
Cortex XSOAR Content Release Notes for version 21.5.1 (363406)#

Published on 25 May 2021#

Breaking Changes#

The following packs include breaking changes.

New: Confluera Pack v1.0.0 (Partner Supported)#

Dashboards#

Confluera Dashboard#

Confluera Iqhub Dashboard

Incident Types#

Confluera Incident

Integrations#

Confluera#

Fetches real-time data (detections and progressions) from Confluera.

Layouts#

Confluera Layout (Available from Cortex XSOAR 6.0.0).

Playbooks#

IQ-HUB Automation#

This playbook retrieves real-time detections and progressions data generated by events on different systems present in the network.

Reports#

IQ-Hub Report#

Confluera Iqhub report

Scripts#

ConflueraDetectionsCount#

Logs detections count.

ConflueraDetectionsData#

Logs detections data (detection vs risk-contribution).

ConflueraDetectionsDataWarroom#

Logs detections data (detection vs risk-contribution).

ConflueraDetectionsSummary#

Logs detections data (categories of detections).

ConflueraDetectionsSummaryWarroom#

Logs detections data (categories of detections).

ConflueraProgressionsCount#

Logs progressions count.

ConflueraProgressionsData#

Logs progressions data (progression vs risk-score).

ConflueraProgressionsDataWarroom#

Logs progressions data (progression vs risk-score).

IqHubLog#

Logs detection and progression count with respective links to Confluera's IQ-Hub portal in tabular format.

Widgets#

Confluera Detections Count#

Logs detections count.

Confluera Detections Data#

Logs detections data (detection vs risk-contribution).

Confluera Detections Summary#

Logs detections data (categories of detections).

IQ-HUB Log#

Logs detection and progression counts along with respective links to Confluera's IQ-Hub portal.

Confluera Progressions Count#

Logs progressions count.

Confluera Progressions Data#

Logs progressions data (progression vs risk-score).


New: Group-IB Threat Intelligence & Attribution Pack v1.0.0 (Partner Supported)#

Classifiers#

Group-IB Threat Intelligence & Attribution (classifier)#
Group-IB Threat Intelligence & Attribution (mapper)#

Incident Fields#

  • GIB CVV
  • GIB Card Issuer
  • GIB Card Number
  • GIB Card Type
  • GIB Card Valid Thru
  • GIB Compromised Login
  • GIB Data Hash
  • GIB Date Compromised
  • GIB Date Created
  • GIB Date of Detection
  • GIB Downloaded From
  • GIB Drop Email
  • GIB Drop Email Domain
  • GIB ID
  • GIB Inject Dump
  • GIB Inject MD5
  • GIB Leaked Data
  • GIB Leaked File Name
  • GIB Link List
  • GIB Malware Name
  • GIB Matches
  • GIB Password
  • GIB Payment System
  • GIB Phishing Date Blocked
  • GIB Phishing Kit Emails
  • GIB Phishing Kit Hash
  • GIB Phishing Status
  • GIB Portal Link
  • GIB Related Indicators Data
  • GIB Repository
  • GIB Revisions
  • GIB Severity
  • GIB Source
  • GIB Target Brand
  • GIB Target Category
  • GIB Target Domain
  • GIB Threat Actor ID
  • GIB Threat Actor Name
  • GIB Threat Actor is APT
  • GIB Victim IP

Incident Types#

  • GIB Brand Protection Phishing
  • GIB Brand Protection Phishing Kit
  • GIB Compromised Account
  • GIB Compromised Card
  • GIB OSI Git Leak
  • GIB OSI Public Leak
  • GIB Targeted Malware

Indicator Fields#

GIB CVSS Vector#
GIB Collection#
GIB Date Compromised#
GIB File Name#
GIB ID#
GIB Malware Name#
GIB Phishing Title#
GIB Proxy Anonymous#
GIB Proxy Port#
GIB Software Mixed#
GIB Target Brand#
GIB Target Category#
GIB Target Domain#
GIB Threat Actor ID#
GIB Threat Actor Name#
GIB Threat Actor is APT#

Indicator Types#

  • reputation-GIB_Compromised_IMEI
  • reputation-GIB_Compromised_Mule
  • reputation-GIB_Victim_IP

Integrations#

Group-IB Threat Intelligence & Attribution#

Gets incidents directly into Cortex XSOAR. The list of included collections is:

  • Compromised Accounts
  • Compromised Cards
  • Brand Protection Phishing
  • Brand Protection Phishing Kit
  • OSI Git Leak
  • OSI Public Leak
  • Targeted Malware

Group-IB Threat Intelligence & Attribution Feed#

Use the Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections.

Layouts#

The layouts are available from Cortex XSOAR 6.0.0.

  • GIB Brand Protection Phishing Kit Layout
  • GIB Brand Protection Phishing Layout
  • GIB Compromised Account Layout
  • GIB Compromised Card Layout
  • GIB Compromised IMEI Layout
  • GIB Compromised Mule Layout
  • GIB OSI Git Leak Layout
  • GIB OSI Public Leak Layout
  • GIB Targeted Malware Layout
  • GIB Victim IP Layout

Playbooks#

Incident Postprocessing - Group-IB Threat Intelligence & Attribution#

Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident.


New: Netscout Arbor Sightline Pack v1.0.0#

Classifiers#

Netscout Arbor Sightline - Incoming Mapper#

Incident Fields#

Netscout Arbor Sightline Alert Type

Incident Types#

Netscout Arbor Sightline Alert

Integrations#

Netscout Arbor Sightline (Peakflow)#

DDoS protection and network visibility.

Layouts#

Netscout Arbor Sightline Alert - (Available from Cortex XSOAR 6.0.0).


New: Quantum Security Systems Pack v1.0.0 (Partner Supported)#

Classifiers#

QSS Classifier#

Classifies QSS SOC Monitoring cases based on category classification.

QSS Mapper#

Maps incoming QSS SOC Monitoring cases fields.

Incident Fields#

  • QSS Case Acknowledged
  • QSS Case Assets
  • QSS Case Assignee
  • QSS Case Category
  • QSS Case Created By
  • QSS Case Creation Date
  • QSS Case Description
  • QSS Case False Positive
  • QSS Case ID
  • QSS Case IOCs
  • QSS Case Last Update
  • QSS Case Notes
  • QSS Case Number
  • QSS Case Severity
  • QSS Case Status
  • QSS Case Sub Category
  • QSS Case TLP
  • QSS Case Tags
  • QSS Case Title
  • QSS Custom Attribute

Incident Types#

QSS SOC Monitoring

Integrations#

QSS#

The QSS integration fetches cases from Q-SCMP and automatically adds them as new cases in Cortex XSOAR.

Layouts#

QSS SOC Monitoring Layout - (Available from Cortex XSOAR 6.0.0).


New: SendGrid Pack v1.0.0 (Community Contributed)#

Integrations#

SendGrid#

SendGrid provides a cloud-based service that assists businesses with email delivery. It allows companies to track email opens, unsubscribes, bounces, and spam reports. This pack uses these SendGrid capabilities to help you send and manage your emails.


New: TrustwaveSEG Pack v1.0.0#

Integrations#

Trustwave Secure Email Gateway#

Trustwave SEG is a secure messaging solution that protects businesses and users from email-borne threats, including phishing, blended threats, and spam. Trustwave Secure Email Gateway also delivers improved policy enforcement and data leakage prevention.


New: XSOAR Lab Updates Pack v1.0.0 (Community Contributed)#

Playbooks#

NewPacksNotifier#

Sends updates on newly released packs to the Slack channel.

Scripts#

BuildSlackBlocksFromIndex#

Extracts index.zip and filters packs that are new since the last run. Builds the Slack message for the new packs.


New: iLert Pack v1.0.0 (Partner Supported)#

Integrations#

iLert#

Alerts and notifies users.


Advanced Filter Pack v1.1.3 (Community Contributed)#

Scripts#

ExtFilter#

Added the "is collectively transformed with" operator.


Analyst1 Pack v1.0.7 (Partner Supported)#

Playbooks#

Illuminate Integration Demonstration#

Updated with the "deprecated" field.


AutoFocus Pack v1.2.0#

Integrations#

Palo Alto Networks AutoFocus v2#
  • Added the polling argument to the following commands:
    • autofocus-search-samples
    • autofocus-search-sessions
    • autofocus-top-tags-search

    When polling is used, the command polls for the results and returns them, so a single command can be used to search AutoFocus without the GenericPolling playbook.
  • Updated the Docker image from: 3.9.4.18682 to 3.9.5.20070.


Base Pack v1.11.0#

Scripts#

GetIncidentsByQuery#
  • Improved the implementation of the script so that it consumes less memory.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

SearchIndicatorRelationships#

Maintenance and stability enhancements.

DeleteIndicatorRelationships#

Maintenance and stability enhancements.

CreateIndicatorRelationship#

Maintenance and stability enhancements.

CommonServerPython#
  • Breaking Change: Fixed an issue where using the Email context indicator class created the context with the wrong prefix ('EMAIL' instead of 'Email'). Note: This is a backward compatibility break for the email command in the IPQualityScore and Threat Crowd v2 integrations.
  • Added the entry_type field to the CommandResults constructor. None defaults to EntryType.NOTE, as it did before adding this argument.
  • Added the ScheduledCommand class, to be used with CommandResults.scheduled_command to configure the command to poll.
  • Maintenance and stability enhancements.

New: DBotTrainClustering#

Trains a clustering model on any incident type.


Campaign Pack v1.1.0#

Scripts#

FindEmailCampaign#

Added the ability to store additional data in the output context. The fields specified in the fieldsToDisplay argument are now also available in the output context.


Carbon Black Endpoint Standard Pack v2.0.0#

Classifiers#

New: Carbon Black Endpoint Standard#

Carbon Black Endpoint Standard Classifier (Available from Cortex XSOAR 5.5.0).

Incident Fields#

  • Carbon Black ES Alert Severity
  • Carbon Black ES First Event Time
  • Carbon Black ES IOC Hit
  • Carbon Black ES IOC Id
  • Carbon Black ES Last Event Time
  • Carbon Black ES Process Id
  • Carbon Black ES Process Name
  • Carbon Black ES Report Name
  • Carbon Black ES Reputation
  • Carbon Black ES Target Value
  • Carbon Black ES Threat Category
  • Carbon Black ES Threat Id
  • Carbon Black ES Vector
  • Carbon Black ES Report ID

Incident Types#

New: Carbon Black Endpoint Standard Incident

Integrations#

VMware Carbon Black Endpoint Standard (Deprecated)#

VMware Carbon Black Endpoint Standard (formerly known as Carbon Black Defense) is a next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks, and ransomware. (Available from Cortex XSOAR 5.5.0).

Layouts#

  • New: Carbon Black Endpoint Standard Incoming Layout
  • Carbon Black Endpoint Standard Layout (layouts container) (Available from Cortex XSOAR 6.0.0)
  • Carbon Black Endpoint Standard Layout (layout details) (Available from Cortex XSOAR 5.5.0)

Mappers#

New: Carbon Black Endpoint Standard Incoming Mapper#

Carbon Black Endpoint Standard Mapper (Available from Cortex XSOAR 6.0.0).

Playbooks#

New: Carbon Black Endpoint Standard Find Event Details#

Receives event IDs and returns details about the event.

New: Carbon Black Endpoint Standard Find Events#

Finds events using a search query (or device_id, etc.). It returns a list of events with general information. For detailed information about an event, use the find event details playbook with an event ID.

New: Carbon Black Endpoint Standard Find Processes#

Finds processes using a search query (or device_id, etc.). It returns a list of processes.


Cisco Threat Grid Pack v1.2.3#

Integrations#

Cisco Threat Grid#
  • Fixed an issue where the threat-grid-get-analysis-iocs command returned an error in case there were no indicators, or indicators without a score.
  • Fixed an issue where the threat-grid-get-samples command did not use filters correctly.

Common Playbooks Pack v1.9.6#

Playbooks#

Extract Indicators From File - Generic v2#

Fixed an issue where the playbook was failing when running on .xlsb files.

Dedup - Generic v2#

Updated playbook to include the deprecated field.


Common Scripts Pack v1.3.51#

Scripts#

IsMaliciousIndicatorFound#

Fixed an issue where malicious domains were ignored.

FindSimilarIncidents#

Improved query performance when using the hoursBack flag.

ExampleJSScript#

Changed the HTTP example to work with http://www.paloaltonetworks.com.

EmailAskUserResponse#

Fixed an issue where the script failed to parse the response in case the email had an image embedded in it.

New: ExtractEmailV2#
  • Formatting script that verifies that an email address is valid and only returns the address if it is valid. (Available from Cortex XSOAR 5.5.0).
  • Maintenance and stability enhancements.

GetIndicatorDBotScore#

Fixed an issue where the vendor score was ignored.

PcapHTTPExtractor#
  • Fixed an issue where the automation failed to extract pcap files.
  • Updated the Docker image to: demisto/pcap-http-extractor:1.0.0.20132.

Common Types Pack v2.9.4#

Incident Fields#

  • Tags
  • Alert Category
  • Policy ID
  • Last Update Time
  • Device Username
  • Comment
  • Changed
  • Description
  • Classification
  • Is Active

Indicator Fields#

Description#

Created an association between the Description field and the following fields:

  • Campaign
  • Course of Action
  • Infrastructure
  • Intrusion Set

Primary Motivation#

Created an association between the Primary Motivation field and the Intrusion Set field.

STIX ID#

Created an association between the STIX ID field and the following fields:

  • Campaign
  • Course of Action
  • Infrastructure
  • Intrusion Set

New Indicator Fields#

  • Resource Level
  • Secondary Motivations
  • Goals
  • Kill Chain Phases
  • Action
  • Aliases
  • Infrastructure Types
  • Objective

Indicator Types#

  • Intrusion Set

  • urlRep - Added support for apostrophes when extracting URL.

  • emailRep

    • Added the ExtractEmailV2 formatting script.
    • Maintenance and stability enhancements.

Layouts#

  • New: Infrastructure - Added a new layout for Infrastructure indicator type.

  • New: Campaign - Added a new layout for Campaign indicator type.

  • New: Course of Action - Added a new layout for Course of Action indicator type.

  • New: Intrusion Set - Added a new layout for Intrusion Set indicator type.


Cylance Protect Pack v1.0.6#

Integrations#

Cylance Protect v2#

Fixed an issue where the DBotScore and File context data were not parsed correctly for the following commands:

  • cylance-protect-get-device-threats
  • cylance-protect-get-threats
  • cylance-protect-get-list
  • cylance-protect-download-threat

Playbooks#

Get File Sample By Hash - Cylance Protect#

Playbook was updated with the deprecated field.


Deprecated Content Pack v1.6.9#

Playbooks#

Account Enrichment#

Playbook was updated with the deprecated field.

Account Enrichment - Generic#

Playbook was updated with the deprecated field.

Account Enrichment - Generic v2#

Playbook was updated with the deprecated field.

Add Indicator to Miner - Palo Alto MineMeld#

Playbook was updated with the deprecated field.

Block File - Generic#

Playbook was updated with the deprecated field.

Block IP - Generic#

Playbook was updated with the deprecated field.

Block Indicators - Generic#

Playbook was updated with the deprecated field.

Calculate Severity - Critical assets#

Playbook was updated with the deprecated field.

Calculate Severity - Generic#

Playbook was updated with the deprecated field.

Carbon Black Rapid IOC Hunting#

Playbook was updated with the deprecated field.

Checkpoint Firewall Configuration Backup Playbook#

Playbook was updated with the deprecated field.

CrowdStrike Rapid IOC Hunting#

Playbook was updated with the deprecated field.

DBot Create Phishing Classifier#

Playbook was updated with the deprecated field.

DBot Create Phishing Classifier Job#

Playbook was updated with the deprecated field.

DeDup incidents#

Playbook was updated with the deprecated field.

DeDup incidents - ML#

Playbook was updated with the deprecated field.

Dedup - Generic#

Playbook was updated with the deprecated field.

Demisto Self-Defense - Account policy monitoring playbook#

Playbook was updated with the deprecated field.

Domain Enrichment - Generic#

Playbook was updated with the deprecated field.

Email Address Enrichment - Generic#

Playbook was updated with the deprecated field.

Email Address Enrichment - Generic v2#

Playbook was updated with the deprecated field.

Endpoint Enrichment - Generic#

Playbook was updated with the deprecated field.

Endpoint Enrichment - Generic v2#

Playbook was updated with the deprecated field.

Endpoint data collection#

Playbook was updated with the deprecated field.

Enrich DXL with ATD verdict#

Playbook was updated with the deprecated field.

Enrich McAfee DXL using 3rd party sandbox#

Playbook was updated with the deprecated field.

Enrichment Playbook#

Playbook was updated with the deprecated field.

Entity Enrichment - Generic#

Playbook was updated with the deprecated field.

ExtraHop - Ticket Tracking#

Playbook was updated with the deprecated field.

Extract Indicators - Generic#

Playbook was updated with the deprecated field.

Extract Indicators From File - Generic#

Playbook was updated with the deprecated field.

Failed Login Playbook - Slack v2#

Playbook was updated with the deprecated field.

Failed Login Playbook With Slack#

Playbook was updated with the deprecated field.

File Enrichment - Generic#

Playbook was updated with the deprecated field.

Get File Sample By Hash - Generic#

Playbook was updated with the deprecated field.

Get Mails By Folder Pathes#

Playbook was updated with the deprecated field.

Hunt Extracted Hashes#

Playbook was updated with the deprecated field.

Hunt for bad IOCs#

Playbook was updated with the deprecated field.

Hunting C&C Communication Playbook#

Playbook was updated with the deprecated field.

IP Enrichment - Generic#

Playbook was updated with the deprecated field.

Incident Enrichment#

Playbook was updated with the deprecated field.

Malware Investigation - Generic#

Playbook was updated with the deprecated field.

Malware Investigation - Generic - Setup#

Playbook was updated with the deprecated field.

Malware Playbook - Manual#

Playbook was updated with the deprecated field.

McAfee ePO Endpoint Compliance Playbook#

Playbook was updated with the deprecated field.

McAfee ePO Endpoint Connectivity Diagnostics Playbook#

Playbook was updated with the deprecated field.

McAfee ePO Repository Compliance Playbook#

Playbook was updated with the deprecated field.

PAN-OS - Block IP and URL - External Dynamic List#

Playbook was updated with the deprecated field.

PAN-OS EDL Setup#

Playbook was updated with the deprecated field.

PAN-OS EDL Setup v2#

Playbook was updated with the deprecated field.

PANW - Hunting and threat detection by indicator type#

Playbook was updated with the deprecated field.

PANW - Hunting and threat detection by indicator type V2#

Playbook was updated with the deprecated field.

Palo Alto Networks - Endpoint Malware Investigation v2#

Playbook was updated with the deprecated field.

PanoramaCommitConfiguration#

Playbook was updated with the deprecated field.

PanoramaQueryTrafficLogs#

Playbook was updated with the deprecated field.

Phishing Investigation - Generic#

Playbook was updated with the deprecated field.

Phishing Playbook - Automated#

Playbook was updated with the deprecated field.

Process Email#

Playbook was updated with the deprecated field.

Process Email - Add custom fields#

Playbook was updated with the deprecated field.

QRadar - Get offense correlations#

Playbook was updated with the deprecated field.

Rapid IOC Hunting Playbook#

Playbook was updated with the deprecated field.

Search Endpoints By Hash - Carbon Black Response#

Playbook was updated with the deprecated field.

Search Endpoints By Hash - Generic#

Playbook was updated with the deprecated field.

URL Enrichment - Generic#

Playbook was updated with the deprecated field.

Vulnerability Handling - Qualys#
  • Playbook was updated with the deprecated field.
  • Added custom fields to default layout.

EWS Pack v1.8.17#

Integrations#

EWS O365#
  • Fixed an issue where item IDs did not appear in the output table.
  • Updated the Docker image to: demisto/py3ews:1.0.0.19794.

Endace Pack v1.1.2 (Partner Supported)#

Playbooks#

Endace Search Archive Download PCAP#

Playbook was updated with the deprecated field.

Endace Search Archive and Download#

Playbook was updated with the deprecated field.


Expanse v2 Pack v1.4.1#

Integrations#

Expanse v2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.4.19537.

Export Indicators Pack v1.0.6#

Integrations#

Export Indicators Service#
  • Fixed an issue where the long-running instance failed to start.
  • Updated the Docker image to: demisto/teams:1.0.0.19340.

GitHub Pack v1.2.7#

Integrations#

GitHub#
  • Added the following commands:
    • GitHub-list-team-members
    • Github-get-check-run to get PR check-run details.
    • GitHub-list-branch-pull-requests
  • Added the ability to fetch pull requests as incidents.

Google Safe Browsing Pack v2.0.1#

Integrations#

Google Safe Browsing v2#
  • Fixed an issue where the url command returned an error when no results were found.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

GreyNoise Pack v1.0.2 (Partner Supported)#

Integrations#

GreyNoise#

Added the GreyNoise Community integration.


IBM QRadar Pack v2.0.5#

Playbooks#

QRadar Indicator Hunting#

Playbook was updated with the "deprecated" field.


Infoblox Pack v1.0.3#

Integrations#

Infoblox#

Updated the integration README and detailed description.


Intel471 Feed Pack v1.2.1 (Partner Supported)#

Integrations#

Intel471 Malware Feed#
  • Updated feed images.
  • Documentation and metadata improvements.

Intel471 Intel471 Actors Feed#
  • Updated feed images.
  • Documentation and metadata improvements.

Ipinfo Pack v2.0.0#

Integrations#

ipinfo#

Replaced with IPinfo v2. See IPinfo v2 below for the list of new features and improvements.

New: IPinfo v2#

Use the IPinfo.io API to get data about an IP address.

  • Improved data parsing to context.
  • Allows setting source reliability.
  • Allows using an API token from credentials.
  • Allows setting a base URL.
  • Enriches data with IP-hostname relationships.

MISP Pack v1.0.9#

Integrations#

MISP v2#
  • Fixed an issue where the integration failed on a TypeError.
  • Added the misp-search-attributes command that enables the user to search in MISP according to the defined attributes.
  • Fixed an issue in the misp-search-attributes command, where the raw-response from MISP was modified.

Manage Engine Service Desk Plus Pack v2.0.0#

Integrations#

Service Desk Plus#
  • Added support for on-premises Service Desk Plus requests.
  • Updated the Docker image to: demisto/python3:3.9.4.19537.

Manage Engine Service Desk Plus (On-Premise) Pack v1.0.1#

Integrations#

Service Desk Plus (On-Premise) (Deprecated)#
  • This integration is now deprecated. Use the Service Desk Plus pack instead.
  • Updated the Docker image to: demisto/python3:3.9.4.19537.

Microsoft Cloud App Security Pack v1.0.17#

Integrations#

Microsoft Cloud App Security#

Fixed an issue where an incorrect example was given for the custom_filter integration parameter.


Microsoft Teams Pack v1.1.8#

Integrations#

Microsoft Teams#
  • Improved handling of failures in deserializing objects from the integration cache.
  • Updated the Docker image to: demisto/teams:1.0.0.19340.

PCAP Analysis Pack v2.4.0#

Layouts#

PCAP Analysis Incident - Added a new section to show the carved extracted files.

Playbooks#

PCAP File Carving#
  • Checks whether to perform auto enrichment to carved files using the playbook input.
  • Extended playbook file outputs.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.11#

Incident Fields#

XDR Similar Incidents

Layouts#

Cortex XDR Incident - Updated the layout with a new section for similar incidents.

Playbooks#

Cortex XDR incident handling v3#

Added a new machine learning script to search for similar incidents by shared incident fields and indicators.


Palo Alto Networks PAN-OS EDL Service Pack v2.0.0#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • New: Support for using NGINX as a front-end reverse proxy. NGINX now runs within the Docker container, handles incoming requests directly, and provides caching.
  • Updated the Docker image to: demisto/flask-nginx:1.0.0.20328.

Palo Alto Networks WildFire Pack v1.3.4#

Integrations#

Palo Alto Networks WildFire v2#
  • Fixed an issue where the integration failed due to a "local variable 'url' referenced before assignment" error.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Perch Pack v1.0.2#

Integrations#

Perch#

Maintenance and stability enhancements.


Phish.AI Pack v1.0.2 (Partner Supported)#

Playbooks#

Detonate URL - Phish.AI#

Playbook was updated with the "deprecated" field.


Proofpoint Threat Response (Beta) Pack v1.0.3#

Integrations#

Proofpoint Threat Response (Beta)#
  • Fixed an issue where duplicate incidents were created and incidents were missing.
  • Added the following parameters:
    • fetch_limit
    • fetch_delta
  • Updated the first_fetch parameter to relative time.

Rasterize Pack v1.0.8#

Integrations#

Rasterize#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/chromium:1.0.0.19696.

Recorded Future Feed Pack v1.0.9#

Integrations#

Recorded Future RiskList Feed#
  • Fixed an issue where the fetch-indicators command would not fetch all the indicators.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

ServiceNow Pack v2.1.22#

Integrations#

ServiceNow v2#

Fixed an issue where setting the system_params argument to "sysparm_exclude_reference_link=true" caused an error in the servicenow-query-tickets command.


SlashNext Phishing Incident Response - Annual Subscription (Direct Subscription) Pack v1.2.0 (Partner Supported)#

Playbooks#

New: Abuse Inbox Management Detect & Respond#

When combined with the SlashNext Inbox Abuse Management Protection playbook, this playbook fully automates the identification and remediation of phishing emails found in Microsoft 365 user inboxes. Using the indicators of compromise (URL, domain, and IP) found in the original email, it searches for and remediates other emails containing the same IOCs.

New: Online Brand Protection Detect and Respond#

Analyzes the domains and URLs in suspicious emails reported by end users to determine whether the phishing campaign is impersonating your company’s brand. The playbook can then trigger a domain takedown email, with forensic evidence, to a target address.

New: Abuse Inbox Management Protection#

Analyzes the URLs, domains, and IPs in suspicious emails reported by end users, and returns a binary verdict (malicious or benign) together with forensic information, including a screenshot of the attack page, the threat name and type, the threat status, and first/last seen dates.

Scripts#

New: BrandImpersonationDetection#

Analyzes the forensic data to detect brand impersonation attacks. Modify this file with the attributes associated with your company’s brand.


TCPIPUtils (Deprecated) Pack v1.0.1#

Integrations#

TCPIPUtils (Deprecated)#

Deprecated the integration because the service is no longer functional.


TIM - Indicator Auto-Processing Pack v1.1.7#

Playbooks#

TIM - Run Enrichment For Url Indicators#

Fixed an issue where the playbook input descriptions were incorrect.

TIM - Run Enrichment For Domain Indicators#

Fixed an issue where the playbook input descriptions were incorrect.

TIM - Run Enrichment For Hash Indicators#

Fixed an issue where the playbook input descriptions were incorrect.

TIM - Run Enrichment For IP Indicators#

Fixed an issue where the playbook input descriptions were incorrect.


Telegram (Beta) Pack v1.0.2#

Integrations#

Telegram (Beta)#

Added the proxy integration parameter.


Threat Crowd Pack v2.0.1#

Integrations#

Threat Crowd (Deprecated)#

Deprecated. Use the Threat Crowd v2 integration instead.

New: Threat Crowd v2#
  • Breaking Changes: Changed the following command names from the deprecated integration:
    • threat-crowd-ip is now ip
    • threat-crowd-file is now file
    • threat-crowd-email is now email
    • threat-crowd-domain is now domain
  • Query Threat Crowd for reports. (Available from Cortex XSOAR 5.0.0).

Threat Crowd v2#

Maintenance and stability enhancements.


Trend Micro Deep Discovery Analyzer Pack v1.0.1#

Integrations#

Trend Micro Deep Discovery Analyzer (Beta)#

Fixed an issue where the integration occasionally failed due to an empty Host header.


Urlscan.io Pack v1.1.6#

Integrations#

urlscan.io#

Breaking Change: The integration has been changed to no longer use Lists to establish relationships.


VirusTotal Pack v2.1.0#

Integrations#

VirusTotal - Premium (API v3)#

Updated the Docker image to: demisto/python3:3.9.5.20070.

VirusTotal (API v3)#
  • Added support for relationships.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

VirusTotal#

Fixed an issue where the file command failed when sending a list of file hashes where some of them were undefined.

