Cortex XSOAR Content Release Notes for version 21.5.1 (363406)

Published on 25 May 2021

Breaking Changes
The following packs include breaking changes (each change is marked "Breaking Change" in the pack's entry below): Base, Threat Crowd, Urlscan.io.
New: Confluera Pack v1.0.0 (Partner Supported)

Dashboards
- Confluera Dashboard: Confluera Iqhub Dashboard.

Incident Types
- Confluera Incident

Integrations
- Confluera: Fetches real-time data (detections and progressions) from Confluera.

Layouts
- Confluera Layout (Available from Cortex XSOAR 6.0.0).

Playbooks
- IQ-HUB Automation: Retrieves real-time detections and progressions data generated by events on the different systems present in the network.

Reports
- IQ-Hub Report: Confluera Iqhub report.

Scripts
- ConflueraDetectionsCount: Logs the detections count.
- ConflueraDetectionsData: Logs detections data (detection vs. risk contribution).
- ConflueraDetectionsDataWarroom: Logs detections data (detection vs. risk contribution).
- ConflueraDetectionsSummary: Logs detections data (categories of detections).
- ConflueraDetectionsSummaryWarroom: Logs detections data (categories of detections).
- ConflueraProgressionsCount: Logs the progressions count.
- ConflueraProgressionsData: Logs progressions data (progression vs. risk score).
- ConflueraProgressionsDataWarroom: Logs progressions data (progression vs. risk score).
- IqHubLog: Logs detection and progression counts, with links to Confluera's IQ-Hub portal, in tabular format.

Widgets
- Confluera Detections Count: Logs the detections count.
- Confluera Detections Data: Logs detections data (detection vs. risk contribution).
- Confluera Detections Summary: Logs detections data (categories of detections).
- IQ-HUB Log: Logs detection and progression counts, with links to Confluera's IQ-Hub portal.
- Confluera Progressions Count: Logs the progressions count.
- Confluera Progressions Data: Logs progressions data (progression vs. risk score).
New: Group-IB Threat Intelligence & Attribution Pack v1.0.0 (Partner Supported)

Classifiers
- Group-IB Threat Intelligence & Attribution (classifier)
- Group-IB Threat Intelligence & Attribution (mapper)

Incident Fields
- GIB CVV
- GIB Card Issuer
- GIB Card Number
- GIB Card Type
- GIB Card Valid Thru
- GIB Compromised Login
- GIB Data Hash
- GIB Date Compromised
- GIB Date Created
- GIB Date of Detection
- GIB Downloaded From
- GIB Drop Email
- GIB Drop Email Domain
- GIB ID
- GIB Inject Dump
- GIB Inject MD5
- GIB Leaked Data
- GIB Leaked File Name
- GIB Link List
- GIB Malware Name
- GIB Matches
- GIB Password
- GIB Payment System
- GIB Phishing Date Blocked
- GIB Phishing Kit Emails
- GIB Phishing Kit Hash
- GIB Phishing Status
- GIB Portal Link
- GIB Related Indicators Data
- GIB Repository
- GIB Revisions
- GIB Severity
- GIB Source
- GIB Target Brand
- GIB Target Category
- GIB Target Domain
- GIB Threat Actor ID
- GIB Threat Actor Name
- GIB Threat Actor is APT
- GIB Victim IP

Incident Types
- GIB Brand Protection Phishing
- GIB Brand Protection Phishing Kit
- GIB Compromised Account
- GIB Compromised Card
- GIB OSI Git Leak
- GIB OSI Public Leak
- GIB Targeted Malware

Indicator Fields
- GIB CVSS Vector
- GIB Collection
- GIB Date Compromised
- GIB File Name
- GIB ID
- GIB Malware Name
- GIB Phishing Title
- GIB Proxy Anonymous
- GIB Proxy Port
- GIB Software Mixed
- GIB Target Brand
- GIB Target Category
- GIB Target Domain
- GIB Threat Actor ID
- GIB Threat Actor Name
- GIB Threat Actor is APT

Indicator Types
- reputation-GIB_Compromised_IMEI
- reputation-GIB_Compromised_Mule
- reputation-GIB_Victim_IP

Integrations
- Group-IB Threat Intelligence & Attribution: Fetches incidents directly into Cortex XSOAR. The included collections are:
  - Compromised Accounts
  - Compromised Cards
  - Brand Protection Phishing
  - Brand Protection Phishing Kit
  - OSI Git Leak
  - OSI Public Leak
  - Targeted Malware
- Group-IB Threat Intelligence & Attribution Feed: Fetches IOCs from various Group-IB collections.

Layouts
The layouts are available from Cortex XSOAR 6.0.0.
- GIB Brand Protection Phishing Kit Layout
- GIB Brand Protection Phishing Layout
- GIB Compromised Account Layout
- GIB Compromised Card Layout
- GIB Compromised IMEI Layout
- GIB Compromised Mule Layout
- GIB OSI Git Leak Layout
- GIB OSI Public Leak Layout
- GIB Targeted Malware Layout
- GIB Victim IP Layout

Playbooks
- Incident Postprocessing - Group-IB Threat Intelligence & Attribution: Obtains additional information on the threat actor involved in the incident and associates related indicators with the incident.
New: Netscout Arbor Sightline Pack v1.0.0

Classifiers
- Netscout Arbor Sightline - Incoming Mapper

Incident Fields
- Netscout Arbor Sightline Alert Type

Incident Types
- Netscout Arbor Sightline Alert

Integrations
- Netscout Arbor Sightline (Peakflow): DDoS protection and network visibility.

Layouts
- Netscout Arbor Sightline Alert (Available from Cortex XSOAR 6.0.0).
New: Quantum Security Systems Pack v1.0.0 (Partner Supported)

Classifiers
- QSS Classifier: Classifies QSS SOC Monitoring cases by their category.
- QSS Mapper: Maps the fields of incoming QSS SOC Monitoring cases.

Incident Fields
- QSS Case Acknowledged
- QSS Case Assets
- QSS Case Assignee
- QSS Case Category
- QSS Case Created By
- QSS Case Creation Date
- QSS Case Description
- QSS Case False Positive
- QSS Case ID
- QSS Case IOCs
- QSS Case Last Update
- QSS Case Notes
- QSS Case Number
- QSS Case Severity
- QSS Case Status
- QSS Case Sub Category
- QSS Case TLP
- QSS Case Tags
- QSS Case Title
- QSS Custom Attribute

Incident Types
- QSS SOC Monitoring

Integrations
- QSS: Fetches cases from Q-SCMP and automatically creates them as new cases in Cortex XSOAR.

Layouts
- QSS SOC Monitoring Layout (Available from Cortex XSOAR 6.0.0).
New: SendGrid Pack v1.0.0 (Community Contributed)

Integrations
- SendGrid: SendGrid is a cloud-based email delivery service that lets companies track email opens, unsubscribes, bounces, and spam reports. This pack uses those SendGrid capabilities to help you send and manage your emails.

New: TrustwaveSEG Pack v1.0.0

Integrations
- Trustwave Secure Email Gateway: Trustwave SEG is a secure messaging solution that protects businesses and users from email-borne threats, including phishing, blended threats, and spam. It also delivers improved policy enforcement and data leakage prevention.

New: XSOAR Lab Updates Pack v1.0.0 (Community Contributed)

Playbooks
- NewPacksNotifier: Sends updates on newly released packs to a Slack channel.

Scripts
- BuildSlackBlocksFromIndex: Extracts index.zip, filters out the packs that are new since the last run, and builds the Slack message for them.
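The "new packs since the last run" step that BuildSlackBlocksFromIndex describes, written out as an added example; this is not the XSOAR Lab Updates pack's own code. It assumes an index.zip that contains an index.json of the form {"packs": [{"id", "name", "created", "description"}]} and that the state carried between runs is the set of pack IDs already announced; both are assumptions, since the page does not show the script's input format. The sample index is constructed in memory so the block runs offline.

```python
"""Diff a marketplace index.zip against the previously announced packs and
build Slack Block Kit messages for the new ones (added example, not the
pack's own code; index.json layout and the announced-ID state are assumed)."""
import io
import json
import zipfile
from typing import Dict, Iterable, List, Set, Tuple

# Slack rejects a message with more than 50 blocks; one block is the header.
MAX_BLOCKS_PER_MESSAGE = 50
PACKS_PER_MESSAGE = MAX_BLOCKS_PER_MESSAGE - 1


def build_index_zip(packs: Iterable[Dict]) -> bytes:
    """Constructed fixture: zips an index.json of the assumed shape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.json", json.dumps({"packs": list(packs)}))
    return buf.getvalue()


def load_index(zip_bytes: bytes) -> List[Dict]:
    """Extracts index.json from the zip entirely in memory; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        with zf.open("index.json") as fh:
            index = json.load(fh)
    return index.get("packs", [])


def find_new_packs(packs: List[Dict], announced: Set[str]) -> List[Dict]:
    """Packs whose ID has not been announced before, oldest first.
    Keying on the ID rather than the display name avoids re-announcing a renamed pack."""
    new = [p for p in packs if p["id"] not in announced]
    return sorted(new, key=lambda p: (p.get("created", ""), p["id"]))


def build_slack_messages(new_packs: List[Dict]) -> List[Dict]:
    """One Block Kit payload per 49 packs so no message exceeds 50 blocks."""
    messages = []
    for start in range(0, len(new_packs), PACKS_PER_MESSAGE):
        chunk = new_packs[start:start + PACKS_PER_MESSAGE]
        blocks = [{"type": "header",
                   "text": {"type": "plain_text", "text": f"{len(new_packs)} new content pack(s)"}}]
        for p in chunk:
            text = f"*{p['name']}* (`{p['id']}`, created {p.get('created', 'n/a')})"
            if p.get("description"):
                text += f"\n{p['description']}"
            # Section text is capped at 3000 characters by Slack.
            blocks.append({"type": "section", "text": {"type": "mrkdwn", "text": text[:3000]}})
        messages.append({"blocks": blocks})
    return messages


def run(zip_bytes: bytes, announced: Set[str]) -> Tuple[List[Dict], Set[str]]:
    """One scheduled run: returns the messages to post and the updated
    announced set to persist for the next run (in XSOAR an XSOAR List would hold it)."""
    new_packs = find_new_packs(load_index(zip_bytes), announced)
    return build_slack_messages(new_packs), announced | {p["id"] for p in new_packs}


if __name__ == "__main__":
    sample = build_index_zip([
        {"id": "Confluera", "name": "Confluera", "created": "2021-05-20T00:00:00Z"},
        {"id": "SendGrid", "name": "SendGrid", "created": "2021-05-18T00:00:00Z"},
        {"id": "Base", "name": "Base", "created": "2019-01-01T00:00:00Z"},
    ])
    msgs, state = run(sample, {"Base"})
    print(json.dumps(msgs, indent=2), sorted(state))
```

Persisting the announced IDs rather than a timestamp makes the run idempotent: re-running against the same index produces no messages, and a pack whose "created" value is missing or malformed is still announced exactly once.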
New: iLert Pack v1.0.0 (Partner Supported)

Integrations
- iLert: Alerts and notifies users.
Advanced Filter Pack v1.1.3 (Community Contributed)

Scripts
- ExtFilter: Added the "is collectively transformed with" operator.

Analyst1 Pack v1.0.7 (Partner Supported)

Playbooks
- Illuminate Integration Demonstration: Updated with the "deprecated" field.

AutoFocus Pack v1.2.0

Integrations
- Palo Alto Networks AutoFocus v2:
  - Added the polling argument to the following commands:
    - autofocus-search-samples
    - autofocus-search-sessions
    - autofocus-top-tags-search
    When polling is used, the command re-schedules itself until the search completes and then returns the results, so a single command can search AutoFocus without the GenericPolling playbook.
  - Updated the Docker image from 3.9.4.18682 to 3.9.5.20070.

Base Pack v1.11.0

Scripts
- GetIncidentsByQuery:
  - Improved the implementation of the script to consume less memory.
  - Updated the Docker image to: demisto/python3:3.9.4.18682.
- SearchIndicatorRelationships: Maintenance and stability enhancements.
- DeleteIndicatorRelationships: Maintenance and stability enhancements.
- CreateIndicatorRelationship: Maintenance and stability enhancements.
- CommonServerPython:
  - Breaking Change: Fixed an issue where the Email context indicator class created the context with the wrong prefix ('EMAIL' instead of 'Email'). Note: this breaks backward compatibility for the email command in the IPQualityScore and Threat Crowd v2 integrations; playbooks and scripts that read the 'EMAIL' context key produced by those commands must be updated to read 'Email'.
  - Added the entry_type field to the CommandResults constructor. None defaults to EntryType.NOTE, as it did before this argument was added.
  - Added the ScheduledCommand class, to be used with CommandResults.scheduled_command to configure a command to poll.
  - Maintenance and stability enhancements.
- New: DBotTrainClustering: Trains a clustering model on any incident type.
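The polling pattern that the ScheduledCommand entry above introduces (and that the AutoFocus polling argument builds on), as an added example; this is not CommonServerPython's code or the AutoFocus integration's code. The two stand-in classes mirror only the constructor arguments of CommonServerPython's ScheduledCommand (command, next_run_in_seconds, args, timeout_in_seconds) and the CommandResults fields this pattern uses, so the block runs outside XSOAR; the search backend, the command name example-search-samples and the query syntax are constructed for the example.

```python
"""One command that either returns results or schedules its own re-run
(added example; ScheduledCommand/CommandResults stand-ins and the search
backend are assumptions, not CommonServerPython's real classes)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class ScheduledCommand:
    """Stand-in with the documented constructor arguments: the command to
    re-run, the delay before it, the args to pass, and an overall timeout."""
    command: str
    next_run_in_seconds: int
    args: Optional[Dict[str, Any]] = None
    timeout_in_seconds: Optional[int] = None


@dataclass
class CommandResults:
    """Stand-in for the CommandResults fields used here. A non-None
    scheduled_command tells the server to run the command again later."""
    readable_output: str = ""
    outputs_prefix: Optional[str] = None
    outputs: Any = None
    scheduled_command: Optional[ScheduledCommand] = None


class FakeSearchBackend:
    """Constructed asynchronous search service: a search reports 'complete'
    only on the Nth status check, which is what forces polling."""

    def __init__(self, checks_until_done: int, results: List[Dict[str, Any]]):
        self.checks_until_done = checks_until_done
        self.results = results
        self.submits = 0
        self.checks = 0

    def submit(self, query: str) -> str:
        self.submits += 1
        return f"search-{self.submits}"

    def status(self, search_id: str) -> Dict[str, Any]:
        self.checks += 1
        if self.checks >= self.checks_until_done:
            return {"status": "complete", "results": self.results}
        return {"status": "in progress", "results": []}


POLL_INTERVAL_SECONDS = 30
POLL_TIMEOUT_SECONDS = 600


def search_samples_command(client: FakeSearchBackend, args: Dict[str, Any]) -> CommandResults:
    """Handles both the analyst's first call and every scheduled re-run.
    The search_id travels inside the scheduled args, so the search is
    submitted once and no GenericPolling loop is needed to carry state."""
    search_id = args.get("search_id")
    if not search_id:
        search_id = client.submit(args["query"])  # first run: start the search
    state = client.status(search_id)
    if state["status"] != "complete":
        return CommandResults(
            readable_output=f"Search {search_id} is still running.",
            scheduled_command=ScheduledCommand(
                command="example-search-samples",  # hypothetical command name
                next_run_in_seconds=POLL_INTERVAL_SECONDS,
                args={"query": args.get("query"), "search_id": search_id, "polling": "true"},
                timeout_in_seconds=POLL_TIMEOUT_SECONDS,
            ),
        )
    return CommandResults(
        readable_output=f"Search {search_id} returned {len(state['results'])} result(s).",
        outputs_prefix="Example.SearchResult",
        outputs=state["results"],
    )


def run_until_complete(client: FakeSearchBackend, args: Dict[str, Any],
                       max_reruns: int = 20) -> Tuple[CommandResults, int]:
    """Plays the server's role: re-invokes the command with the scheduled args
    until nothing further is scheduled. max_reruns stands in for the
    timeout_in_seconds the real server enforces. Returns the final result and
    how many re-runs it took."""
    result = search_samples_command(client, args)
    reruns = 0
    while result.scheduled_command is not None:
        if reruns >= max_reruns:
            raise TimeoutError("search did not complete before the polling limit")
        reruns += 1
        result = search_samples_command(client, result.scheduled_command.args)
    return result, reruns


if __name__ == "__main__":
    backend = FakeSearchBackend(checks_until_done=3, results=[{"sha256": "a" * 64}])
    final, reruns = run_until_complete(backend, {"query": "tag:Example"})
    print(final.readable_output, "after", reruns, "re-run(s)")
```

The point a practitioner wants to check is that the first run is the only one that submits a search: every later run receives the search_id back from the scheduled args and only checks status, and the timeout bounds how long a stuck search keeps a command re-scheduling.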
Campaign Pack v1.1.0

Scripts
- FindEmailCampaign: Added the ability to store additional data in the output context. The fields specified in the fieldsToDisplay argument are now also available in the output context.

Carbon Black Endpoint Standard Pack v2.0.0

Classifiers
- New: Carbon Black Endpoint Standard: Carbon Black Endpoint Standard Classifier (Available from Cortex XSOAR 5.5.0).

Incident Fields
- Carbon Black ES Alert Severity
- Carbon Black ES First Event Time
- Carbon Black ES IOC Hit
- Carbon Black ES IOC Id
- Carbon Black ES Last Event Time
- Carbon Black ES Process Id
- Carbon Black ES Process Name
- Carbon Black ES Report Name
- Carbon Black ES Reputation
- Carbon Black ES Target Value
- Carbon Black ES Threat Category
- Carbon Black ES Threat Id
- Carbon Black ES Vector
- Carbon Black ES Report ID

Incident Types
- New: Carbon Black Endpoint Standard Incident

Integrations
- VMware Carbon Black Endpoint Standard (Deprecated): VMware Carbon Black Endpoint Standard (formerly known as Carbon Black Defense) is a next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks, and ransomware. (Available from Cortex XSOAR 5.5.0).

Layouts
- New: Carbon Black Endpoint Standard Incoming Layout
- Carbon Black Endpoint Standard Layout (layouts container) (Available from Cortex XSOAR 6.0.0)
- Carbon Black Endpoint Standard Layout (layout details) (Available from Cortex XSOAR 5.5.0)

Mappers
- New: Carbon Black Endpoint Standard Incoming Mapper: Carbon Black Endpoint Standard Mapper (Available from Cortex XSOAR 6.0.0).

Playbooks
- New: Carbon Black Endpoint Standard Find Event Details: Receives event IDs and returns details about the events.
- New: Carbon Black Endpoint Standard Find Events: Finds events using a search query (or device_id, etc.) and returns a list of events with general information. For detailed information about an event, use the Find Event Details playbook with an event ID.
- New: Carbon Black Endpoint Standard Find Processes: Finds processes using a search query (or device_id, etc.) and returns a list of processes.
Cisco Threat Grid Pack v1.2.3

Integrations
- Cisco Threat Grid:
  - Fixed an issue where the threat-grid-get-analysis-iocs command returned an error when there were no indicators, or indicators without a score.
  - Fixed an issue where the threat-grid-get-samples command did not apply filters correctly.

Common Playbooks Pack v1.9.6

Playbooks
- Extract Indicators From File - Generic v2: Fixed an issue where the playbook failed when running on .xlsb files.
- Dedup - Generic v2: Updated the playbook to include the deprecated field.

Common Scripts Pack v1.3.51

Scripts
- IsMaliciousIndicatorFound: Fixed an issue where malicious domains were ignored.
- FindSimilarIncidents: Improved query performance when using the hoursBack flag.
- ExampleJSScript: Changed the HTTP example to work with http://www.paloaltonetworks.com.
- EmailAskUserResponse: Fixed an issue where the script failed to parse the response when the email had an image embedded in it.
- New: ExtractEmailV2:
  - Formatting script that verifies that an email address is valid and returns the address only if it is valid. (Available from Cortex XSOAR 5.5.0).
  - Maintenance and stability enhancements.
- GetIndicatorDBotScore: Fixed an issue where the vendor score was ignored.
- PcapHTTPExtractor:
  - Fixed an issue where the automation failed to extract pcap files.
  - Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.20132.
Common Types Pack v2.9.4

Incident Fields
- Tags
- Alert Category
- Policy ID
- Last Update Time
- Device Username
- Comment
- Changed
- Description
- Classification
- Is Active

Indicator Fields
- Description: Created an association between the Description field and the following indicator types:
  - Campaign
  - Course of Action
  - Infrastructure
  - Intrusion Set
- Primary Motivation: Created an association between the Primary Motivation field and the Intrusion Set indicator type.
- STIX ID: Created an association between the STIX ID field and the following indicator types:
  - Campaign
  - Course of Action
  - Infrastructure
  - Intrusion Set

New Indicator Fields
- Resource Level
- Secondary Motivations
- Goals
- Kill Chain Phases
- Action
- Aliases
- Infrastructure Types
- Objective

Indicator Types
- Intrusion Set
- urlRep: Added support for apostrophes when extracting URLs.
- emailRep:
  - Added the ExtractEmailV2 formatting script.
  - Maintenance and stability enhancements.

Layouts
- New: Infrastructure: Added a new layout for the Infrastructure indicator type.
- New: Campaign: Added a new layout for the Campaign indicator type.
- New: Course of Action: Added a new layout for the Course of Action indicator type.
- New: Intrusion Set: Added a new layout for the Intrusion Set indicator type.
Cylance Protect Pack v1.0.6

Integrations
- Cylance Protect v2: Fixed an issue where the DBotScore and File context data were not parsed correctly for the following commands:
  - cylance-protect-get-device-threats
  - cylance-protect-get-threats
  - cylance-protect-get-list
  - cylance-protect-download-threat

Playbooks
- Get File Sample By Hash - Cylance Protect: Playbook was updated with the deprecated field.

Deprecated Content Pack v1.6.9

Playbooks
The following playbooks were updated with the deprecated field:
- Account Enrichment
- Account Enrichment - Generic
- Account Enrichment - Generic v2
- Add Indicator to Miner - Palo Alto MineMeld
- Block File - Generic
- Block IP - Generic
- Block Indicators - Generic
- Calculate Severity - Critical assets
- Calculate Severity - Generic
- Carbon Black Rapid IOC Hunting
- Checkpoint Firewall Configuration Backup Playbook
- CrowdStrike Rapid IOC Hunting
- DBot Create Phishing Classifier
- DBot Create Phishing Classifier Job
- DeDup incidents
- DeDup incidents - ML
- Dedup - Generic
- Demisto Self-Defense - Account policy monitoring playbook
- Domain Enrichment - Generic
- Email Address Enrichment - Generic
- Email Address Enrichment - Generic v2
- Endpoint Enrichment - Generic
- Endpoint Enrichment - Generic v2
- Endpoint data collection
- Enrich DXL with ATD verdict
- Enrich McAfee DXL using 3rd party sandbox
- Enrichment Playbook
- Entity Enrichment - Generic
- ExtraHop - Ticket Tracking
- Extract Indicators - Generic
- Extract Indicators From File - Generic
- Failed Login Playbook - Slack v2
- Failed Login Playbook With Slack
- File Enrichment - Generic
- Get File Sample By Hash - Generic
- Get Mails By Folder Pathes
- Hunt Extracted Hashes
- Hunt for bad IOCs
- Hunting C&C Communication Playbook
- IP Enrichment - Generic
- Incident Enrichment
- Malware Investigation - Generic
- Malware Investigation - Generic - Setup
- Malware Playbook - Manual
- McAfee ePO Endpoint Compliance Playbook
- McAfee ePO Endpoint Connectivity Diagnostics Playbook
- McAfee ePO Repository Compliance Playbook
- PAN-OS - Block IP and URL - External Dynamic List
- PAN-OS EDL Setup
- PAN-OS EDL Setup v2
- PANW - Hunting and threat detection by indicator type
- PANW - Hunting and threat detection by indicator type V2
- Palo Alto Networks - Endpoint Malware Investigation v2
- PanoramaCommitConfiguration
- PanoramaQueryTrafficLogs
- Phishing Investigation - Generic
- Phishing Playbook - Automated
- Process Email
- Process Email - Add custom fields
- QRadar - Get offense correlations
- Rapid IOC Hunting Playbook
- Search Endpoints By Hash - Carbon Black Response
- Search Endpoints By Hash - Generic
- URL Enrichment - Generic
- Vulnerability Handling - Qualys (also added custom fields to the default layout)
EWS Pack v1.8.17

Integrations
- EWS O365:
  - Fixed an issue where item IDs did not appear in the output table.
  - Updated the Docker image to: demisto/py3ews:1.0.0.19794.

Endace Pack v1.1.2 (Partner Supported)

Playbooks
- Endace Search Archive Download PCAP: Playbook was updated with the deprecated field.
- Endace Search Archive and Download: Playbook was updated with the deprecated field.

Expanse v2 Pack v1.4.1

Integrations
- Expanse v2:
  - Maintenance and stability enhancements.
  - Updated the Docker image to: demisto/python3:3.9.4.19537.

Export Indicators Pack v1.0.6

Integrations
- Export Indicators Service:
  - Fixed an issue where the long-running instance failed to start.
  - Updated the Docker image to: demisto/teams:1.0.0.19340.

GitHub Pack v1.2.7

Integrations
- GitHub:
  - Added the following commands:
    - GitHub-list-team-members
    - Github-get-check-run, which gets the check-run details of a PR.
    - GitHub-list-branch-pull-requests
  - Added the ability to fetch pull requests as incidents.

Google Safe Browsing Pack v2.0.1

Integrations
- Google Safe Browsing v2:
  - Fixed an issue where the url command returned an error when no results were found.
  - Updated the Docker image to: demisto/python3:3.9.5.20070.

GreyNoise Pack v1.0.2 (Partner Supported)

Integrations
- GreyNoise: Added the GreyNoise Community integration.

IBM QRadar Pack v2.0.5

Playbooks
- QRadar Indicator Hunting: Playbook was updated with the "deprecated" field.

Infoblox Pack v1.0.3

Integrations
- Infoblox: Updated the integration README and detailed description.

Intel471 Feed Pack v1.2.1 (Partner Supported)

Integrations
- Intel471 Malware Feed:
  - Updated feed images.
  - Documentation and metadata improvements.
- Intel471 Actors Feed:
  - Updated feed images.
  - Documentation and metadata improvements.

Ipinfo Pack v2.0.0

Integrations
- ipinfo: Replaced with IPinfo v2. See IPinfo v2 below for the list of new features and improvements.
- New: IPinfo v2: Uses the IPinfo.io API to get data about an IP address.
  - Improved data parsing to context.
  - Allows setting source reliability.
  - Allows using an API token from credentials.
  - Allows setting a base URL.
  - Enriches data with IP-hostname relationships.
MISP Pack v1.0.9

Integrations
- MISP v2:
  - Fixed an issue where the integration failed on a TypeError.
  - Added the misp-search-attributes command, which searches MISP by the specified attributes.
  - Fixed an issue in the misp-search-attributes command where the raw response from MISP was modified.

Manage Engine Service Desk Plus Pack v2.0.0

Integrations
- Service Desk Plus:
  - Added support for on-premises Service Desk Plus requests.
  - Updated the Docker image to: demisto/python3:3.9.4.19537.

Manage Engine Service Desk Plus (On-Premise) Pack v1.0.1

Integrations
- Service Desk Plus (On-Premise) (Deprecated):
  - This integration is now deprecated. Use the Service Desk Plus pack instead.
  - Updated the Docker image to: demisto/python3:3.9.4.19537.

Microsoft Cloud App Security Pack v1.0.17

Integrations
- Microsoft Cloud App Security: Fixed an incorrect example given for the custom_filter integration parameter.

Microsoft Teams Pack v1.1.8

Integrations
- Microsoft Teams:
  - Improved handling of failures when deserializing objects from the integration cache.
  - Updated the Docker image to: demisto/teams:1.0.0.19340.

PCAP Analysis Pack v2.4.0

Layouts
- PCAP Analysis Incident: Added a new section that shows the carved (extracted) files.

Playbooks
- PCAP File Carving:
  - Checks, via a playbook input, whether to auto-enrich the carved files.
  - Extended the playbook's file outputs.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.11

Incident Fields
- XDR Similar Incidents

Layouts
- Cortex XDR Incident: Updated the layout with a new section for similar incidents.

Playbooks
- Cortex XDR incident handling v3: Added a new machine learning script that searches for similar incidents by shared incident fields and indicators.

Palo Alto Networks PAN-OS EDL Service Pack v2.0.0

Integrations
- Palo Alto Networks PAN-OS EDL Service:
  - New: Support for using NGINX as a front-end reverse proxy. NGINX now runs inside the Docker container, caches responses, and handles incoming requests directly.
  - Updated the Docker image to: demisto/flask-nginx:1.0.0.20328.
Palo Alto Networks WildFire Pack v1.3.4

Integrations
- Palo Alto Networks WildFire v2:
  - Fixed an issue where the integration failed with a "local variable 'url' referenced before assignment" error.
  - Updated the Docker image to: demisto/python3:3.9.5.20070.

Perch Pack v1.0.2

Integrations
- Perch: Maintenance and stability enhancements.

Phish.AI Pack v1.0.2 (Partner Supported)

Playbooks
- Detonate URL - Phish.AI: Playbook was updated with the "deprecated" field.

Proofpoint Threat Response (Beta) Pack v1.0.3

Integrations
- Proofpoint Threat Response (Beta):
  - Fixed an issue where duplicate incidents were created and other incidents were missed.
  - Added the following parameters:
    - fetch_limit
    - fetch_delta
  - Changed the first_fetch parameter to accept a relative time.

Rasterize Pack v1.0.8

Integrations
- Rasterize:
  - Maintenance and stability enhancements.
  - Updated the Docker image to: demisto/chromium:1.0.0.19696.

Recorded Future Feed Pack v1.0.9

Integrations
- Recorded Future RiskList Feed:
  - Fixed an issue where the fetch-indicators command did not fetch all the indicators.
  - Updated the Docker image to: demisto/python3:3.9.5.20070.

ServiceNow Pack v2.1.22

Integrations
- ServiceNow v2: Fixed an issue where setting the system_params argument to "sysparm_exclude_reference_link=true" caused an error in the servicenow-query-tickets command.
SlashNext Phishing Incident Response - Annual Subscription (Direct Subscription) Pack v1.2.0 (Partner Supported)

Playbooks
- New: Abuse Inbox Management Detect & Respond: When combined with the SlashNext Abuse Inbox Management Protection playbook, this playbook fully automates the identification and remediation of phishing emails found in Microsoft 365 user inboxes. Using the indicators of compromise (URL, domain, and IP) found in the original email, it searches for and remediates other emails containing the same IOCs.
- New: Online Brand Protection Detect and Respond: Analyzes the domains and URLs in suspicious emails reported by end users to determine whether the phishing campaign is impersonating your company's brand. The playbook can then send a domain takedown email, with forensic evidence, to a target address.
- New: Abuse Inbox Management Protection: Analyzes the URLs, domains, and IPs in suspicious emails reported by end users, and returns a binary verdict (malicious or benign) together with forensic information: a screenshot of the attack page, threat name and type, threat status, and first/last seen dates.

Scripts
- New: BrandImpersonationDetection: Analyzes the forensic data to detect brand impersonation attacks. Modify this file with the attributes associated with your company's brand.

TCPIPUtils (Deprecated) Pack v1.0.1

Integrations
- TCPIPUtils (Deprecated): Deprecated the integration because the service is no longer functional.

TIM - Indicator Auto-Processing Pack v1.1.7

Playbooks
- TIM - Run Enrichment For Url Indicators: Fixed incorrect playbook input descriptions.
- TIM - Run Enrichment For Domain Indicators: Fixed incorrect playbook input descriptions.
- TIM - Run Enrichment For Hash Indicators: Fixed incorrect playbook input descriptions.
- TIM - Run Enrichment For IP Indicators: Fixed incorrect playbook input descriptions.

Telegram (Beta) Pack v1.0.2

Integrations
- Telegram (Beta): Added the proxy integration parameter.

Threat Crowd Pack v2.0.1

Integrations
- Threat Crowd (Deprecated): Deprecated. Use the Threat Crowd v2 integration instead.
- New: Threat Crowd v2: Queries Threat Crowd for reports. (Available from Cortex XSOAR 5.0.0).
  - Breaking Changes: The following command names changed from the deprecated integration:
    - threat-crowd-ip is now ip
    - threat-crowd-file is now file
    - threat-crowd-email is now email
    - threat-crowd-domain is now domain
- Threat Crowd v2: Maintenance and stability enhancements.

Trend Micro Deep Discovery Analyzer Pack v1.0.1

Integrations
- Trend Micro Deep Discovery Analyzer (Beta): Fixed an issue where the integration occasionally failed due to an empty Host header.

Urlscan.io Pack v1.1.6

Integrations
- urlscan.io: Breaking Change: The integration no longer uses Lists to establish relationships.

VirusTotal Pack v2.1.0

Integrations
- VirusTotal - Premium (API v3): Updated the Docker image to: demisto/python3:3.9.5.20070.
- VirusTotal (API v3):
  - Added support for relationships.
  - Updated the Docker image to: demisto/python3:3.9.5.20070.
- VirusTotal: Fixed an issue where the file command failed when sent a list of file hashes in which some entries were undefined.

Assets
- Download Content Zip (Cortex XSOAR 5.5 and earlier): content_new.zip
- Download Marketplace Packs (Cortex XSOAR 6.0 and later): content_marketplace_packs.zip
- Browse the Source Code: Content Repo @ 21.5.1