#

SentinelOne v2#
  • Breaking Change: in the following commands due to changes in the SentinelOne API:
    • sentinelone-get-hash - Removed the SentinelOne.Hash.Classification and the SentinelOne.Hash.Classification Source command outputs.
    • sentinelone-threat-summary - Added new command outputs. This command is executable for API version 2.1 only.
    • sentinelone-list-agents and sentinelone-get-agent - Fixed a typo in the IsDecommissioned output.
  • Added the api_version integration parameter to support both SentinelOne API versions: 2.0 and 2.1.
  • You can now provide a comma-separated list of agent IDs as the agent_id argument in the sentinelone-get-agent command.
  • Added the following outputs to the sentinelone-get-threats command:
    • SentinelOne.Threat.FileSha256 - Provides the SHA256 hash of the file content.
    • SentinelOne.Threat.ConfidenceLevel - Provides the SentinelOne threat confidence level.
    • SentinelOne.Threat.ClassificationSource - Provides the source of the threat classification.
  • Fixed an issue where the sentinelone-get-processes command returned all event types rather than the process type.
  • Fixed an issue where the sentinelone-uninstall-agent command would shutdown an agent instead of uninstall it.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

ServiceNow Pack v2.1.21#

Integrations#

ServiceNow v2#
  • Fixed an issue where an incorrect error occurred when running the servicenow-create-ticket command.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.
ServiceNow IAM#

Added a new error type to the IAMErrors class.


Slack Pack v1.3.19#

Integrations#

Slack v2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/slack:1.0.0.19258.
Slack IAM#

Added a new error type to the IAMErrors class.


Spamhaus Feed Pack v1.1.1#

Integrations#

Spamhaus Feed#

Maintenance and stability enhancements.


Splunk Pack v2.0.2#

Integrations#

SplunkPy#
  • Improved implementation of the splunk-kv-store-collection-add-entries command to upload a list of entries.
  • Updated the Docker image to: demisto/splunksdk:1.0.0.19034.

Symantec Advanced Threat Protection Pack v1.1.3#

Integrations#

Symantec Advanced Threat Protection#
  • Fixed an issue where the fetch-incident process did not work properly when the integration parameter Incident data source was set to events type.

TAXII Server Pack v1.0.4#

Integrations#

TAXII Server#
  • Changed the empty host parameter to 0.0.0.0 for WSGIServer creation.
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Fixed an issue where a new Docker image caused the integration to fail.
  • Updated the Docker image to: demisto/taxii-server:1.0.0.19454.

TheHive Project Pack v1.1.1 (Community Contributed)#

Integrations#

TheHive Project#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.4.19537.

Thinkst Canary Pack v1.0.2#

Integrations#

Thinkst Canary#

Maintenance and stability enhancements.


Threat Intelligence Management Pack v1.0.2#

Scripts#

ThreatIntelManagementGetIncidentsPerFeed#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Tidy Pack v1.0.3#

Integrations#

Tidy#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/tidy:1.0.0.19274.

Playbooks#

Content developer setup#

Maintenance and stability enhancements.


Trello Pack v1.0.1 (Community Contributed)#

Integrations#

Trello#

Maintenance and stability enhancements.


URLhaus Pack v1.0.3#

Integrations#

URLhaus#
  • Fixed an issue where the url command occasionally failed.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Urlscan.io Pack v1.1.5#

Integrations#

urlscan.io#
  • Breaking Change: Updated the context key of relationships from Relations to Relationships.
  • Added verbose integration description.
  • Maintenance and stability enhancements.

Scripts#

UrlscanGetHttpTransactions#

Updated comment.


VMRay Pack v1.0.1#

Integrations#

VMRay#
  • Fixed an issue where the error message was not clear when uploading a file which was previously analyzed without the reanalyze argument in the vmray-upload-sample command.
  • Updated the Docker image to: demisto/python:2.7.18.18413.

VirusTotal Pack v2.0.5#

Integrations#

VirusTotal - Premium (API v3)#

Maintenance and stability enhancements.


Whois Pack v1.2.3#

Integrations#

Whois#

Fixed an issue where the following commands had malformed DBotScore outputs.

  • whois
  • domain

Workday Pack v1.1.1#

Integrations#

Workday IAM#
  • Fixed an issue where searching more than 10K indicators failed when using ElasticSearch.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Zscaler Pack v1.1.3#

Integrations#

Zscaler#

Fixed an issue where the zscaler-get-categories command failed on KeyError.


iDefense Pack v3.0.4#

Integrations#

iDefense Feed#

Internal code improvements.


Assets#