
Cortex XSOAR Content Release Notes for version 21.6.0 (378277)#

Published on 08 June 2021#

New: DevSecOps Pack v1.0.0 (Community Contributed)#

Incident Fields#

  • DevSecOps After Commit ID
  • DevSecOps Analysis ID
  • DevSecOps App Task Action
  • DevSecOps App Task App ID
  • DevSecOps App Task App Name
  • DevSecOps App Task Completed At
  • DevSecOps App Task Conclusion
  • DevSecOps App Task Head Commit
  • DevSecOps App Task Id
  • DevSecOps App Task Name
  • DevSecOps App Task Output Summary
  • DevSecOps App Task Output Title
  • DevSecOps App Task Owner Login
  • DevSecOps App Task PR ID
  • DevSecOps App Task PR Number
  • DevSecOps App Task Started At
  • DevSecOps App Task Status
  • DevSecOps Before Commit ID
  • DevSecOps CodeQL Alerts
  • DevSecOps Commit Author
  • DevSecOps Commit Committer
  • DevSecOps Commit ID
  • DevSecOps Commit Message
  • DevSecOps Commit Modified Files
  • DevSecOps Commit TimeStamp
  • DevSecOps Commit Tree ID
  • DevSecOps Commit URL
  • DevSecOps Developer Email
  • DevSecOps Developer Name
  • DevSecOps Git Issue Details
  • DevSecOps Git Issue Number
  • DevSecOps Git Pusher Name
  • DevSecOps Head Commit Author
  • DevSecOps Head Commit Commiter
  • DevSecOps Head Commit ID
  • DevSecOps Head Commit Message
  • DevSecOps Head Commit TimeStamp
  • DevSecOps Head Commit Tree ID
  • DevSecOps Head Commit URL
  • DevSecOps IaC Vulnerability
  • DevSecOps IaC Vulnerability Description
  • DevSecOps IaC Vulnerability Severity
  • DevSecOps IaC Vulnerable Files
  • DevSecOps LGTM Analysis ID
  • DevSecOps LGTM Analysis Logs URL
  • DevSecOps LGTM Analysis Project ID
  • DevSecOps LGTM Analysis Results URL
  • DevSecOps LGTM Analysis Status
  • DevSecOps LGTM Project Config
  • DevSecOps LGTM Project Grade
  • DevSecOps LGTM Project ID
  • DevSecOps LGTM Project Language
  • DevSecOps LGTM Project Name
  • DevSecOps LGTM Project Status
  • DevSecOps LGTM Project URL
  • DevSecOps Language
  • DevSecOps Organization Name
  • DevSecOps PR Action
  • DevSecOps PR Additions
  • DevSecOps PR Assignee
  • DevSecOps PR Assignees
  • DevSecOps PR Base Label
  • DevSecOps PR Base Size
  • DevSecOps PR Body
  • DevSecOps PR Branch
  • DevSecOps PR Changed Files
  • DevSecOps PR Closed At
  • DevSecOps PR Comments
  • DevSecOps PR Commits
  • DevSecOps PR Created At
  • DevSecOps PR Deletions
  • DevSecOps PR Head Commit
  • DevSecOps PR Head ID
  • DevSecOps PR Head Open Issues
  • DevSecOps PR ID
  • DevSecOps PR Installation ID
  • DevSecOps PR Mergeable State
  • DevSecOps PR Number
  • DevSecOps PR Pushed At
  • DevSecOps PR Size
  • DevSecOps PR State
  • DevSecOps PR Title
  • DevSecOps PR Updated At
  • DevSecOps PR Watchers
  • DevSecOps Project ID
  • DevSecOps Repository ID
  • DevSecOps Repository Name
  • DevSecOps Repository Organization
  • DevSecOps Repository URL

Incident Types#

DevSecOps New Git PR

Indicator Fields#

DevSecOps Commit ID#
DevSecOps Message#
DevSecOps Rule ID#
DevSecOps SAST Category#
DevSecOps SAST Precision#
DevSecOps SAST Severity#

Indicator Types#

DevSecOps SAST Alert

Integrations#

Docker Engine API#

The Engine API is an HTTP API served by the Docker engine. It is the API the Docker client uses to communicate with the engine, so everything the Docker client can do can be done with the API.

GitLab#

An integration with GitLab.

LGTM#

An integration with LGTM API.

MinIO#

An integration with MinIO Object Storage.

Layouts#

New Git PR (Available from Cortex XSOAR 6.0.0).

Playbooks#

DevSecOps - Fetch PR - Triage#

A CodeQL code analysis playbook.

DevSecOps - LGTM - Analysis - SubPB#

A CodeQL code analysis playbook.

DevSecOps - Prisma - Analysis -SubPB#

Prisma task analysis playbook.


New: HostIo Pack v1.0.0#

Integrations#

HostIo#

Use the HostIo integration to enrich domains using the Host.io API.


New: Identity Pack v1.0.0#

Incident Fields#

Identity Table - A table view of all identities related to the incident.


New: Linkshadow Pack v1.0.0 (Partner Supported)#

Integrations#

Linkshadow#

Fetch network anomalies data from LinkShadow and execute the remediation actions.


New: MITRE ATT&CK v2 Pack v1.0.0#

Dashboards#

MITRE ATT&CK v2#

MITRE ID - Moved the indicator field to the CommonTypes pack. Updated the CommonTypes pack to minimum version 2.9.8 to continue working with this pack.

Integrations#

MITRE ATT&CK Feed v2#

Use the MITRE ATT&CK® feed to fetch MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) content. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Scripts#

MITREIndicatorsByOpenIncidentsV2#

This is a widget script returning MITRE indicators information for top indicators shown in incidents.


New: Microsoft 365 Defender Pack v1.0.0#

Classifiers#

Microsoft 365 Defender - Incoming Mapper#

Classifies Microsoft 365 Defender's events

Microsoft 365 Defender#

Incident Fields#

  • Microsoft 365 Defender A
  • Microsoft 365 Defender Active
  • Microsoft 365 Defender Categories count
  • Microsoft 365 Defender Classification
  • Microsoft 365 Defender Devices
  • Microsoft 365 Defender Display Name
  • Microsoft 365 Defender First activity
  • Microsoft 365 Defender ID
  • Microsoft 365 Defender Last activity
  • Microsoft 365 Defender Status
  • Microsoft 365 Defender Tags
  • Microsoft 365 Defender Users
  • impacted devices
  • impacted entities

Incident Types#

Microsoft 365 Defender Incident

Integrations#

Microsoft 365 Defender (Beta)#

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Layouts#

  • Microsoft 365 Defender Incident - Summary

  • Microsoft 365 Defender - Layout (Available from Cortex XSOAR 6.0.0).


New: Sumo Logic Cloud SIEM Pack v1.0.0 (Partner Supported)#

Integrations#

Sumo Logic Cloud SIEM#

Frees the analyst with autonomous decisions.


New: Unit42 v2 Feed Pack v1.0.0#

Integrations#

Unit42 v2 Feed#

Unit42 feed of published IOCs, which contains known malicious indicators.


ARIAPacketIntelligence Pack v2.0.2 (Partner Supported)#

Integrations#

ARIA Packet Intelligence#

Updated the Docker image to: demisto/python3:3.9.5.20070.


AWS - ACM Pack v1.1.1#

Integrations#

AWS - ACM#
  • Added the Timeout parameter, which enables you to define the amount of time until a timeout exception is reached.
  • Added the Retries parameter, which enables you to define the maximum retry attempts when connection or throttling errors are encountered.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.20382.

AWS - CloudTrail Pack v1.0.6#

Integrations#

AWS - CloudTrail#

Maintenance and stability enhancements.


AWS - CloudWatchLogs Pack v1.2.0#

Integrations#

AWS - CloudWatchLogs#
  • Added the Timeout parameter, which enables you to define the amount of time until a timeout exception is reached.
  • Added the Retries parameter, which enables you to define the maximum retry attempts when connection or throttling errors are encountered.
  • Added support for the access key and secret key parameters.
  • Updated the Docker image to: demisto/boto3:2.0.0.20482.

AWS - EC2 Pack v1.2.2#

Integrations#

AWS - EC2#
  • Added the Timeout parameter, which enables you to define the amount of time until a timeout exception is reached.
  • Added the Retries parameter, which enables you to define the maximum retry attempts when connection or throttling errors are encountered.
  • Added a limitation to the Retries parameter in order to prevent long execution time.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/boto3:2.0.0.20379.

AWS - IAM Pack v1.1.0#

Integrations#

AWS - IAM#
  • Added the Timeout parameter, which enables you to define the amount of time until a timeout occurs.
  • Added the Retries parameter, which enables you to define the maximum number of retry attempts when a connection or throttling error occurs.
  • Updated the Docker image to: demisto/boto3:2.0.0.20513.

AWS - Lambda Pack v1.2.1#

Integrations#

AWS - Lambda#
  • Internal code improvements.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.20516.
  • Maintenance and stability enhancements.

AWS - S3 Pack v1.1.1#

Integrations#

AWS - S3#
  • Added the Timeout parameter, which enables you to define the amount of time until a timeout error occurs.
  • Added the Retries parameter, which enables you to define the maximum number of retry attempts when a connection or throttling error occurs.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/boto3:2.0.0.20513.

AWS - SQS Pack v1.2.0#

Integrations#

AWS - SQS#
  • Added the Timeout parameter, which enables you to define the amount of time until a timeout exception is reached.
  • Added the Retries parameter, which enables you to define the maximum retry attempts when connection or throttling errors are encountered.
  • Updated the Docker image to: demisto/boto3:2.0.0.20482.

AWS - Security Hub Pack v1.1.1#

Integrations#

AWS - Security Hub#
  • Added the Timeout parameter, which enables you to define the amount of time until a timeout exception is reached.
  • Added the Retries parameter, which enables you to define the maximum retry attempts when connection or throttling errors are encountered.
  • Fixed an issue where the aws-securityhub-get-findings command did not return data in some cases.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.20485.
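The Timeout and Retries parameters added to the AWS integrations above map onto the connect/read timeouts and retry budget of a botocore client configuration. The following is an added example, not the XSOAR AWS integrations' own code, showing how such parameters can be parsed and bounded before being handed to a client: the "read" or "read,connect" string format, the default values, and the upper bound of 10 retries are all assumptions for illustration; the release notes only state that a Timeout parameter, a Retries parameter and a limit on Retries exist. Rejecting non-positive timeouts and clamping the retry count are the checks that keep an automation run from hanging on a throttled or unreachable API.

```python
"""Turn Timeout / Retries integration parameters into botocore client config.

Added example; not the integrations' own code. Assumptions (not from the
release notes): Timeout is "read" or "read,connect" seconds, Retries is a
small integer, and the integration clamps Retries to MAX_RETRIES.
"""
from __future__ import annotations

MAX_RETRIES = 10              # assumed upper bound on retry attempts
DEFAULT_RETRIES = 5           # assumed default
DEFAULT_CONNECT_TIMEOUT = 10  # seconds, assumed default
DEFAULT_READ_TIMEOUT = 60     # seconds, assumed default

try:  # botocore is optional so the example also runs where it is not installed
    from botocore.config import Config
except ImportError:  # pragma: no cover
    Config = None


def parse_timeout(value: str | None) -> tuple[float, float]:
    """Return (connect_timeout, read_timeout) in seconds.

    Accepts "60" (read timeout only) or "60,10" (read, then connect).
    Blank input falls back to the defaults; zero or negative values are
    rejected so a typo cannot silently disable the timeout.
    """
    if value is None or not value.strip():
        return DEFAULT_CONNECT_TIMEOUT, DEFAULT_READ_TIMEOUT
    parts = [p.strip() for p in value.split(",")]
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"Timeout must be 'read' or 'read,connect', got {value!r}")
    read = float(parts[0])
    connect = float(parts[1]) if len(parts) == 2 else DEFAULT_CONNECT_TIMEOUT
    if read <= 0 or connect <= 0:
        raise ValueError("Timeout values must be positive")
    return connect, read


def parse_retries(value: str | None) -> int:
    """Return the retry attempt count, clamped to MAX_RETRIES."""
    if value is None or not value.strip():
        return DEFAULT_RETRIES
    retries = int(value)
    if retries < 0:
        raise ValueError("Retries cannot be negative")
    # Clamp rather than reject: a too-large value degrades to the cap instead
    # of producing a command that retries for minutes on a throttled API.
    return min(retries, MAX_RETRIES)


def build_client_config(timeout: str | None, retries: str | None) -> dict:
    """Keyword arguments for botocore.config.Config."""
    connect, read = parse_timeout(timeout)
    return {
        "connect_timeout": connect,
        "read_timeout": read,
        "retries": {"max_attempts": parse_retries(retries)},
    }


def make_config(timeout: str | None, retries: str | None):
    """Build the Config object when botocore is available, else the kwargs."""
    kwargs = build_client_config(timeout, retries)
    return Config(**kwargs) if Config is not None else kwargs


if __name__ == "__main__":
    # The resulting object is what you would pass as boto3.client(..., config=cfg)
    print(build_client_config("60,10", "50"))
```

With botocore installed, the returned Config is passed as the `config=` argument of `boto3.client(...)`; the same bounded values then apply to every API call the integration makes.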

AWS-NetworkFirewall Pack v1.0.2#

Integrations#

AWS Network Firewall#

Maintenance and stability enhancements.


Abuse.ch SSL Blacklist Feed Pack v1.1.2#

Integrations#

abuse.ch SSL Blacklist Feed#

Maintenance and stability enhancements.


Acalvio ShadowPlex Pack v1.0.1 (Partner Supported)#

Integrations#

Acalvio ShadowPlex#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Active Directory Query Pack v1.1.12#

Integrations#

Active Directory Query v2#
  • Added support for parentheses when searching for a user using the ad-get-user command.
  • Added the Active Directory search user with parentheses test sub-playbook.
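Parentheses in a user name break an LDAP search unless they are escaped, because `(` and `)` delimit the filter itself; the same holds for `*`, `\` and NUL, which is also why unescaped user input can turn a lookup for one account into a wildcard match. The following is an added example, not the Active Directory Query v2 integration's own code, of RFC 4515 escaping applied to a user-supplied value before it is embedded in a filter, plus a small structural check that makes the failure mode visible. The attribute name and filter shape are assumptions for illustration.

```python
"""Escape user-supplied values before embedding them in an LDAP search filter.

Added example; not the Active Directory Query v2 integration's own code.
RFC 4515 section 3 requires ( ) * \\ and NUL inside an assertion value to be
written as backslash-hex escapes.
"""

# Characters that carry meaning inside a filter, mapped to their escapes.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(name: str) -> str:
    """The broken form: the name is interpolated without escaping."""
    return f"(&(objectClass=user)(sAMAccountName={name}))"


def build_user_filter(name: str, attribute: str = "sAMAccountName") -> str:
    """Build an AND filter matching a single user by the given attribute.

    The attribute name is not user input, but it is still restricted to
    attribute-description characters so it cannot smuggle filter syntax.
    """
    if not attribute.replace("-", "").isalnum():
        raise ValueError(f"invalid attribute name: {attribute!r}")
    return f"(&(objectClass=user)({attribute}={escape_filter_value(name)}))"


def paren_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: do the unescaped parentheses balance?

    Escapes are three characters (\\XX), so a backslash skips the next two.
    """
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed sample: a display-style name with parentheses and a stray "*".
    for sample in ("Smith (Admin)", "Smith (Admin", "*"):
        print(build_user_filter_unsafe(sample), paren_balanced(build_user_filter_unsafe(sample)))
        print(build_user_filter(sample), paren_balanced(build_user_filter(sample)))
```

The unsafe builder with `Smith (Admin` yields an unbalanced filter, which is the kind of search the server rejects; with `*` it yields a filter that matches every user. The escaped form stays balanced and literal in both cases.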

Scripts#

IAMInitADUser#

Updated the Docker image to: demisto/python3:3.9.5.20070.


ActiveMQ Pack v1.0.2#

Integrations#

ActiveMQ#

Maintenance and stability enhancements.


Akamai WAF SIEM Pack v1.0.2#

Integrations#

Akamai WAF SIEM#

Maintenance and stability enhancements.


AlienVault Feed Pack v1.1.2#

Integrations#

AlienVault Reputation Feed#

Maintenance and stability enhancements.


AlienVault OTX Pack v1.1.2#

Integrations#

AlienVault OTX v2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Amazon DynamoDB Pack v1.0.6#

Integrations#

Amazon DynamoDB#

Maintenance and stability enhancements.


Analyst1 Pack v1.0.8 (Partner Supported)#

Integrations#

Analyst1#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Ansible Tower Pack v1.0.3#

Integrations#

Ansible Tower#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Atlassian Jira Pack v1.3.3#

Integrations#

Atlassian Jira v2#
  • Fixed an issue where fetch-incidents would stop when the last issue that was fetched had been deleted or moved to a different project in Jira.
  • Updated the Docker image to: demisto/oauthlib:1.0.0.19245.

AttackIQ Platform Pack v1.0.3#

Integrations#

AttackIQ Platform#

Updated the Docker image to: demisto/python3:3.9.5.20070.


AutoFocus Pack v1.3.2#

Integrations#

Palo Alto Networks AutoFocus v2#
  • Added support for relationships between indicators.
  • Maintenance and stability enhancements.

AzureSentinel Pack v1.0.11#

Integrations#

Azure Sentinel (Beta)#
  • Added the following arguments to the azure-sentinel-update-incident command:
    • assignee_email
    • labels
  • Fixed an issue where the Informational severity option was named Informal in the azure-sentinel-update-incident command.

Bambenek Consulting Feed Pack v1.1.2#

Integrations#

Bambenek Consulting Feed#

Maintenance and stability enhancements.


Base Pack v1.12.3#

Scripts#

CommonServerPython#
  • Fixed an issue where the is_demisto_version_ge method returned an incorrect response.
  • Improved secrets mechanism detection and obfuscation of log prints.
  • Maintenance and stability enhancements.
DBotTrainClustering#
  • Added fields used for clustering to the output JSON.
  • Added suffix in cases where clusters have the same name.
DBotPredictPhishingWords#
  • Updated the Docker image to support the new version of the out-of-the-box model.
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/ml:1.0.0.20606.
New: DBotShowClusteringModelInfo#
  • Displays clustering model incidents.
  • Displays clustering model summary.
CreateIndicatorRelationship#

Maintenance and stability enhancements.

FindSimilarIncidentsByText#
  • Fixed an issue where the automation performed an all-time search even if a time frame was specified.
  • Updated the Docker image to: demisto/sklearn:1.0.0.19770.
DBotPreProcessTextData#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/ml:1.0.0.20606.
CommonServerPowerShell#
  • Added usage of versioned integration context.
  • Updated the Docker image to: demisto/powershell-ubuntu:7.1.3.20270.
SaneDocReports#
  • Fixed an issue where incorrect bar chart values caused an error.
  • Updated the Docker image to: demisto/sane-doc-reports:1.0.0.20692.

Bastille Networks Pack v1.0.3 (Partner Supported)#

Integrations#

Bastille Networks#

Updated the Docker image to: demisto/python3:3.9.5.20070.


BitSight Pack v1.0.3 (Partner Supported)#

Integrations#

BitSight for Security Performance Management#

Added a detailed description for the integration configuration.


BitcoinAbuse Feed Pack v1.0.5#

Integrations#

BitcoinAbuse Feed#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

BlockList DE Feed Pack v1.1.2#

Integrations#

Blocklist_de Feed#

Maintenance and stability enhancements.


Bluecat Address Manager Pack v1.0.2#

Integrations#

Bluecat Address Manager#

Maintenance and stability enhancements.


Bonusly Pack v1.0.2 (Community Contributed)#

Integrations#

Bonusly#

Updated the Docker image to: demisto/python3:3.9.5.20070.


BruteForce Feed Pack v1.1.2#

Integrations#

BruteForceBlocker Feed#

Maintenance and stability enhancements.


CSV Feed Pack v1.1.2#

Integrations#

CSV Feed#

Maintenance and stability enhancements.


Campaign Pack v2.0.3#

Incident Fields#

  • Select Campaign Incidents
  • Incidents Info
  • Select Action
  • Campaign Email To
  • Campaign Close Notes
  • Campaign Email Subject
  • Actions On Campaign Incidents
  • Campaign Email Body

Scripts#

New: CollectCampaignRecipients#

Collects the recipients from all campaign incidents. (Available from Cortex XSOAR 5.0.0).

New: GetCampaignIncidentsInfo#

Gets the campaign incidents information as an MD table. (Available from Cortex XSOAR 5.0.0).

New: GetCampaignIncidentsIdsAsOptions#

Gets the campaign incident IDs as option values for the multi-select field. (Available from Cortex XSOAR 5.0.0).

FindEmailCampaign#
  • Added support for markdown outputs to the following incidents fields:
    • EmailCampaignSummary
    • EmailCampaignMutualIndicators
    • EmailCampaignCanvas
  • Removed the following titles from the script readable outputs:
    • emailcampaignsummary
    • emailcampaignmutualindicators
  • Updated the Docker image to: demisto/sklearn:1.0.0.19770.
New: SendEmailToCampaignRecipients#

Sends email to all recipients from the selected campaign incidents. (Available from Cortex XSOAR 5.0.0).

New: PerformActionOnCampaignIncidents#

Performs user actions such as Link, Close, etc., on selected incidents from a campaign. (Available from Cortex XSOAR 5.0.0).

New: IsIncidentPartOfCampaign#

Gets the incident campaign's ID for the campaign that is linked to at least one of the given incidents. (Available from Cortex XSOAR 5.5.0).

PerformActionOnCampaignIncidents#

Added "Unlink & Reopen" to the possible actions of the interactive management section.


Carbon Black Endpoint Standard Pack v2.0.1#

Integrations#

Carbon Black Endpoint Standard#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Carbon Black Enterprise Response Pack v1.1.8#

Playbooks#

New: Block Endpoint - Carbon Black Response V2#

Isolates an endpoint for a given hostname. (Available from Cortex XSOAR 5.5.0).


CaseManagement-Generic Pack v1.2.0 (Community Contributed)#

Dashboards#

Incidents Overview#
  • Updated the default date range to 30 days.
  • Fixed the query in the Open Incidents by Role widget.
My Incidents#

Updated the default date range to 30 days.


Check Point Firewall Pack v2.0.8#

Integrations#

CheckPoint Firewall v2#
  • Added the ignore_warnings and ignore_errors arguments for the following commands:
    • checkpoint-host-delete
    • checkpoint-host-add
  • Added handling for the newly added IPv6 field.
  • Updated the Docker image to: demisto/python3:3.8.6.14516.

Cisco ASA Pack v1.0.6#

Integrations#

Cisco ASA#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Cisco Email Security (Beta) Pack v1.0.2#

Integrations#

Cisco Email Security (beta)#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Cisco WebEx Feed Pack v1.1.2 (Community Contributed)#

Integrations#

Cisco WebEx Feed#
  • Fixed an issue in the following commands where the integration would fail to parse the returned domain list:
    • fetch-indicators
    • test-module
  • Updated the Docker image to: demisto/btfl-soup:1.0.1.20315.

Cloudflare Feed Pack v1.1.2#

Integrations#

Cloudflare Feed#

Maintenance and stability enhancements.


Cognni Pack v1.0.1 (Partner Supported)#

Integrations#

Cognni#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Common Playbooks Pack v1.9.7#

Playbooks#

Unisolate Endpoint - Generic#

Added a task that checks if the endpoint is online.

New: Get endpoint details - Generic#

This playbook uses the generic !endpoint command to retrieve details about a specific endpoint. This command currently supports the following integrations:

  • Palo Alto Networks Cortex XDR - Investigation and Response.
  • CrowdStrike Falcon. (Available from Cortex XSOAR 5.5.0).
New: Block Email - Generic#

This playbook will block emails at your mail relay integration. (Available from Cortex XSOAR 5.5.0).

New: Get host forensics - Generic#
  • This playbook retrieves forensics from hosts.
  • The available integration is Illusive networks. (Available from Cortex XSOAR 5.5.0).
New: Threat Hunting - Generic#
  • This playbook enables threat hunting for IOCs in your enterprise.
  • This playbook currently supports the following integrations:
    • Splunk
    • Qradar
    • Pan-os
    • Cortex data lake
    • Autofocus (Available from Cortex XSOAR 5.5.0).
Block Indicators - Generic v2#

Added Block Email - Generic playbook.

New: Isolate Endpoint - Generic V2#

This playbook isolates a given endpoint via various endpoint product integrations. Make sure to provide the valid playbook input for the integration that you are using. (Available from Cortex XSOAR 5.5.0).


Common Scripts Pack v1.3.53#

Scripts#

New: GetIndicatorDBotScoreFromCache#

Gets the overall score for the indicator as calculated by DBot. (Available from Cortex XSOAR 6.0.0).

New: AddDBotScoreToContext#

Adds a DBot score to context for indicators with a custom vendor, score, reliability, and type. (Available from Cortex XSOAR 6.0.0).

Set#

Documentation and metadata improvements.


Common Types Pack v3.0.3#

Incident Fields#

  • Categories
  • Dsts
  • Srcs
  • Agents ID
  • CMD
  • CMD line
  • Child Process
  • Detected IPs
  • Detected User
  • Endpoint
  • File MD5
  • File Names
  • File Paths
  • File SHA1
  • File SHA256
  • Objective
  • Parent CMD line
  • Parent Process
  • Scenario
  • Similar incidents Dbot
  • Tactic
  • Tactic ID
  • Technique
  • Technique ID
  • Threat Hunting Detected Hostnames
  • Threat Hunting Detected IP
  • Users
  • Maintenance and stability enhancements.

Indicator Fields#

  • Is Malware Family
  • Tool Types
  • Sophistication
  • Roles
  • Tool Version
  • Threat Actor Types
  • Operating System Refs

MITRE ID - Associated the Kill Chain Phases field with the Attack Pattern and Tool indicator types.

Indicator Types#

  • emailRep
  • Tool
  • Malware
  • Report
  • Threat Actor
  • Attack Pattern

Layouts#

  • Updated the following layouts:
    • STIX Threat Actor
    • STIX Malware
    • STIX Tool
    • STIX Report
    • STIX Attack Pattern
  • Maintenance and stability enhancements:
    • Course of Action
    • Infrastructure
    • Campaign
    • Intrusion Set
  • Updated the following type layouts:
    • File Indicator
    • URL Indicator
    • Email Indicator
    • Domain Indicator
    • IP Indicator

Common Widgets Pack v1.0.10#

Widgets#

Page Break Widget#

Updated the category to Utilities.

Image#

Updated the category to Utilities.

Text Widget#

Updated the category to Utilities.

Malicious Indicators Activity by Type#

Renamed the widget from Bad Indicators Activity by Type to Malicious Indicators Activity by Type.

Manual Verdict Indicators by User#

Renamed the widget from Manual Reputation Indicators by User to Manual Verdict Indicators by User.

Malicious Indicators Activity#

Renamed the widget from Bad Indicators Activity to Malicious Indicators Activity.

Manual Verdict Indicators#

Renamed the widget from Manual Reputation Indicators to Manual Verdict Indicators.


ConcentricAI Pack v1.2.1 (Partner Supported)#

Integrations#

ConcentricAI#

Maintenance and stability enhancements.


Cortex Data Lake Pack v1.3.2#

Integrations#

Cortex Data Lake#

Maintenance and stability enhancements.


CounterCraft Deception Director Pack v1.0.1 (Partner Supported)#

Integrations#

CounterCraft Deception Director#

Updated the Docker image to: demisto/python3:3.9.5.20070.


CrowdStrike Falcon Pack v1.2.17#

Playbooks#

New: Crowdstrike Falcon - Isolate Endpoint#

Auto isolate endpoints by the device ID that was provided in the playbook. (Available from Cortex XSOAR 5.5.0).


Cryptocurrency Pack v1.1.4#

Integrations#

Cryptocurrency#

Updated the Docker image to: demisto/python3:3.9.5.20070.


CyberArk Pack v1.0.3#

Integrations#

CyberArk PAS#

Updated the Docker image to: demisto/python3:3.9.5.20070.


CyberTotal Pack v1.0.4 (Partner Supported)#

Integrations#

CyberTotal#

Updated the Docker image to: demisto/python3:3.9.5.20070.


CyberX - Central Manager Pack v1.0.2 (Community Contributed)#

Integrations#

CyberX - Central Manager#

Maintenance and stability enhancements.


Cybereason Pack v1.0.9#

Playbooks#

Isolate Endpoint - Cybereason#

Added a task that checks if the endpoint is online.


Cymptom Pack v1.0.2 (Partner Supported)#

Integrations#

Cymptom#

Maintenance and stability enhancements.


Cymulate Pack v2.0.3 (Partner Supported)#

Integrations#

Cymulate#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
Cymulate v2#
  • Fixed the incidents date format.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Cyren Threat InDepth Threat Intelligence Pack v1.5.3 (Partner Supported)#

Integrations#

Cyren Threat InDepth Threat Intelligence Feed#

Updated the Docker image to: demisto/python3:3.9.5.20070.


DShield Feed Pack v1.1.2#

Integrations#

DShield Feed#

Maintenance and stability enhancements.


Darktrace Pack v1.0.3 (Partner Supported)#

Integrations#

Darktrace#

Updated the Docker image to: demisto/python3:3.9.5.20070.


DeHashed Pack v1.1.1#

Integrations#

DeHashed#

Updated the Docker image to: demisto/python3:3.9.5.20070.


DeepInstinct Pack v1.0.5 (Partner Supported)#

Integrations#

Deep Instinct#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Developer Tools Pack v1.1.2#

Integrations#

XSOAR Powershell Testing#
  • Added support for the cache to be updated automatically on token expiration.
  • Updated the Docker image to: demisto/powershell-ubuntu:7.1.3.20650.

Devo Pack v1.0.2#

Integrations#

Devo v2#

Maintenance and stability enhancements.


Digital Defense Frontline VM Pack v1.1.2 (Partner Supported)#

Integrations#

Digital Defense FrontlineVM#

Maintenance and stability enhancements.


Digital Guardian Pack v1.0.3 (Partner Supported)#

Integrations#

Digital Guardian#

Updated the Docker image to: demisto/python3:3.9.5.20070.


EWS Pack v1.8.20#

Integrations#

EWS v2#
  • Added the First fetch timestamp parameter.
  • Updated the Docker image to: demisto/py-ews:1.0.0.19456.
EWS O365#
  • Added the First fetch timestamp parameter.
  • Fixed an issue where parsing attachments with non UTF-8 encoded characters failed.
O365 - Security And Compliance - Content Search (beta)#

Fixed an issue where the authentication process failed after the password was changed.


Elasticsearch Pack v1.1.6#

Integrations#

Elasticsearch v2#
  • Added the Timeout parameter.
  • Fixed an issue where the Request timeout integration parameter did not work properly.
  • Updated the Docker image to: demisto/elasticsearch:1.0.0.20431.

EmailRepIO Pack v1.0.1#

Integrations#

EmailRep.io#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Exabeam Pack v2.1.1#

Integrations#

Exabeam#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Expanse v2 Pack v1.5.0#

Incident Fields#

Integrations#

Expanse v2#
  • Added the expanse-get-cloud-resources command to fetch Cloud Resources.
  • Added new cloud management status parameters to issues and service commands.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Layouts#

Expanse Issue Layout - Added new field for Cloud Management Status.

Mappers#

ExpanseV2 - Incoming Mapper#

Updated the mapper to extract cloud management status.

Playbooks#

Expanse VM Enrich#

Added support for Rapid7 Nexpose.


Export Indicators Pack v1.0.8#

Integrations#

Export Indicators Service#
  • Added the following integration parameters for appending or prepending arbitrary strings to EDL:
    • append_string
    • prepend_string
  • Maintenance and stability enhancements.

ExtraHop Reveal(x) Pack v1.0.6 (Partner Supported)#

Integrations#

ExtraHop Reveal(x) v2#

Maintenance and stability enhancements.


F5 firewall Pack v1.2.1#

Integrations#

F5 Application Security Manager (WAF)#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Farsight DNSDB Pack v2.1.3 (Partner Supported)#

Integrations#

Farsight DNSDB v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


FeodoTracker Feed Pack v1.1.3#

Integrations#

Feodo Tracker Hashes Feed (Deprecated)#

Maintenance and stability enhancements.


FireEye HX Pack v1.0.14#

Integrations#

FireEye HX#
  • Fixed an issue where the number of incidents fetched was unbounded and caused performance issues.
  • Maintenance and stability enhancements.

Playbooks#

New: FireEye HX - Isolate Endpoint#

Auto isolate endpoints by the endpoint ID that was provided in the playbook. (Available from Cortex XSOAR 5.5.0).


FireEye Helix Pack v1.0.3#

Integrations#

FireEye Helix#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Flashpoint Pack v1.1.3 (Partner Supported)#

Integrations#

Flashpoint#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Forescout Pack v1.0.3#

Integrations#

Forescout#

Maintenance and stability enhancements.


FortiManager Pack v1.0.1#

Integrations#

FortiManager#

Updated the Docker image to: demisto/python3:3.9.5.20070.


FraudWatch PhishPortal Pack v1.0.2#

Integrations#

FraudWatch#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Freshdesk Pack v1.0.3#

Integrations#

Freshdesk#

Fixed an issue where the fetch incidents command did not handle pagination properly.


GitHub Pack v1.2.8#

Integrations#

GitHub#

Added the Github-commit-file command.


Google Cloud Compute Pack v1.0.3#

Integrations#

Google Cloud Compute#

Maintenance and stability enhancements.


Google Cloud Storage Pack v1.0.2#

Integrations#

Google Cloud Storage#

Maintenance and stability enhancements.


Google Cloud Translate Pack v1.0.2#

Integrations#

Google Cloud Translate#

Maintenance and stability enhancements.


Google Docs Pack v1.0.1#

Integrations#

Google Docs#

Maintenance and stability enhancements.


GraphQL Pack v1.0.3#

Integrations#

GraphQL#
  • Added the Fetch the schema from the transport integration parameter to set whether to fetch the schema from the transport using an introspection query.
  • Updated the Docker image to: demisto/graphql:1.0.0.19143.

GreyNoise Pack v1.0.3 (Partner Supported)#

Integrations#

GreyNoise#

Maintenance and stability enhancements.


HelloWorld Pack v1.2.4 (Community Contributed)#

Integrations#

HelloWorld Feed#

Updated the Docker image to: demisto/python3:3.9.5.20070.

HelloWorld#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Humio Pack v1.0.5 (Partner Supported)#

Integrations#

Humio#

Updated the Docker image to: demisto/python3:3.9.5.20070.


IBM QRadar Pack v2.0.10#

Integrations#

IBM QRadar v3#
  • Added clarification of the QRadar version required for mirroring.
  • Added the Maximum number of events per incident integration parameter.
  • Fixed an issue where enriching an invalid IP using assets returned an error.
  • Fixed an issue where the events_limit integration parameter raised an error if it was not set, instead of using its default value.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
IBM QRadar v2#
  • Fixed an issue where the integration was failing to create incidents due to a timeout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Scripts#

QRadarFetchedEventsSum#

Updated the Docker image to: demisto/python3:3.9.5.20070.

QRadarMagnitude#

Updated the Docker image to: demisto/python3:3.9.5.20070.

QRadarPrintAssets#

Updated the Docker image to: demisto/python3:3.9.5.20070.

QRadarPrintEvents#

Updated the Docker image to: demisto/python3:3.9.5.20070.


IBM X-Force Exchange Pack v1.1.3#

Integrations#

IBM X-Force Exchange v2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

IPQualityScore (IPQS) Threat Risk Scoring Pack v1.0.1 (Partner Supported)#

Integrations#

IPQualityScore#
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Illusive Networks Pack v1.0.8 (Partner Supported)#

Playbooks#

Illusive-Collect-Forensics-On-Demand#

Added forensics tags to the Illusive-Collect-Forensics-On-Demand playbook.


Indeni Pack v1.0.8 (Partner Supported)#

Integrations#

Indeni#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Intezer Pack v1.1.1 (Partner Supported)#

Integrations#

Intezer v2#

Maintenance and stability enhancements.


Ipinfo Pack v2.0.3#

Integrations#

IPinfo v2#
  • The Base URL parameter is now marked as required.
  • Updated the default timeout to 20 seconds.
ipinfo (Deprecated)#

Deprecated. Use the IPinfo v2 integration instead.


JsonWhoIs Pack v1.0.4#

Integrations#

JsonWhoIs#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Kaspersky Security Center Pack v1.0.1#

Integrations#

Kaspersky Security Center (Beta)#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Kenna Pack v1.1.1#

Integrations#

Kenna v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Lastline Pack v1.0.6#

Integrations#

Lastline v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Lockpath Keylight Pack v1.1.1#

Integrations#

Lockpath KeyLight v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


LogPoint SIEM Integration Pack v1.1.1 (Partner Supported)#

Integrations#

LogPoint SIEM Integration#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Logz.io Pack v1.1.5 (Partner Supported)#

Integrations#

Logz.io#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Looker Pack v1.0.2#

Integrations#

Looker#

Maintenance and stability enhancements.


MITRE ATT&CK Pack v1.1.13#

Indicator Fields#

MITRE ID - Moved the indicator field to the CommonTypes pack and updated the CommonTypes pack to a minimum version of 2.9.8 to continue working with this pack.


Machine Learning Pack v1.3.0#

Scripts#

DBotPredictOutOfTheBoxV2#
  • Updated the out-of-the-box model version.
  • Updated the Docker image to: demisto/ml:1.0.0.20606.
DBotPredictIncidentsBatch#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/ml:1.0.0.20606.

Mail Listener Pack v1.0.4#

Integrations#

Mail Listener v2#
  • Fixed an issue where the integration failed to parse raw unicode escape characters.
  • Updated the Docker image to: demisto/imap:1.0.0.19866.

Majestic Million Feed Pack v1.1.2#

Integrations#

Majestic Million Feed#

Maintenance and stability enhancements.


Malware Pack v1.2.8#

Incident Types#

Layouts#

New: Malware Incident V2#

Updated the Malware layout.

Playbooks#

New: Endpoint Malware Investigation - Generic V2#

This playbook provides a framework for handling a malware investigation through all of its essential steps. The playbook consists of 7 stages, each of which contains the relevant sub-playbook or tasks. The playbook automatically extracts indicators from incidents according to the indicator extraction rules of the Malware incident type. To use the Illusive integration in the Forensics - Generic playbook, set the forensic timeline by editing the Forensics - Generic playbook inputs.
(Available from Cortex XSOAR 6.0.0).


MalwareDomainList Feed Pack v1.1.2#

Integrations#

Malware Domain List Active IPs Feed#

Maintenance and stability enhancements.


Malwarebytes Pack v1.1.1 (Partner Supported)#

Integrations#

Malwarebytes#

Maintenance and stability enhancements.


Manage Engine Service Desk Plus Pack v2.0.1#

Integrations#

Service Desk Plus#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Manage Engine Service Desk Plus (On-Premise) Pack v1.0.2#

Integrations#

Service Desk Plus (On-Premise) (Deprecated)#

Updated the Docker image to: demisto/python3:3.9.5.20070.


McAfee ESM Pack v1.1.6#

Integrations#

McAfee ESM v2#
  • Fixed an issue where fetching incidents would fail when the format of the time field in the alert was %d-%m-%Y %H:%M:%S.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Microsoft Cloud App Security Pack v1.0.18#

Integrations#

Microsoft Cloud App Security#

Maintenance and stability enhancements.


Microsoft Defender for Endpoint Pack v1.2.14#

Integrations#

Microsoft Defender for Endpoint#
  • Fixed an issue where the pagination did not work properly in the microsoft-atp-indicator-list command.
  • Updated the Docker image to: demisto/crypto:1.0.0.19032.

Microsoft Management Activity API (O365/Azure Events) Pack v1.1.12#

Integrations#

Microsoft Management Activity API (O365 Azure Events)#

Maintenance and stability enhancements.


Microsoft Teams Pack v1.1.9#

Integrations#

Microsoft Teams#
  • Added the option to clear the integration cache. (Available from Cortex XSOAR version 6.1.0).
  • Updated the Docker image to: demisto/teams:1.0.0.20407.

Minerva Labs Anti-Evasion Platform Pack v1.0.2 (Community Contributed)#

Integrations#

MinervaLabsAntiEvasionPlatform#

Maintenance and stability enhancements.


MobileIron-UEM Pack v1.0.2 (Partner Supported)#

Integrations#

MobileIronCLOUD#

Updated the Docker image to: demisto/python3:3.9.5.20070.

MobileIronCORE#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Moloch Pack v1.0.1#

Integrations#

Moloch#

Fixed an issue where the moloch-sessions-json command would return faulty results.


Netcraft Pack v1.0.2#

Integrations#

Netcraft#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Netscout Arbor Sightline Pack v1.0.1#

Integrations#

Netscout Arbor Sightline (Peakflow)#

Updated the description for the na-sightline-mitigation-create command.


Nozomi Networks Pack v1.0.2 (Partner Supported)#

Integrations#

Nozomi Networks#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Office 365 Feed Pack v1.1.6#

Integrations#

Office 365 Feed#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Okta Pack v2.1.10#

Integrations#

Okta v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Okta IAM#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Opsgenie v2 Pack v1.0.1 (Community Contributed)#

Integrations#

Opsgenie v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


PAN-OS Pack v1.6.17#

Integrations#

Palo Alto Networks PAN-OS#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Packetsled Pack v1.0.1#

Integrations#

Packetsled#

Maintenance and stability enhancements.


Palo Alto Networks Cortex XDR Investigation and Response Pack v3.0.13#

Dashboards#

New: Cortex XDR Events Grouping#

Cortex XDR Event Group

Playbooks#

Cortex XDR Isolate Endpoint#

Added a task that checks whether the endpoint is ready for isolation.

Scripts#

New: DBotGroupXDRIncidents#

Groups XDR incidents.

Widgets#

New: Cortex XDR Grouping - Summary#

Displays the grouping machine learning model summary.

New: Cortex XDR Grouping - Incidents#

Displays the incidents in a specific group.

New: Cortex XDR Groups - Scatter#

Displays the scatter plot of the groups.


Palo Alto Networks PAN-OS EDL Service Pack v2.0.4#

Integrations#

Palo Alto Networks PAN-OS EDL Service#
  • Updated the integration's detailed description to clarify the use of the instance.execute.external.<instance_name> option.
  • Removed unneeded IPv6 from the default NGINX configuration.
  • Fixed an issue where the X-EDL-Size header did not display zero when an empty EDL was returned.
  • Improved formatting of the X-EDL-Query-Time-Secs header.
  • Maintenance and stability enhancements.

Palo Alto Networks Threat Vault Pack v1.0.4#

Integrations#

Palo Alto Networks Threat Vault#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Palo Alto Networks Traps Pack v1.0.5#

Integrations#

Palo Alto Networks Traps#

Maintenance and stability enhancements.


PassiveTotal Pack v2.0.8 (Partner Supported)#

Indicator Types#

RiskIQSerialNumber - Indicator type for Serial Number.

Integrations#

PassiveTotal v2#
  • Added the following commands:
    • pt-get-whois
    • pt-get-services
    • pt-get-articles
    • pt-get-cookies
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Layouts Containers#

New: PassiveTotal IP Indicator Layout#

Layout for PassiveTotal IP Indicator.

New: PassiveTotal Domain Indicator Layout#

Layout for PassiveTotal Domain Indicator.

New: PassiveTotal File SHA-1 Indicator#

Layout for PassiveTotal File Indicator.

New: PassiveTotal Email Indicator#

Layout for PassiveTotal Email Indicator.

New: RiskIQSerialNumber Indicator#

Layout for PassiveTotal Serial Number Indicator.

Scripts#

RiskIQPassiveTotalComponentsScript#

Updated the Docker image to: demisto/python3:3.9.5.20070.

RiskIQPassiveTotalComponentsWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalHostPairChildrenScript#

Updated the Docker image to: demisto/python3:3.9.5.20070.

RiskIQPassiveTotalHostPairParentsScript#

Updated the Docker image to: demisto/python3:3.9.5.20070.

RiskIQPassiveTotalHostPairsChildrenWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalHostPairsParentsWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalPDNSWidgetScript#

A widget script for the layout.

RiskIQPassiveTotalSSLForIssuerEmailWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalSSLForSubjectEmailWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalSSLScript#

Updated the Docker image to: demisto/python3:3.9.5.20070.

RiskIQPassiveTotalSSLWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalTrackersWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalWhoisScript#

Updated the Docker image to: demisto/python3:3.9.5.20070.

RiskIQPassiveTotalWhoisWidgetScript#
  • A widget script for the layout.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.
RiskIQPassiveTotalPDNSScript#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Perch Pack v1.0.3#

Integrations#

Perch#

Maintenance and stability enhancements.


PhishLabs Pack v1.0.2#

Integrations#

PhishLabs IOC#

Maintenance and stability enhancements.


Plain Text Feed Pack v1.1.2#

Integrations#

Plain Text Feed#

Maintenance and stability enhancements.


PolySwarm Pack v2.0.0 (Partner Supported)#

Integrations#

New: PolySwarm v2 Community#

Real-time threat intelligence from a crowd-sourced network of security experts and antivirus companies.

PolySwarm (Deprecated)#

Deprecated. Please use PolySwarm V2 instead.


Polygon Pack v1.0.3 (Partner Supported)#

Integrations#

Group-IB TDS Polygon#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Popular Cybersecurity News Pack v1.0.2 (Community Contributed)#

Integrations#

Popular News#

Improved parsing for Krebs on Security.


Preempt Pack v1.0.2#

Integrations#

Preempt#

Maintenance and stability enhancements.


Prisma Cloud Pack v1.7.0#

Classifiers#

Prisma Cloud App - Classifier#

Updated classifier for new Azure playbooks.

Prisma Cloud Classifier#

Updated classifier for new Azure playbooks.

prismaCloud_app#

Updated classifier for new Azure playbooks.

RedLock#

Updated classifier for new Azure playbooks.

Incident Fields#

  • Prisma Cloud ID
  • RRN
  • System Default
  • Subscription Created On
  • Resource API Name
  • Subscription Created By
  • VPC ID
  • Subscription Assigned By
  • Subscription Updated On
  • Subscription Description
  • Subscription Type
  • Prisma Cloud Time
  • Subscription ID
  • Prisma Cloud Reason
  • Prisma Cloud Rules
  • Resource Cloud Type
  • Subscription Name
  • Prisma Cloud Status
  • Subscription Updated By

Incident Types#

  • Azure SQL Misconfiguration
  • Azure Network Misconfiguration
  • Azure AKS Misconfiguration

Layouts#

The following layouts were updated for the new Azure playbooks:

  • New: Azure Network Misconfiguration Incident
  • New: Azure SQL Misconfiguration Incident
  • New: Azure AKS Misconfiguration Incident

Playbooks#

New: Prisma Cloud Remediation - Azure SQL Database Misconfiguration#

This playbook remediates Prisma Cloud Azure SQL database alerts.

Prisma Cloud policies remediated:

  • Azure SQL database auditing is disabled.
  • Azure SQL database with auditing retention less than 90 days.
  • Azure Threat Detection on SQL databases is set to off.
  • Azure SQL database with threat retention less than or equal to 90 days (Available from Cortex XSOAR 5.0.0).
New: Prisma Cloud Remediation - Azure Network Misconfiguration#

This playbook remediates Prisma Cloud Azure Network alerts. It calls sub-playbooks that perform the actual remediation steps.

Remediation:

  • Azure Network Security Group (NSG) having the inbound rule overly permissive to allow all traffic from any source on any protocol.
  • Azure Network Security Group (NSG) having the inbound rule overly permissive to allow all traffic from any source on TCP protocol.
  • Azure Network Security Group (NSG) having the inbound rule overly permissive to allow all traffic from any source on UDP protocol.
  • Azure Network Security Group (NSG) allows SSH traffic from internet on port 22.
  • Azure Network Security Group (NSG) allows traffic from internet on port 3389.
  • Azure Network Security Group allows DNS (TCP Port 53).
  • Azure Network Security Group allows FTP (TCP Port 21).
  • Azure Network Security Group allows FTP-Data (TCP Port 20).
  • Azure Network Security Group allows MSQL (TCP Port 4333).
  • Azure Network Security Group allows MySQL (TCP Port 3306).
  • Azure Network Security Group allows Windows RPC (TCP Port 135).
  • Azure Network Security Group allows Windows SMB (TCP Port 445).
  • Azure Network Security Group allows PostgreSQL (TCP Port 5432).
  • Azure Network Security Group allows SMTP (TCP Port 25).
  • Azure Network Security Group allows SqlServer (TCP Port 1433).
  • Azure Network Security Group allows Telnet (TCP Port 23).
  • Azure Network Security Group allows VNC Listener (TCP Port 5500).
  • Azure Network Security Group allows all traffic on ICMP (Ping).
  • Azure Network Security Group allows CIFS (UDP Port 445).
  • Azure Network Security Group allows NetBIOS (UDP Port 137).
  • Azure Network Security Group allows NetBIOS (UDP Port 138).
  • Azure Network Security Group allows SQLServer (UDP Port 1434).
  • Azure Network Security Group allows DNS (UDP Port 53). (Available from Cortex XSOAR 5.0.0).
New: Prisma Cloud Remediation - Azure AKS Cluster Misconfiguration#

This playbook remediates the Prisma Cloud Azure AKS cluster alerts.

Prisma Cloud policies remediated:

  • Azure AKS cluster monitoring not enabled.
  • Azure AKS cluster HTTP application routing enabled. (Available from Cortex XSOAR 5.0.0).
New: Prisma Cloud Remediation - Azure Network Security Group Misconfiguration#

This playbook remediates the Prisma Cloud Azure Network security group alerts.

Prisma Cloud policies remediated:

  • Azure Network Security Group (NSG) having the inbound rule overly permissive to allow all traffic from any source on any protocol.
  • Azure Network Security Group (NSG) having the inbound rule overly permissive to allow all traffic from any source on TCP protocol.
  • Azure Network Security Group (NSG) having the inbound rule overly permissive to allow all traffic from any source on UDP protocol.
  • Azure Network Security Group (NSG) allows SSH traffic from internet on port 22.
  • Azure Network Security Group (NSG) allows traffic from internet on port 3389.
  • Azure Network Security Group allows DNS (TCP Port 53).
  • Azure Network Security Group allows FTP (TCP Port 21).
  • Azure Network Security Group allows FTP-Data (TCP Port 20).
  • Azure Network Security Group allows MSQL (TCP Port 4333).
  • Azure Network Security Group allows MySQL (TCP Port 3306).
  • Azure Network Security Group allows Windows RPC (TCP Port 135).
  • Azure Network Security Group allows Windows SMB (TCP Port 445).
  • Azure Network Security Group allows PostgreSQL (TCP Port 5432).
  • Azure Network Security Group allows SMTP (TCP Port 25).
  • Azure Network Security Group allows SqlServer (TCP Port 1433).
  • Azure Network Security Group allows Telnet (TCP Port 23).
  • Azure Network Security Group allows VNC Listener (TCP Port 5500).
  • Azure Network Security Group allows all traffic on ICMP (Ping).
  • Azure Network Security Group allows CIFS (UDP Port 445).
  • Azure Network Security Group allows NetBIOS (UDP Port 137).
  • Azure Network Security Group allows NetBIOS (UDP Port 138).
  • Azure Network Security Group allows SQLServer (UDP Port 1434).
  • Azure Network Security Group allows DNS (UDP Port 53). (Available from Cortex XSOAR 5.0.0).
New: Prisma Cloud Remediation - Azure AKS Misconfiguration#

This playbook remediates Prisma Cloud Azure AKS alerts. It calls sub-playbooks that perform the actual remediation steps.

Remediation:

  • Azure AKS cluster monitoring not enabled.
  • Azure AKS cluster HTTP application routing enabled. (Available from Cortex XSOAR 5.0.0).
New: Prisma Cloud Remediation - Azure SQL Misconfiguration#

This playbook remediates Prisma Cloud Azure SQL alerts. It calls sub-playbooks that perform the actual remediation steps.

Remediation:

  • Azure SQL database auditing is disabled.
  • Azure SQL database with auditing retention less than 90 days.
  • Azure Threat Detection on SQL databases is set to off.
  • Azure SQL Database with Threat Retention less than or equal to 90 days. (Available from Cortex XSOAR 5.0.0).

Prisma Cloud Compute Pack v1.0.8#

Integrations#

Palo Alto Networks - Prisma Cloud Compute#

Maintenance and stability enhancements.


Proofpoint Feed Pack v1.0.4#

Integrations#

Proofpoint Feed#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Proofpoint Protection Server Pack v2.0.4#

Integrations#

Proofpoint Protection Server v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Proofpoint TAP Pack v1.1.1#

Integrations#

Proofpoint TAP v2#

Maintenance and stability enhancements.


Proofpoint Threat Response (Beta) Pack v1.0.4#

Integrations#

Proofpoint Threat Response (Beta)#

Added a default value of 12 hours to the First fetch timestamp integration parameter.


QualysFIM Pack v1.0.2#

Integrations#

Qualys FIM#

Updated the Docker image to: demisto/python3:3.9.5.20070.


QueryAI Pack v1.0.5 (Partner Supported)#

Integrations#

Query.AI#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Quest Kace Pack v1.0.3#

Integrations#

Quest KACE Systems Management Appliance (Beta)#

Updated the Docker image to: demisto/python3:3.9.5.20070.


RSA Archer Pack v1.1.16#

Integrations#

RSA Archer v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Rapid Breach Response Pack v1.6.6#

Playbooks#

New: NOBELIUM - wide scale APT29 spear-phishing#

On May 27, 2021, Microsoft reported a wide-scale spear-phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had an unusually wide range of targets for an APT spear-phishing campaign, with 3,000 email accounts targeted within 150 organizations. Source: Microsoft blog.

This playbook includes the following tasks:

  • Collects IOCs to be used in your threat hunting process.
  • Queries FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts.
  • Blocks known indicators.

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. (Available from Cortex XSOAR 5.5.0).
NOBELIUM - wide scale APT29 spear-phishing#
  • Tags related indicators as NOBELIUM and APT29.
  • Updated the EWS search query.
  • Added validation that the required playbooks or integrations are available.
CVE-2021-22893 Pulse Connect Secure RCE#

Added validation that the required playbooks or integrations are available.

HAFNIUM - Exchange 0-day exploits#

Added validation that the required playbooks or integrations are available.

SolarStorm and SUNBURST Hunting and Response Playbook#

Added validation that the required playbooks or integrations are available.

Codecov Breach - Bash Uploader#

Added validation that the required playbooks or integrations are available.

Scripts#

New: RapidBreachResponseParseBlog#

Parses the Volexity blog to extract indicators.


Rapid7 InsightIDR Pack v1.0.2#

Integrations#

Rapid7 InsightIDR#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Rapid7 Nexpose Pack v1.1.1#

Scripts#

NexposeCreateIncidentsFromAssets#

Deprecated. No available replacement.


RecordedFuture v2 Pack v1.1.2 (Partner Supported)#

Integrations#

Recorded Future v2#
  • Fixed an issue where the outputs of the recordedfuture-intelligence command did not match the integration's outputs.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

RiskIQ Digital Footprint Pack v1.0.6 (Partner Supported)#

Integrations#

RiskIQ Digital Footprint#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Layouts Containers#

New: RiskIQAsset Indicator#

Layout for RiskIQAsset indicator.

Playbooks#

New: Check IP Address For Whitelisting - RiskIQ Digital Footprint#

Checks if the provided IP address should be whitelisted and excluded. Use this playbook as a sub-playbook to loop over multiple IP addresses to check if they should be whitelisted and excluded.

New: Vulnerability Scan - RiskIQ Digital Footprint - Tenable.io#
  • Performs a vulnerability scan for the following asset types using the Tenable.io integration:
    • Host
    • IP Address
  • Supports the Tenable.io integration.
New: IP Whitelist And Exclusion - RiskIQ Digital Footprint#

Whitelists the IP address(es) after checking whether they should be whitelisted according to the user inputs provided. This playbook also adds the IP address indicators to the exclusion list and tags them with the RiskIQ Whitelisted IP Address tag. (Available from Cortex XSOAR 6.0.0).

New: RiskIQAsset Basic Information Enrichment - RiskIQ Digital Footprint#

Receives indicators from its parent playbook and enriches the basic information and the detected CVEs for the RiskIQAsset type of indicators. This playbook needs to be used with caution as it might use up the integrations' API license when running for large amounts of indicators.

Supported integrations:

  • RiskIQ Digital Footprint
  • VulnDB
  • CVE Search
  • IBM X-Force
New: Auto Update Or Remove Assets - RiskIQ Digital Footprint#

Automatically updates or removes the provided asset(s) from the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub-playbook and loop over each asset in the asset list in order to update or remove multiple assets.

Supports the RiskIQ Digital Footprint integration.

New: Check Indicators For Unknown Assets - RiskIQ Digital Footprint#

Receives indicators from its parent playbook and checks if the indicator is an unknown or a known asset in the RiskIQ Digital Footprint inventory and gives out a list of the unknown as well as known assets. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integrations' API license when running for large amounts of indicators.

Supports the RiskIQ Digital Footprint integration.

New: RiskIQAsset Enrichment - RiskIQ Digital Footprint#

Enriches RiskIQAsset type indicators with basic information and the CVEs detected for the asset, performs a vulnerability scan for Host and IP Address type assets, adds the received information to the context, and lets the user whitelist a list of IP Address type assets. This playbook also enriches the detected CVEs. This playbook needs to be used with caution as it might use up the integrations' API license when running for large amounts of indicators.

Supported integrations:

  • RiskIQ Digital Footprint
  • Tenable.io
  • Google Cloud Compute
  • AWS - EC2
  • Okta v2
New: Add Unknown Indicators To Inventory - RiskIQ Digital Footprint#

Adds the unknown indicators or updates/removes the indicators identified as a known asset in the RiskIQ Digital Footprint inventory according to the user inputs for each asset. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integrations' API license when running for large amounts of indicators.

Supports the RiskIQ Digital Footprint integration.

New: Auto Add Assets - RiskIQ Digital Footprint#

Automatically adds the provided asset(s) to the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub-playbook and loop over each asset in the asset list in order to add multiple assets.

Supports the RiskIQ Digital Footprint integration.

Scripts#

New: RiskIQDigitalFootprintAssetDetailsWidgetScript#
  • Displays the detailed information of an asset identified as a RiskIQAsset type of indicator in the layout of the indicator.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

RiskSense Pack v1.0.5 (Partner Supported)#

Integrations#

RiskSense#

Maintenance and stability enhancements.


Rubrik Polaris Pack v1.0.2 (Partner Supported)#

Incident Fields#

Incident Types#

Rubrik Radar - Updated the default integration type.

Integrations#

Rubrik Radar#
  • Improved the implementation of the GraphQL query used during incident ingestion to filter on the lastUpdated time for new incidents, in accordance with backend functionality changes to Radar.
  • Fixed an issue where new incidents were not being detected by XSOAR.
  • Added the Radar Critical Severity Level Mapping and the Radar Warning Severity Level Mapping integration parameters in order to allow the mapping of Radar Critical and Warning event severity levels to various XSOAR severity levels upon incident fetch. The default severity mappings are currently: Radar Critical -> XSOAR HIGH and Radar Warning -> XSOAR LOW.
  • Added the following commands:
    • rubrik-cdm-cluster-connection-state
    • rubrik-cdm-cluster-location
      These commands have been added as tasks to the Rubrik Post Intrusion Ransomware Investigation playbook.
  • Deprecated the rubrik-radar-analysis-status command as it is no longer needed.
  • Updated the Docker image to: demisto/python3:3.9.4.18682.

Layouts#

Rubrik Polaris Radar#

  • Added the Rubrik Polaris tab that contains the Radar event timeline as well as the Data Classification sections.
  • Added various layout changes to the Incident Summary tab.

Mappers#

Rubrik Polaris Radar - Mapping#
  • Added various changes to the mapping in order to accommodate the newly added fields.
  • Modified the Radar mapper so that the Hostnames field now maps to the Polaris objectName field of the Radar event.

Playbooks#

Rubrik Polaris - Anomaly Analysis#

Added the following tasks to the playbook under the Sonar Data Classification section:

  • rubrik-cdm-cluster-location
  • rubrik-cdm-cluster-connection-state

Scripts#

New: RubrikCDMClusterConnectionState#

Displays the Rubrik Radar number of files added.

New: RubrikRadarFilesAdded#

Displays the Rubrik Radar number of files added.

New: RubrikRadarFilesDeleted#

Displays the Rubrik Radar number of files deleted.

New: RubrikRadarFilesModified#

Displays the Rubrik Radar number of files modified.

New: RubrikSonarOpenAccessFiles#

Displays the Rubrik Polaris Sonar open access files count.

RubrikSonarSensitiveHits#

Displays the data classification hits on an object.

New: RubrikSonarTotalHits#

Displays the Rubrik Polaris Sonar total hits.


SafeBreach - Breach and Attack Simulation platform Pack v1.1.5 (Partner Supported)#

Integrations#

SafeBreach v2#

Maintenance and stability enhancements.


Salesforce Pack v1.0.7#

Integrations#

Salesforce IAM#

Maintenance and stability enhancements.

Salesforce#

Maintenance and stability enhancements.


Salesforce Indicators Pack v1.0.2 (Community Contributed)#

Integrations#

Salesforce Indicators#

Maintenance and stability enhancements.


SecBI Pack v1.0.1 (Partner Supported)#

Integrations#

SecBI#

Maintenance and stability enhancements.


Securonix Pack v1.1.4#

Integrations#

Securonix#

Updated the Docker image to: demisto/python3:3.9.5.20070.


SentinelOne Pack v2.0.1#

Integrations#

SentinelOne v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


ServiceNow Pack v2.1.23#

Integrations#

ServiceNow v2#

Maintenance and stability enhancements.


Shodan Pack v1.0.3#

Integrations#

Shodan v2#

Maintenance and stability enhancements.


Silverfort Pack v1.0.4 (Partner Supported)#

Integrations#

Silverfort#

Updated the Docker image to: demisto/python3:3.9.5.20070.


SlashNext Phishing Incident Response - Annual Subscription (Direct Subscription) Pack v1.2.1 (Partner Supported)#

Integrations#

SlashNext Phishing Incident Response#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Smokescreen IllusionBLACK Pack v1.0.7 (Partner Supported)#

Integrations#

Smokescreen IllusionBLACK#

Maintenance and stability enhancements.


Snowflake Pack v1.0.3#

Integrations#

Snowflake#

Maintenance and stability enhancements.


Sophos Central Pack v1.0.3#

Integrations#

Sophos Central#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Sophos XG Firewall Pack v1.0.3#

Integrations#

Sophos Firewall#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Spamhaus Feed Pack v1.1.2#

Integrations#

Spamhaus Feed#

Maintenance and stability enhancements.


Splunk Pack v2.1.2#

Incident Fields#

  • Notable Drilldown
  • Notable Urgency
  • Successful Identity Enrichment
  • Successful Asset Enrichment
  • Successful Drilldown Enrichment
  • Notable Owner
  • Notable Status
  • Notable - ID

Incident Types#

  • Splunk Notable Generic - New incident type.

Integrations#

SplunkPy#
  • Fixed an issue where all of the Notable fields were updated when mirroring incidents.
  • Added support for the status_label Notable field when mirroring incoming incidents.
  • Fixed the way labels are parsed from the raw data of a Notable event.

Layouts#

New: Splunk Notable Generic - New layout for Splunk Notable events. (Available from Cortex XSOAR 6.0.0).

Mappers#

New: Splunk - Notable Generic Incoming Mapper#

New incoming mapper for Splunk Notable events. (Available from Cortex XSOAR 6.0.0).

New: Splunk - Notable Generic Outgoing Mapper#

New outgoing mapper for Splunk Notable events. (Available from Cortex XSOAR 6.0.0).

Splunk - Notable Generic Outgoing Mapper#

You can now only use this mapper from Cortex XSOAR version 6.2 and above.

Playbooks#

Splunk Generic#
  • Fixed an issue where the email task did not work as expected.
  • Documentation and metadata improvements.

Scripts#

New: SplunkShowAsset#

(Available from Cortex XSOAR 6.0.0).

New: SplunkShowDrilldown#

(Available from Cortex XSOAR 6.0.0).

New: SplunkShowIdentity#

(Available from Cortex XSOAR 6.0.0).


Starter Pack Pack v1.0.2 (Community Contributed)#

Integrations#

Starter Base Integration - Name the integration as it will appear in the XSOAR UI#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Symantec Management Center Pack v1.0.2#

Integrations#

Symantec Management Center#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Symantec Messaging Gateway Pack v1.0.1#

Playbooks#

New: Symantec block Email#

Blocks email addresses at your email gateway. (Available from Cortex XSOAR 5.5.0).


TAXII Server Pack v1.0.7#

Integrations#

TAXII Server#
  • Fixed an issue where in some cases the wrong server URL address was returned in the response.
  • Maintenance and stability enhancements.

TIM - Indicator Auto-Processing Pack v1.1.8#

Playbooks#

TIM - Process Indicators Against Organizations External IP List#

Added support for processing indicators against a CIDR list.

New: TIM - Update Indicators Organizational External IP Tag#

This playbook checks whether an indicator with an organizational_external_ip tag has been updated and keeps or removes the tag according to the results. (Available from Cortex XSOAR 5.5.0).

TIM - Run Enrichment For Url Indicators#

Fixed an issue where the playbook input descriptions were incorrect.

TIM - Run Enrichment For Domain Indicators#

Fixed an issue where the playbook input descriptions were incorrect.

TIM - Run Enrichment For Hash Indicators#

Fixed an issue where the playbook input descriptions were incorrect.

TIM - Run Enrichment For IP Indicators#

Fixed an issue where the playbook input descriptions were incorrect.


TOPdesk Pack v1.0.1#

Integrations#

TOPdesk#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Talos Feed Pack v1.0.2 (Community Contributed)#

Integrations#

Talos Feed#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Tanium Pack v1.0.5#

Integrations#

Tanium v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Tanium Threat Response Pack v1.0.3#

Integrations#

Tanium Threat Response#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Thinkst Canary Pack v1.0.3#

Integrations#

Thinkst Canary#

Fixed an issue in the canarytools-check-whitelist command where in some cases the result did not match the actual status of the IP.


Threat Crowd Pack v2.0.2#

Integrations#

Threat Crowd v2#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

ThreatExchange Pack v2.0.0#

Integrations#

ThreatExchange (Deprecated)#

Deprecated. Use ThreatExchange v2 instead.

New: ThreatExchange v2#

A way to receive threat intelligence about applications, IP addresses, URLs, and hashes using a service by Facebook. (Available from Cortex XSOAR 5.5.0).


ThreatQ Pack v1.0.8 (Partner Supported)#

Integrations#

ThreatQ v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Trend Micro Deep Discovery Analyzer Pack v1.0.2#

Integrations#

Trend Micro Deep Discovery Analyzer (Beta)#

Fixed an issue where the trendmicro-dda-get-report command returned an error when receiving non-English characters.


TrendMicro Cloud App Security Pack v1.0.1#

Integrations#

TrendMicro Cloud App Security#

Updated the Docker image to: demisto/python3:3.9.5.20070.


URLhaus Pack v1.0.4#

Integrations#

URLhaus#

Updated the Docker image to: demisto/python3:3.9.5.20070.


VMRay Pack v1.0.2#

Integrations#

VMRay#

Fixed an issue where only the first indicator was shown in the War-Room entry for the vmray-get-threat-indicators command.


VirusTotal Pack v2.1.1#

Integrations#

VirusTotal#

Fixed an issue where the links to VirusTotal returned from the following commands were incorrect:
  • ip
  • domain

VulnDB Pack v1.0.3#

Integrations#

VulnDB#

Maintenance and stability enhancements.


Workday Pack v1.1.3#

Integrations#

Workday#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Workday IAM#
  • Added support for modifications in the following fields of the User Profile indicator:
    • Username
    • Employee ID
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

XM Cyber Pack v1.0.7 (Partner Supported)#

Integrations#

XM Cyber#

Updated the Docker image to: demisto/python3:3.9.5.20070.


XSOAR Lab Updates Pack v1.0.1 (Community Contributed)#

Playbooks#

NewPacksNotifier#

Now supports sending a notification to multiple Slack channels.


Zscaler Pack v1.1.5#

Integrations#

Zscaler#
  • Added support for the get_ids_and_names_only argument in the get-categories command.
  • Fixed an issue where the following commands would fail on large categories:
    • zscaler-category-add-url
    • zscaler-category-remove-url

iDefense Pack v3.0.5#

Integrations#

iDefense v2#

Updated the Docker image to: demisto/python3:3.9.5.20070.


iLert Pack v1.0.1 (Partner Supported)#

Integrations#

iLert#

Updated the Docker image to: demisto/python3:3.9.5.20070.


xMatters Pack v1.0.1 (Partner Supported)#

Integrations#

xMatters#

Updated the Docker image to: demisto/python3:3.9.5.20070.


Assets#